From 283bd069bd87cd21e1ce6a8f9693c56a54a62d79 Mon Sep 17 00:00:00 2001
From: Goldie
Date: Sat, 14 Sep 2024 20:35:33 +0000
Subject: [PATCH 01/13] feat: add semgrep security issues scanning
---
.github/workflows/run-semgrep.yaml | 34 ++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 .github/workflows/run-semgrep.yaml
diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml
new file mode 100644
index 000000000..a909db2c0
--- /dev/null
+++ b/.github/workflows/run-semgrep.yaml
@@ -0,0 +1,34 @@
+name: Run Semgrep
+
+on:
+ pull_request: {}
+ workflow_dispatch: {}
+
+jobs:
+ semgrep:
+ name: Scan
+ runs-on: ubuntu-latest
+
+ container:
+ image: returntocorp/semgrep
+
+ if: (github.actor != 'dependabot[bot]')
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Fetch semgrep rules
+ uses: actions/checkout@v3
+ with:
+ repository: decurity/semgrep-smart-contracts
+ path: rules
+
+ - run: semgrep ci --sarif --output=semgrep.sarif || true
+ env:
+ SEMGREP_RULES: rules/solidity/security rules/solidity/performance
+
+ - name: Upload findings to GitHub Advanced Security Dashboard
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: semgrep.sarif
+ if: always()
\ No newline at end of file
From 48069c5b823ee238fbef0f55d5169b87dcbe3c65 Mon Sep 17 00:00:00 2001
From: Goldie
Date: Tue, 17 Sep 2024 13:48:02 +0000
Subject: [PATCH 02/13] fix: fix semgrep scanning issue
---
.github/workflows/run-semgrep.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml
index a909db2c0..c2d729af5 100644
--- a/.github/workflows/run-semgrep.yaml
+++ b/.github/workflows/run-semgrep.yaml
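Review bot: The new workflow declares no top-level `permissions:` block, so the job runs with whatever default GITHUB_TOKEN scope the repository grants, while the `upload-sarif` step needs `security-events: write`; add `permissions:` / `  contents: read` / `  security-events: write` after `name: Run Semgrep` so the grant is explicit and minimal (on `pull_request` runs from forks the token is read-only regardless, so that upload is expected to fail there). The scan's supply chain is also unpinned: `actions/checkout@v3` and `github/codeql-action/upload-sarif@v2` are mutable tags, `image: returntocorp/semgrep` carries no tag or digest, and the checkout of `decurity/semgrep-smart-contracts` has no `ref:`, so whoever controls that repository's default branch decides which rules run on every PR. Pin each to a commit SHA or image digest, e.g. `ref: <PINNED_COMMIT_SHA>` (placeholder) under the rules checkout, and let a dependency-update bot bump them.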
@@ -23,7 +23,7 @@ jobs: repository: decurity/semgrep-smart-contracts path: rules - - run: semgrep ci --sarif --output=semgrep.sarif || true + - run: semgrep scan --sarif --output=semgrep.sarif packages/contracts/src/dollar || true env: SEMGREP_RULES: rules/solidity/security rules/solidity/performance From 820f9fa3338a1c69a05ad874968c0654bd63b4c1 Mon Sep 17 00:00:00 2001 From: Goldie Date: Tue, 17 Sep 2024 14:14:20 +0000 Subject: [PATCH 03/13] fix: run on push and pull request --- .github/workflows/run-semgrep.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml index c2d729af5..14c62e340 100644 --- a/.github/workflows/run-semgrep.yaml +++ b/.github/workflows/run-semgrep.yaml @@ -1,8 +1,8 @@ name: Run Semgrep on: - pull_request: {} - workflow_dispatch: {} + push: + workflow_dispatch: jobs: semgrep: @@ -23,7 +23,7 @@ jobs: repository: decurity/semgrep-smart-contracts path: rules - - run: semgrep scan --sarif --output=semgrep.sarif packages/contracts/src/dollar || true + - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar || true env: SEMGREP_RULES: rules/solidity/security rules/solidity/performance From 77a909384788c57cbff477a9441cf68463ceab86 Mon Sep 17 00:00:00 2001 From: Goldie Date: Tue, 17 Sep 2024 14:30:21 +0000 Subject: [PATCH 04/13] fix: add back pull_request run --- .github/workflows/run-semgrep.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml index 14c62e340..cde080ca1 100644 --- a/.github/workflows/run-semgrep.yaml +++ b/.github/workflows/run-semgrep.yaml @@ -2,6 +2,7 @@ name: Run Semgrep on: push: + pull_request: workflow_dispatch: jobs: From aa758b745b67bc08ebc983d3b0c9f9547a2b6227 Mon Sep 17 00:00:00 2001 
From: rndquu Date: Mon, 30 Sep 2024 11:13:37 +0300 Subject: [PATCH 05/13] ci: test --- .github/workflows/run-semgrep.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml index cde080ca1..ad7e7ae59 100644 --- a/.github/workflows/run-semgrep.yaml +++ b/.github/workflows/run-semgrep.yaml @@ -24,7 +24,7 @@ jobs: repository: decurity/semgrep-smart-contracts path: rules - - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar || true + - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar --verbose || true env: SEMGREP_RULES: rules/solidity/security rules/solidity/performance From 3741d4ceb3cddda43dda9a91cd9a92798f63af14 Mon Sep 17 00:00:00 2001 From: rndquu Date: Mon, 30 Sep 2024 11:16:30 +0300 Subject: [PATCH 06/13] ci: test --- .github/workflows/run-semgrep.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml index ad7e7ae59..6c610f33c 100644 --- a/.github/workflows/run-semgrep.yaml +++ b/.github/workflows/run-semgrep.yaml @@ -26,7 +26,7 @@ jobs: - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar --verbose || true env: - SEMGREP_RULES: rules/solidity/security rules/solidity/performance + SEMGREP_RULES: rules/solidity/security - name: Upload findings to GitHub Advanced Security Dashboard uses: github/codeql-action/upload-sarif@v2 From a88e853684f81ec5a229d0f278da6d5ce0f4d3e7 Mon Sep 17 00:00:00 2001 From: rndquu Date: Mon, 30 Sep 2024 11:34:12 +0300 Subject: [PATCH 07/13] ci: test --- .github/workflows/run-semgrep.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml index 6c610f33c..2dfc015e6 100644 --- a/.github/workflows/run-semgrep.yaml +++ b/.github/workflows/run-semgrep.yaml 
@@ -24,7 +24,7 @@ jobs: repository: decurity/semgrep-smart-contracts path: rules - - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar --verbose || true + - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar --suppress-errors false || true env: SEMGREP_RULES: rules/solidity/security From 70071d74ad91b13dc8c019af2f6eae12418a4d4e Mon Sep 17 00:00:00 2001 From: rndquu Date: Mon, 30 Sep 2024 11:37:34 +0300 Subject: [PATCH 08/13] ci: test --- .github/workflows/run-semgrep.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml index 2dfc015e6..7977a4f8c 100644 --- a/.github/workflows/run-semgrep.yaml +++ b/.github/workflows/run-semgrep.yaml @@ -24,9 +24,10 @@ jobs: repository: decurity/semgrep-smart-contracts path: rules - - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar --suppress-errors false || true + - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar || true env: SEMGREP_RULES: rules/solidity/security + SEMGREP_SUPPRESS_ERRORS: false - name: Upload findings to GitHub Advanced Security Dashboard uses: github/codeql-action/upload-sarif@v2 From 27c3e39cabaa103e2c702c81d2aac53d1e3e9b20 Mon Sep 17 00:00:00 2001 From: rndquu Date: Mon, 30 Sep 2024 11:40:05 +0300 Subject: [PATCH 09/13] ci: test --- .github/workflows/run-semgrep.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml index 7977a4f8c..5f36fe2b4 100644 --- a/.github/workflows/run-semgrep.yaml +++ b/.github/workflows/run-semgrep.yaml 
@@ -24,10 +24,9 @@ jobs: repository: decurity/semgrep-smart-contracts path: rules - - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar || true + - run: semgrep ci --sarif --output=semgrep.sarif --include packages/contracts/src/dollar --no-suppress-errors env: SEMGREP_RULES: rules/solidity/security - SEMGREP_SUPPRESS_ERRORS: false - name: Upload findings to GitHub Advanced Security Dashboard uses: github/codeql-action/upload-sarif@v2 From e68c548b51f987e39eb38dcd8fbe847fbc7887f2 Mon Sep 17 00:00:00 2001 From: rndquu Date: Mon, 30 Sep 2024 11:49:32 +0300 Subject: [PATCH 10/13] ci: test --- .semgrepignore | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 .semgrepignore diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 000000000..3b3bcff3a --- /dev/null +++ b/.semgrepignore @@ -0,0 +1,4 @@ +# deprecated contracts +packages/contracts/src/dollar/core/CrediftNft.sol +packages/contracts/src/dollar/core/StakingShare.sol +packages/contracts/src/dollar/libraries/LibCreditNftManager.sol From 496513b72a43ebc6086493c3176dd9cc0b9c333f Mon Sep 17 00:00:00 2001 From: rndquu Date: Mon, 30 Sep 2024 11:51:40 +0300 Subject: [PATCH 11/13] ci: test --- .semgrepignore | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.semgrepignore b/.semgrepignore index 3b3bcff3a..781f01103 100644 --- a/.semgrepignore +++ b/.semgrepignore @@ -1,4 +1,8 @@ +# mocks +packages/contracts/src/dollar/mocks + # deprecated contracts -packages/contracts/src/dollar/core/CrediftNft.sol +packages/contracts/src/dollar/core/CreditNft.sol packages/contracts/src/dollar/core/StakingShare.sol packages/contracts/src/dollar/libraries/LibCreditNftManager.sol +packages/contracts/src/dollar/libraries/LibDollarMintExcess.sol From e21970e60a4431f27e6e9181c31d696c8642cb86 Mon Sep 17 00:00:00 2001 
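Review bot: With `|| true` removed and `--no-suppress-errors` added, a semgrep run that exits before writing `semgrep.sarif` (a crash or a rule-load error rather than a finding) now fails the step, and the `if: always()` upload step that follows is likely to fail a second time on the missing file, burying the original error. Guard the upload on the file's presence, e.g. `if: always() && hashFiles('semgrep.sarif') != ''`, so the first failure stays the visible one. The upload step's `with:` and `if:` lines are outside this hunk.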
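Review bot: Each `.semgrepignore` entry silently removes a contract from the security scan, and the file records only a category (`# mocks`, `# deprecated contracts`), not why `LibDollarMintExcess.sol` or `StakingShare.sol` is considered deprecated or who confirmed it is no longer deployed or imported by scanned code. Add a one-line reason per entry, e.g. `# LibDollarMintExcess.sol: <reason or ticket> - not deployed, excluded from scan` (placeholder), so the exclusion is revisited if a contract is revived. If any listed file is still reachable from deployed code, its findings are being hidden rather than fixed; worth confirming against the deployment list before merging.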
From: rndquu Date: Mon, 30 Sep 2024 11:53:47 +0300 Subject: [PATCH 12/13] ci: test --- .semgrepignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.semgrepignore b/.semgrepignore index 781f01103..7a613e799 100644 --- a/.semgrepignore +++ b/.semgrepignore @@ -1,5 +1,5 @@ # mocks -packages/contracts/src/dollar/mocks +packages/contracts/src/dollar/mocks/ # deprecated contracts packages/contracts/src/dollar/core/CreditNft.sol From 258ff613afe233e1830a3b5c429e7ef20e9f30fb Mon Sep 17 00:00:00 2001 From: rndquu Date: Mon, 30 Sep 2024 11:57:19 +0300 Subject: [PATCH 13/13] ci: test --- .github/workflows/run-semgrep.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/run-semgrep.yaml b/.github/workflows/run-semgrep.yaml index 5f36fe2b4..bcc45a4f0 100644 --- a/.github/workflows/run-semgrep.yaml +++ b/.github/workflows/run-semgrep.yaml @@ -1,9 +1,13 @@ name: Run Semgrep on: + workflow_dispatch: push: + paths: + - '**.sol' pull_request: - workflow_dispatch: + paths: + - '**.sol' jobs: semgrep:
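Review bot: The `paths:` filters on `push` and `pull_request` mean a change to this workflow, to `.semgrepignore`, or to the scan command no longer triggers a run, so a PR that loosens the ignore list or the rule set ships without the scan ever executing; add `- '.github/workflows/run-semgrep.yaml'` and `- '.semgrepignore'` next to `- '**.sol'` in both lists. If this workflow is, or becomes, a required status check, a pull request touching only non-`.sol` files will never report the check and stays unmergeable; GitHub documents a companion no-op workflow using `paths-ignore` for that case. The `paths` value is correctly quoted since it starts with `*`.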