diff --git a/.cargo/audit.toml b/.cargo/audit.toml
new file mode 100644
index 000000000..3b9513abf
--- /dev/null
+++ b/.cargo/audit.toml
@@ -0,0 +1,10 @@
+[advisories]
+ignore = [
+ # remove_dir_all (used by deprecated tempdir crate)
+ "RUSTSEC-2023-0018",
+ # DoS in WebPKI that comes with tide_disco
+ "RUSTSEC-2023-0052",
+ # Tungstenite allows remote attackers to cause a denial of service
+ # Dependency of async-tungstenite -> tide-websockets / surf-disco
+ "RUSTSEC-2023-0065",
+]
diff --git a/.env b/.env
index e90e29303..d1a551bd5 100644
--- a/.env
+++ b/.env
@@ -84,4 +84,4 @@ ESPRESSO_SEQUENCER_DEPLOY_LIGHTCLIENT_CONTRACT=yes
 # Load generator
 ESPRESSO_SUBMIT_TRANSACTIONS_DELAY=1s
-ESPRESSO_SUBMIT_TRANSACTIONS_PORT=50010
+ESPRESSO_SUBMIT_TRANSACTIONS_PORT=44010
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
new file mode 100644
index 000000000..e81c4d41b
--- /dev/null
+++ b/.github/workflows/audit.yml
@@ -0,0 +1,19 @@
+name: Security audit
+on:
+ push:
+ # For PR we only want to fail if dependencies were changed.
+ paths:
+ - "**/Cargo.toml"
+ - "**/Cargo.lock"
+ # Run the audit job once a day on main.
+ schedule:
+ - cron: "0 0 * * *"
+jobs:
+ security_audit:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ # See https://github.com/marketplace/actions/rust-audit-check for docs
+ - uses: actions-rs/audit-check@v1
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 7ae431720..67e48ebfd 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -35,6 +35,3 @@ jobs:
 - name: Check
 run: cargo clippy --workspace --all-features --all-targets -- -D warnings
-
- - name: Audit
- run: cargo audit --ignore RUSTSEC-2023-0018 --ignore RUSTSEC-2023-0052 --ignore RUSTSEC-2023-0065
diff --git a/.github/workflows/test-demo-native.yml b/.github/workflows/test-demo-native.yml
index 611319c06..4d5af3c62 100644
--- a/.github/workflows/test-demo-native.yml
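Review bot: The new `[advisories] ignore` entries say why each RUSTSEC id is suppressed but not what would let it be dropped, so once the explicit `--ignore` flags are gone from lint.yml nothing will prompt anyone to revisit them. Pair each id with its retirement condition, e.g. `# RUSTSEC-2023-0018: drop once the tempdir crate is gone from the tree`, `# RUSTSEC-2023-0052: drop once tide-disco stops pulling in webpki`, and `# RUSTSEC-2023-0065: drop once async-tungstenite moves off the affected range`. The comments describe all three as denial-of-service issues, so a note on which of the workspace's binaries actually reach the affected code would also tell a reader how much risk the suppression accepts.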
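Review bot: `ESPRESSO_SUBMIT_TRANSACTIONS_PORT=44010` here and `LOAD_GENERATOR=http://localhost:44010` in scripts/smoke-test-demo are the same value maintained in two places, and this commit had to change both in lockstep. If the smoke test runs with `.env` loaded (the hunk does not show that), let it derive the URL from the variable, `LOAD_GENERATOR=http://localhost:${ESPRESSO_SUBMIT_TRANSACTIONS_PORT:-44010}`, so the next port move cannot leave the two out of step. A short comment on why the port moved off 50010 would also save the next reader a blame lookup.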
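Review bot: `actions-rs/audit-check@v1` is pinned by a mutable tag, so whoever can move that tag controls what runs with this job's `GITHUB_TOKEN`; pin it (and `actions/checkout@v4`) to a full commit SHA with the tag in a trailing comment, `- uses: actions-rs/audit-check@<full-commit-sha> # v1`, and since the actions-rs organisation is no longer maintained, check whether the rustsec organisation's maintained fork of this action can be used instead. The workflow also runs with the default token scope; add a top-level `permissions:` block limited to `contents: read` plus whatever the action needs to post its result (it appears to create a check run, which would need `checks: write`). Finally, the comment `For PR we only want to fail if dependencies were changed` describes a `pull_request` trigger, but the only event besides the schedule is `push`; either add `pull_request:` with the same `paths` filter or reword the comment.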
+++ b/.github/workflows/test-demo-native.yml
@@ -50,4 +50,4 @@ jobs:
 run: |
 export PATH="$PWD/target/release:$PATH"
 scripts/demo-native --tui=false &
- scripts/smoke-test-demo
+ timeout -v 600 scripts/smoke-test-demo
diff --git a/Cargo.lock b/Cargo.lock
index 540799243..587a1ae46 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -5576,9 +5576,9 @@ dependencies = [
 [[package]]
 name = "mio"
-version = "0.8.10"
+version = "0.8.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f3d0b296e374a4e6f3c7b0a1f5a51d748a0d34c85e7dc48fc3fa9a87657fe09"
+checksum = "a4a650543ca06a924e8b371db273b2756685faae30f8487da1b56505a8f78b0c"
 dependencies = [
 "libc",
 "wasi 0.11.0+wasi-snapshot-preview1",
@@ -9378,6 +9378,12 @@ version = "0.11.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
+[[package]]
+name = "wasite"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b8dad83b4f25e74f184f64c43b150b91efe7647395b42289f38e50566d82855b"
+
 [[package]]
 name = "wasm-bindgen"
 version = "0.2.91"
@@ -9483,11 +9489,12 @@ checksum = "5f20c57d8d7db6d3b86154206ae5d8fba62dd39573114de97c2cb0578251f8e1"
 [[package]]
 name = "whoami"
-version = "1.4.1"
+version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22fc3756b8a9133049b26c7f61ab35416c130e8c09b660f5b3958b446f52cc50"
+checksum = "0fec781d48b41f8163426ed18e8fc2864c12937df9ce54c88ede7bd47270893e"
 dependencies = [
- "wasm-bindgen",
+ "redox_syscall",
+ "wasite",
 "web-sys",
 ]
diff --git a/README.md b/README.md
index 449ef8712..7eefc2beb 100644
--- a/README.md
+++ b/README.md
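Review bot: `timeout -v 600 scripts/smoke-test-demo` only sends SIGTERM when the limit expires and then waits for the script to exit, so if the script or a child it is waiting on does not act on TERM the step can still outlive the intended 10-minute bound; add an escalation, `timeout -v -k 30 600 scripts/smoke-test-demo`, so SIGKILL follows 30 seconds later. The backgrounded `scripts/demo-native --tui=false &` on the line above is not stopped on the timeout path either; the runner reaps it when the job ends, but capturing `$!` after the `&` and killing it once the smoke test returns would make the step self-contained and keep its logs readable. The step definition around this `run:` block starts outside the hunk.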
@@ -3,6 +3,7 @@
 [![Build](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/build.yml/badge.svg)](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/build.yml)
 [![Contracts](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/contracts.yml/badge.svg)](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/contracts.yml)
 [![Lint](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/lint.yml/badge.svg)](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/lint.yml)
+[![Audit](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/audit.yml/badge.svg)](https://github.com/EspressoSystems/espresso-sequencer/actions/workflows/audit.yml)
 The Espresso Sequencer offers rollups credible neutrality and enhanced interoperability, without compromising on scale.
 Consisting of a data availability solution and a decentralized network of nodes that sequences transactions, layer-2
diff --git a/scripts/smoke-test-demo b/scripts/smoke-test-demo
index 0e9a85cd5..39a5609e0 100755
--- a/scripts/smoke-test-demo
+++ b/scripts/smoke-test-demo
@@ -3,7 +3,7 @@ set -e
 SERVER=http://localhost:50000
-LOAD_GENERATOR=http://localhost:50010
+LOAD_GENERATOR=http://localhost:44010
 # Wait for the load generator to start.