Add cargo-audit action and update existing CI job to include Soteria (#19)

2022-01-05 13:01:12 +00:00 · 2022-01-05 13:01:12 +00:00 · 007dc64d3d
parent 18edcd602e
commit 007dc64d3d
3 changed files with 112 additions and 4 deletions
--- a/.cargo/audit.toml
+++ b/.cargo/audit.toml
@ -0,0 +1,35 @@
+# All of the options which can be passed via CLI arguments can also be
+# permanently specified in this file.
+
+# RUSTSEC-2020-0071 and RUSTSEC-2020-0159 are low severity vulnerable upstream Solana crates. Ignored for now.
+
+[advisories]
+ignore = ["RUSTSEC-2020-0071","RUSTSEC-2020-0159"] # advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+informational_warnings = ["unmaintained"] # warn for categories of informational advisories
+severity_threshold = "medium" # CVSS severity ("none", "low", "medium", "high", "critical")
+
+# Advisory Database Configuration
+[database]
+path = "~/.cargo/advisory-db" # Path where advisory git repo will be cloned
+url = "https://github.com/RustSec/advisory-db.git" # URL to git repo
+fetch = true # Perform a `git fetch` before auditing (default: true)
+stale = false # Allow stale advisory DB (i.e. no commits for 90 days, default: false)
+
+# Output Configuration
+[output]
+deny = [] # exit on error if unmaintained dependencies are found
+format = "terminal" # "terminal" (human readable report) or "json"
+quiet = false # Only print information on error
+show_tree = false # Show inverse dependency trees along with advisories (default: true)
+
+# Target Configuration
+[target]
+# arch = "x86_64" # Ignore advisories for CPU architectures other than this one
+# os = "linux" # Ignore advisories for operating systems other than this one
+
+[packages]
+source = "all" # "all", "public" or "local"
+
+[yanked]
+enabled = false # Warn for yanked crates in Cargo.lock (default: true)
+update_index = true # Auto-update the crates.io index (default: true)
--- a/.github/workflows/ci-cargo-audit.yml
+++ b/.github/workflows/ci-cargo-audit.yml
@ -0,0 +1,46 @@
+# CI job for scanning Cargo dependencies for vulnerabilities and report/fail job based on criticality.
+# Critically vulnerable dependencies with fix available will mark the run as failed (X)
+name: Rust Cargo Audit
+
+on:
+  push:
+    branches: master
+  pull_request:
+    branches: master
+
+  # Allowing manual runs with ability to choose branch
+  workflow_dispatch:
+
+# Optimisation option by targeting direct paths to only scan when there are changes to dependencies in the push/PR
+#  push:
+#    paths: 
+#      - 'Cargo.toml'
+#      - 'Cargo.lock'
+#  pull_request:
+#    paths: 
+#      - 'Cargo.toml'
+#      - 'Cargo.lock'
+      
+# Example of running scheduled scans at 6AM UTC every Monday to regularly check for vulnerable dependencies
+#  schedule:
+#  - cron: '0 6 * * 1'
+  
+# Run the job
+jobs:
+  Cargo-audit:
+    name: Cargo Vulnerability Scanner
+    runs-on: ubuntu-latest
+    steps:
+      # Check out GitHub repo
+      - uses: actions/checkout@v2
+      
+      # Install cargo audit
+      - name: Install Cargo Audit
+        uses: actions-rs/install@v0.1
+        with:
+          crate: cargo-audit
+          version: latest
+          
+      # Run cargo audit using args from .cargo/audit.toml (ignores, etc.)
+      - name: Run Cargo Audit
+        run: cargo audit -c always
--- a/.github/workflows/ci-lint-test.yml
+++ b/.github/workflows/ci-lint-test.yml
@ -1,5 +1,4 @@
-name: CI
-
+name: Lint, test & scan
 on:
  push:
    branches: [master, v*.*]
@ -17,6 +16,7 @@ defaults:

 jobs:
  lint:
+    name: Install and run linters
    runs-on: ubuntu-latest

    steps:
@ -38,6 +38,7 @@ jobs:
        run: cargo clippy -- --deny=warnings --allow=clippy::style --allow=clippy::complexity

  tests:
+    name: Install and run tests
    runs-on: ubuntu-latest

    steps:
@ -52,7 +53,7 @@ jobs:
          toolchain: ${{ env.RUST_TOOLCHAIN }}
      - name: Cache dependencies
        uses: Swatinem/rust-cache@v1
-
+        
      # Install Solana
      - name: Cache Solana binaries
        uses: actions/cache@v2
@ -68,5 +69,31 @@ jobs:
          echo "Generating keypair..."
          solana-keygen new -o "$HOME/.config/solana/id.json" --no-passphrase --silent

-      - name: Run tests
+      - name: Run bpf tests
        run: cargo test-bpf
+
+        # Create a cache for Soteria
+      - name: Cache Soteria
+        id: cache-soteria
+        uses: actions/cache@v2
+        with:
+          path: ~/.cache/soteria
+          key: ${{ runner.os }}-soteria
+          
+        # Install Soteria  
+      - name: Install Soteria
+        run: |
+          echo "Downloading Soteria..."
+          sh -c "$(curl -k https://supercompiler.xyz/install)"
+          export PATH=$PWD/soteria-linux-develop/bin/:$PATH
+          echo "$PWD/soteria-linux-develop/bin" >> $GITHUB_PATH
+          echo "Updating Rust..."
+          rustup update
+          echo "Soteria ready!"
+          
+      # Run Soteria tests against Cargo.toml for this repo (root folder)
+      - name: Run Soteria
+        run: |
+          echo "Running Soteria..."
+          soteria -analyzeAll .
+          echo "Soteria finished!"