diff --git a/.commitlint/hooks/commit-msg b/.commitlint/hooks/commit-msg deleted file mode 100755 index afeb099b..00000000 --- a/.commitlint/hooks/commit-msg +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/sh - -if ! type commitlint >/dev/null 2>/dev/null; then - echo "" - echo "commitlint could not be found" - echo "try again after installing commitlint or add commitlint to PATH" - echo "" - exit 2; -fi - -commitlint lint --message $1 - diff --git a/.commitlint/hooks/pre-commit b/.commitlint/hooks/pre-commit deleted file mode 100755 index 96d7291b..00000000 --- a/.commitlint/hooks/pre-commit +++ /dev/null @@ -1,4 +0,0 @@ -#!/bin/bash - -make lint || exit 1 -make test \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml index c7edf884..df200a9c 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -1,7 +1,11 @@ version: 2 updates: - package-ecosystem: 'gomod' - directory : "/" + directory: "/" + schedule: + interval: "daily" + target-branch: QA-Test + - package-ecosystem: github-actions + directory: "/" schedule: interval: "daily" - target-branch: QA-Test \ No newline at end of file diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a32da907..346adf25 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,10 +17,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: 'go.mod' @@ -38,14 +38,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version-file: 'go.mod' - name: golangci-lint - uses: golangci/golangci-lint-action@v4 + uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc #v4.0.1 with: version: v1.55.2 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index a69b6be9..aac7daa1 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -24,18 +24,18 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0 with: languages: ${{ matrix.language }} queries: +security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@5973e2313ac1b9aaedb1f911a1e91228cde07d28 # v2.26.0 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml new file mode 100644 index 00000000..e5249d4e --- /dev/null +++ b/.github/workflows/dependency-review.yml @@ -0,0 +1,14 @@ +name: 'Dependency Review' +on: [pull_request] + +permissions: + contents: read + +jobs: + dependency-review: + runs-on: ubuntu-latest + steps: + - name: 'Checkout Repository' + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: 'Dependency Review' + uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 \ No newline at end of file diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml index a7c810a3..da2e3045 100644 --- a/.github/workflows/deploy-dev.yml +++ b/.github/workflows/deploy-dev.yml @@ -1,4 +1,4 @@ -name: CD for flyover-api dev +name: CD for flyover-api dev on: push: @@ -15,13 +15,13 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v2 - + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 with: role-to-assume: ${{ secrets.DEV_ROLE_ARN }} - aws-region: ${{ secrets.AWS_REGION }} + aws-region: ${{ secrets.AWS_REGION }} - name: Execute deployment command on EC2 instance run: | diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml deleted file mode 100644 index c1509569..00000000 --- a/.github/workflows/e2e.yml +++ /dev/null @@ -1,30 +0,0 @@ -name: LPS E2E test - -on: - pull_request: - branches: - - '*' - -jobs: - e2e-test: - runs-on: ubuntu-18.04 - steps: - - name: Set up Go 1.18 - uses: actions/setup-go@v3 - with: - go-version: 1.18 - - - name: Check out repository code - uses: actions/checkout@v2 - - - name: Building LPS environment... - run: cd docker-compose/local/ && LPS_STAGE=regtest sh lps-env.sh build - - - name: Setting LPS environment up... - run: cd docker-compose/local/ && LPS_STAGE=regtest sh lps-env.sh up && sleep 300 - - - name: Checking LPS health... - run: docker ps && curl -X GET http://localhost:8080/health - - - name: Shutting LPS environment down... - run: cd docker-compose/local/ && LPS_STAGE=regtest sh lps-env.sh down diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml new file mode 100644 index 00000000..9325d67c --- /dev/null +++ b/.github/workflows/scorecard.yml @@ -0,0 +1,42 @@ +name: Scorecard supply-chain security +on: + branch_protection_rule: + schedule: + - cron: '0 0 * * 1' + push: + branches: [ "master" ] + +permissions: read-all + +jobs: + analysis: + name: Scorecard analysis + runs-on: ubuntu-latest + permissions: + security-events: write + id-token: write + + steps: + - name: "Checkout code" + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + with: + persist-credentials: false + + - name: "Run analysis" + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 + with: + results_file: results.sarif + results_format: sarif + publish_results: true + + - name: "Upload artifact" + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 + with: + name: SARIF file + path: results.sarif + retention-days: 5 + + - name: "Upload to code-scanning" + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: results.sarif \ No newline at end of file diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 00000000..2457ed97 --- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,46 @@ +repos: + - repo: https://github.com/golangci/golangci-lint + rev: v1.55.2 + hooks: + - id: golangci-lint-full + - repo: https://github.com/commitizen-tools/commitizen + rev: v3.29.0 + hooks: + - id: commitizen + - repo: local + hooks: + - id: unit-tests + name: LPS Unit Tests + entry: make test + language: system + types: [go] + - repo: local + hooks: + - id: code-style + name: LPS Code Style Check + entry: make lint + language: system + types: [go] + - repo: https://github.com/gitleaks/gitleaks + rev: v8.16.3 + hooks: + - id: gitleaks + - repo: https://github.com/jumanjihouse/pre-commit-hooks + rev: 3.0.0 + hooks: + - id: shellcheck + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: "trailing-whitespace" + - id: "end-of-file-fixer" + exclude: '\.tf\.json$' + - id: "check-yaml" + args: + - "--unsafe" + - id: "check-executables-have-shebangs" + - id: "check-case-conflict" + - repo: https://github.com/mrtazz/checkmake.git + rev: 0.2.2 + hooks: + - id: checkmake diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..a9d94e73 --- /dev/null +++ b/LICENSE @@ -0,0 +1,21 @@ +MIT License + +Copyright (c) 2024 RootstockLabs + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. diff --git a/Makefile b/Makefile index 3c5f2917..6a1d7497 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -.PHONY: test +.PHONY: test all clean COVER_FILE = coverage/cover.out TEMPORAL_COVER_FILE =$(shell pwd)/coverage/cover.out.temp @@ -6,14 +6,11 @@ TEMPORAL_COVER_FILE =$(shell pwd)/coverage/cover.out.temp filter_coverage_file = grep -v "internal/adapters/dataproviders/rootstock/bindings" $(1) > coverage/temp.txt && mv coverage/temp.txt $(1) tools: download - go install github.com/parvez3019/go-swagger3@latest + go install github.com/parvez3019/go-swagger3@fef3d30b0707883c389261bf26297eebd10d7216 #v1.0.3 go install golang.org/x/vuln/cmd/govulncheck@latest - go install github.com/conventionalcommit/commitlint@latest - go env GOPATH + pip3 install pre-commit && pre-commit install curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(shell go env GOPATH)/bin v1.55.2 - # installation with brew is because mockery team doesnt recommend to install with go install, - # if you don't have brew feel free to comment this line and install mockery with other method - brew install mockery && brew upgrade mockery + brew install mockery && brew upgrade mockery # installation with brew is because mockery team doesnt recommend to install with go install, if you don't have brew feel free to comment this line and install mockery with other method download: go mod download @@ -37,16 +34,13 @@ api: go-swagger3 --module-path . \ --main-file-path ./cmd/application/main.go \ --handler-path ./internal/adapters/entrypoints/rest/handlers \ - --output OpenApi.yml \ - --schema-without-pkg \ - --generate-yaml true + --output OpenApi.yml --schema-without-pkg --generate-yaml true coverage: clean mkdir -p coverage go test -v -race -covermode=atomic -coverpkg=./pkg/...,./internal/...,./cmd/... -coverprofile=$(TEMPORAL_COVER_FILE) ./pkg/... ./internal/... ./cmd/... $(call filter_coverage_file, $(TEMPORAL_COVER_FILE)) - go tool cover -func "$(TEMPORAL_COVER_FILE)" - go tool cover -html="$(TEMPORAL_COVER_FILE)" + go tool cover -func "$(TEMPORAL_COVER_FILE)" && go tool cover -html="$(TEMPORAL_COVER_FILE)" rm $(TEMPORAL_COVER_FILE) coverage-report: clean diff --git a/README.md b/README.md index e65d0252..b64935c7 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Liquidity Provider Server +[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/rsksmart/liquidity-provider-server/badge)](https://scorecard.dev/viewer/?uri=github.com/rsksmart/liquidity-provider-server) -This is a server that interacts with a [Liquidity Bridge Contract (LBC)](https://github.com/rsksmart/liquidity-bridge-contract) to provide liquidity for users +This is a server that interacts with a [Liquidity Bridge Contract (LBC)](https://github.com/rsksmart/liquidity-bridge-contract) to provide liquidity for users as part of the Flyover protocol. This server performs all the necessary operations to play the role of the Liquidity Provider, involving transactions in both Rootstock and Bitcoin networks. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..068a96b4 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,27 @@ +# Reporting Security Issues + +The Rootstock team and community take security bugs in Rootstock seriously. Beside this project is out of our Bug Bounty Program scope, we appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. + + +## Responsible Disclosure + +For all security related issues, the Liquidity Provider Server has two main points of contact. Reach us at or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/liquidity-provider-server/security/advisories/new) tab. + +The Rootstock team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +**Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/rsksmart/liquidity-provider-server/issues). + +## Vulnerability Handling + +### Response Time + +RootstockLabs will make the best effort to meet the following response times for reported vulnerabilities: + +* Time to first response (from report submit) - 5 business days +* Time to triage (from report submit) - 7 business days + +We’ll try to keep you informed about our progress throughout the process. + +### Disclosure Policy + +Follow our [disclosure guidelines](https://www.rootstocklabs.com/bounty-program/).