upstream update

.circleci/config.yml

@@ -1,13 +1,13 @@
 ---
 version: 2.1
 
-orbs:
-  slack: circleci/slack@3.4.2
-
 executors:
   executor_med:  # 2cpu, 4G ram
     docker:
-      - image: circleci/openjdk:11.0.4-jdk-stretch
+      - image: cimg/openjdk:17.0
+        auth:
+          username: $DOCKER_USER_RO
+          password: $DOCKER_PASSWORD_RO             
     resource_class: medium
     working_directory: ~/project
     environment:
@@ -16,21 +16,24 @@ executors:
 
   executor_large: # 4cpu, 8G ram
     docker:
-      - image: circleci/openjdk:11.0.4-jdk-stretch
+      - image: cimg/openjdk:17.0
+        auth:
+          username: $DOCKER_USER_RO
+          password: $DOCKER_PASSWORD_RO     
     resource_class: large
     working_directory: ~/project
     environment:
       JAVA_TOOL_OPTIONS: -Xmx4096m
       GRADLE_OPTS: -Dorg.gradle.daemon=false -Dorg.gradle.parallel=true -Dorg.gradle.workers.max=4 -Xmx4096m
 
-  executor_machine: # 2cpu , 8G ram
-    machine:
-      image: ubuntu-1604:201903-01 #Ubuntu 16.04, docker 18.09.3, docker-compose 1.23.1
-      docker_layer_caching: true
+  trivy_executor:
+    docker:
+      - image: docker:stable-git
+        auth:
+          username: $DOCKER_USER_RO
+          password: $DOCKER_PASSWORD_RO  
+    resource_class: small
     working_directory: ~/project
-    environment:
-      JAVA_TOOL_OPTIONS: -Xmx4096m
-      GRADLE_OPTS: -Dorg.gradle.daemon=false -Dorg.gradle.parallel=true -Dorg.gradle.workers.max=2 -Xmx4096m
 
 commands:
   prepare:
@@ -69,25 +72,24 @@ commands:
           name: Gather test results
           when: always
           command: |
-            FILES=`find . -name reports`
+            FILES=`find . -name reports -not -path './build/reports'`
             for FILE in $FILES
             do
               MODULE=`echo "$FILE" | sed -e 's@./\(.*\)/build/reports@\1@'`
               TARGET="build/test-reports/$MODULE"
+              SOURCE="${FILE}/tests/test"
               mkdir -p "$TARGET"
-              cp -rf ${FILE}/*/* "$TARGET"
+              if [[ -d "$SOURCE" ]]; then
+                  cp -rf "$SOURCE" "$TARGET"
+              fi
             done
+            if [[ -f 'build/reports/dependency-check-report.html' ]]; then
+              cp 'build/reports/dependency-check-report.html' 'build/test-reports'
+            fi
       - store_artifacts:
           path: build/test-reports
           destination: test-reports
 
-  notify:
-    description: "Notify Slack"
-    steps:
-      - slack/status:
-          fail_only: true
-          only_for_branches: 'master'
-
 jobs:
   build:
     executor: executor_large
@@ -97,6 +99,11 @@ jobs:
           name: Build
           command: |
             ./gradlew --no-daemon --parallel build
+      - run:
+          name: Dependency vulnerability scan
+          no_output_timeout: 40m
+          command: |
+            ./gradlew --no-daemon -Dorg.gradle.parallel=false dependencyCheckAggregate
       - run:
           name: Test
           no_output_timeout: 20m
@@ -107,7 +114,6 @@ jobs:
           no_output_timeout: 20m
           command: |
             ./gradlew --no-daemon --parallel integrationTest --info
-      - notify      
       - capture_test_results
       - capture_test_reports
       - save_cache:
@@ -130,7 +136,6 @@ jobs:
           no_output_timeout: 20m
           command: |
             ./gradlew --no-daemon --parallel acceptanceTest
-      - notify
       - capture_test_results
       - capture_test_reports
 
