mardizzone/pos-944 Snyk integration

.github/workflows/ci.yml

@@ -14,18 +14,21 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Update Path
       run: echo "$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)" >> $GITHUB_PATH # Make it accessible from runner
     - name: Install solc
       run: |
         set -x
-        wget -c https://github.com/ethereum/solidity/releases/download/v0.5.12/solc-static-linux
+        wget -c https://github.com/ethereum/solidity/releases/download/v0.5.17/solc-static-linux
         mv solc-static-linux solc
         chmod +x solc
         solc --version
     - name: Setup Node.js environment
-      uses: actions/setup-node@v1.4.4
+      uses: actions/setup-node@v3
+      with:
+        node-version: '16'
+        registry-url: 'https://registry.npmjs.org'
     - name: Generate genesis file
       run: bash generate.sh 15001 heimdall-15001
     - name: Run tests

.github/workflows/security-ci.yml

@@ -0,0 +1,30 @@
+name: Security CI
+on: [push, pull_request]
+
+jobs:
+  snyk:
+    name: Snyk
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --org=${{ secrets.SNYK_ORG }} --severity-threshold=medium --sarif-file-output=snyk.sarif
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif
+
+  solhint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Get node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: "16.x"
+      - run: npm ci
+      - run: npx solhint "contracts/**/*.sol"

.gitignore

@@ -5,3 +5,7 @@ contracts/BorValidatorSet.sol
 pids
 logs
 genesis.json
+
+.idea
+
+.dccache

.snyk

@@ -0,0 +1,125 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  'snyk:lic:npm:ethereumjs:tx:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:15:06.869Z
+  'snyk:lic:npm:ethereumjs-tx:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:15:16.050Z
+  'snyk:lic:npm:ethereumjs-util:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:16:10.153Z
+  'snyk:lic:npm:rlp:MPL-2.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:17:01.101Z
+  'snyk:lic:npm:web3:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:18:01.101Z
+  'snyk:lic:npm:web3-bzz:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:01.101Z
+  'snyk:lic:npm:web3-core:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:02.520Z
+  'snyk:lic:npm:web3-core-helpers:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:03.100Z
+  'snyk:lic:npm:web3-core-method:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:03.585Z
+  'snyk:lic:npm:web3-core-promievent:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:19:03.733Z
+  'snyk:lic:npm:web3-core-requestmanager:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:00.000Z
+  'snyk:lic:npm:web3-core-subscriptions:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:00.000Z
+  'snyk:lic:npm:web3-eth:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:01.000Z
+  'snyk:lic:npm:web3-eth-abi:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:02.000Z
+  'snyk:lic:npm:web3-eth-accounts:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:03.000Z
+  'snyk:lic:npm:web3-eth-contract:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:04.000Z
+  'snyk:lic:npm:web3-eth-ens:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:05.000Z
+  'snyk:lic:npm:web3-eth-iban:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:06.000Z
+  'snyk:lic:npm:web3-eth-personal:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:07.000Z
+  'snyk:lic:npm:web3-net:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:08.000Z
+  'snyk:lic:npm:web3-providers-http:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:09.000Z
+  'snyk:lic:npm:web3-providers-ipc:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:10.000Z
+  'snyk:lic:npm:web3-providers-ws:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:11.000Z
+  'snyk:lic:npm:web3-shh:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:12.000Z
+  'snyk:lic:npm:web3-utils:LGPL-3.0':
+    - '*':
+        reason: 'As open source org, we have no issues with licenses'
+        created: 2022-11-14T15:20:13.000Z
+  'SNYK-JS-OPENZEPPELINSOLIDITY-2965800':
+    - '*':
+        reason: 'No upgrade or patch available. See https://security.snyk.io/vuln/SNYK-JS-OPENZEPPELINSOLIDITY-2965800'
+        created: 2022-11-15T09:14:00.000Z
+  'SNYK-JS-GOT-2932019':
+    - '*':
+        reason: 'Waiting for issue to be fixed. See https://github.com/trufflesuite/truffle/issues/5704'
+        created: 2022-11-15T09:16:00.000Z
+  'SNYK-JS-WEB3-174533':
+    - '*':
+        reason: 'Waiting for issue to be fixed. See https://github.com/trufflesuite/truffle/issues/5704'
+        created: 2022-11-15T09:16:30.000Z
+  'SNYK-JS-WS-1296835':
+    - '*':
+        reason: 'Waiting for issue to be fixed. See https://github.com/trufflesuite/truffle/issues/5704'
+        created: 2022-11-15T09:17:00.000Z
+patch: {}
+exclude:
+  global: # foollowing are used for tests, therefore private keys are mocked
+    - matic-contracts/scripts/*.js
+    - matic-contracts/moonwalker-migrations/*.js

.solcover.js

@@ -0,0 +1,4 @@
+module.exports = {
+    configureYulOptimizer: true,
+    skipFiles: ["mocks", "test"],
+};

.solhint.json

@@ -0,0 +1,12 @@
+{
+  "extends": "solhint:recommended",
+  "plugins": [],
+  "rules": {
+    "code-complexity": ["error", 8],
+    "compiler-version": ["error", "^0.5.2"],
+    "func-visibility": ["error", { "ignoreConstructors": true }],
+    "max-line-length": ["warn", 120],
+    "not-rely-on-time": "off",
+    "reason-string": ["warn", { "maxLength": 64 }]
+  }
+}

.solhintignore.json

@@ -0,0 +1,3 @@
+# directories
+**/lib
+**/node_modules

SECURITY.md

@@ -0,0 +1,14 @@
+# Polygon Technology Security Information
+
+## Link to vulnerability disclosure details (Bug Bounty)
+- Websites and Applications: https://hackerone.com/polygon-technology
+- Smart Contracts: https://immunefi.com/bounty/polygon
+
+## Languages that our team speaks and understands.
+Preferred-Languages: en
+
+## Security-related job openings at Polygon.
+https://polygon.technology/careers
+
+## Polygon security contact details
+security@polygon.technology

migrations/2_genesis_contracts_deploy.js

@@ -39,20 +39,18 @@ const libDeps = [
 module.exports = async function (deployer, network) {
     deployer.then(async () => {
         console.log('linking libs...')
-        await bluebird.map(libDeps, async e => {
+        for (let e of libDeps) {
             await deployer.deploy(e.lib)
             deployer.link(e.lib, e.contracts)
-        })
+        }
 
         console.log("Deploying contracts...")
-        await Promise.all([
-            deployer.deploy(BorValidatorSet),
-            deployer.deploy(TestBorValidatorSet),
-            deployer.deploy(StateReciever),
-            deployer.deploy(TestStateReceiver),
-            deployer.deploy(System),
-            deployer.deploy(ValidatorVerifier),
-            deployer.deploy(TestCommitState)
-        ])
+        await deployer.deploy(BorValidatorSet)
+        await deployer.deploy(TestBorValidatorSet)
+        await deployer.deploy(StateReciever)
+        await deployer.deploy(TestStateReceiver)
+        await deployer.deploy(System)
+        await deployer.deploy(ValidatorVerifier)
+        await deployer.deploy(TestCommitState)
     })
 }