@@ -141,10 +146,6 @@ jobs:
       - setup_remote_docker
       - attach_workspace:
           at: ~/project
-      - run:
-          name: hadoLint
-          command: |
-            docker run --rm -i hadolint/hadolint < docker/Dockerfile
       - run:
           name: build image
           command: |
@@ -153,21 +154,24 @@ jobs:
           name: test image
           command: |
             mkdir -p docker/reports
-            ./gradlew --no-daemon testDocker
-      - notify            
+            ./gradlew --no-daemon testDocker        
 
   publish:
     executor: executor_med
     steps:
       - prepare
+      - run:
+          name: Install Python3
+          command: |
+            sudo apt update
+            sudo apt install python3 python3-pip python3-venv
       - attach_workspace:
           at: ~/project
       - run:
           name: Publish
           command: |
-            ./gradlew --no-daemon --parallel bintrayUpload
-      - notify
-
+            ./gradlew --no-daemon --parallel cloudSmithUpload publish
+
   publishDocker:
     executor: executor_med
     steps:
@@ -178,50 +182,85 @@ jobs:
       - run:
           name: Publish Docker
           command: |
-            docker login --username "${DOCKER_USER}" --password "${DOCKER_PASSWORD}"
+            docker login --username "${DOCKER_USER_RW}" --password "${DOCKER_PASSWORD_RW}"
+
+            # dct signing setup
+            mkdir -p $HOME/.docker/trust/private
+            echo $DCT_KEY | base64 --decode > $HOME/.docker/trust/private/$DCT_HASH.key
+            chmod 600 $HOME/.docker/trust/private/$DCT_HASH.key
+            docker trust key load $HOME/.docker/trust/private/$DCT_HASH.key --name ecosystem
+
             ./gradlew --no-daemon --parallel "-Pbranch=${CIRCLE_BRANCH}" dockerUpload
-      - notify
-
+
+  dockerScan:
+    executor: trivy_executor
+    steps:
+      - prepare
+      - setup_remote_docker:
+          docker_layer_caching: false
+      - run:
+          name: Install trivy
+          command: |
+            apk add --update-cache --upgrade curl bash
+            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
+      - run:
+          name: Scan with trivy
+          shell: /bin/sh
+          command: |
+            trivy -q image --exit-code 1 --no-progress --severity HIGH,CRITICAL --ignorefile "gradle/trivyignore.txt" --timeout 10m "consensys/ethsigner:develop" 
+
 workflows:
   version: 2
-  nightly:
-    triggers:
-      - schedule:
-          cron: "0 11 * * *"
-          filters:
-            branches:
-              only:
-                - master
-    jobs:
-      - build
-      - acceptanceTests:
-          requires:
-            - build
   default:
     jobs:
-      - build
+      - build:
+          context:
+            - protocols-dockerhub
+          filters:
+            tags: &filters-release-tags
+              only: /^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?/
       - acceptanceTests:
           requires:
             - build
+          context:
+            - protocols-dockerhub
+            - protocols-signers
+          filters:
+            tags:
+              <<: *filters-release-tags
       - buildDocker:
           requires:
             - build
+          context:
+            - protocols-dockerhub
+          filters:
+            tags:
+              <<: *filters-release-tags
       - publish:
           filters:
             branches:
               only:
                 - master
                 - /^release-.*/
+            tags:
+              <<: *filters-release-tags
           requires:
             - build
             - acceptanceTests
+          context:
+            - protocols-dockerhub
+            - protocols-cloudsmith
       - publishDocker:
           filters:
             branches:
               only:
                 - master
                 - /^release-.*/
+            tags:
+              <<: *filters-release-tags
           requires:
             - build
             - acceptanceTests
             - buildDocker
+          context:
+            - protocols-dockerhub

.github/pull_request_template.md

@@ -0,0 +1,16 @@
+<!-- Thanks for sending a pull request! Please check out our contribution guidelines: -->
+<!-- https://github.com/ConsenSys/ethsigner/blob/master/CONTRIBUTING.md -->
+
+## PR Description
+
+## Fixed Issue(s)
+<!-- Please link to fixed issue(s) here using format: fixes #<issue number> -->
+<!-- Example: "fixes #2" -->
+
+## Documentation
+
+- [ ] I thought about documentation and added the `doc-change-required` label to this PR if updates are required.
+
+## Changelog
+
+- [ ] I thought about adding a changelog entry, and added one if I deemed necessary.

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '0 19 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        queries: security-and-quality
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.github/workflows/trivy-analysis.yml

@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: build
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '0 19 * * 0'
+
+jobs:
+  build:
+    name: Build
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+      - name: Build an image from Dockerfile
+        run: |
+          ./gradlew --no-daemon --parallel build -x test distDocker
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2
+        with:
+          image-ref: 'consensys/ethsigner:develop'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'

.gitignore

@@ -26,3 +26,4 @@ tmp/
 build/
 out/
 docker/reports/*
+.vscode