semiotic-ai / timeline-aggregation-protocol

A fast, efficient and trust-minimized unidirectional micro-payments system.
Apache License 2.0

ci: Added Cargo Audit #62

Closed pablogmorales closed 1 year ago

pablogmorales commented 1 year ago

Added audit plugin security checks.

github-actions[bot] commented 1 year ago

Coverage after merging cargo-audit into main will be

91.13%

Coverage Report

| File | Stmts | Branches | Funcs | Lines | Uncovered Lines |
|---|---|---|---|---|---|
| **tap_core/src** | | | | | |
| eip_712_signed_message.rs | 64.10% | 100% | 44.44% | 70% | 41, 52 |
| lib.rs | 96.49% | 100% | 86.67% | 97.98% | |
| receipt_aggregate_voucher.rs | 81.58% | 100% | 57.14% | 87.10% | 21 |
| **tap_core/src/adapters/test** | | | | | |
| allocation_adapter_mock.rs | 50% | 100% | 50% | 50% | 14–16, 18–20 |
| allocation_adapter_test.rs | 100% | 100% | 100% | 100% | |
| collateral_adapter_mock.rs | 82.98% | 100% | 71.43% | 85% | 25–26, 44, 50–52 |
| collateral_adapter_test.rs | 100% | 100% | 100% | 100% | |
| rav_storage_adapter_mock.rs | 94.74% | 100% | 83.33% | 96.88% | 7 |
| rav_storage_adapter_test.rs | 100% | 100% | 100% | 100% | |
| receipt_adapter_mock.rs | 97.65% | 100% | 93.33% | 98.57% | 5 |
| receipt_adapter_test.rs | 100% | 100% | 100% | 100% | |
| **tap_core/src/tap_receipt** | | | | | |
| mod.rs | 75% | 100% | 57.14% | 82.35% | |
| receipt.rs | 67.65% | 100% | 55.56% | 72% | 20, 44 |
| received_receipt.rs | 82.42% | 100% | 75.86% | 83.82% | 100–102, 109–111, 113–115, 160, 171, 185–187, 95–97 |

aasseman commented 1 year ago

Looks good. Could you have it print the output in the PR conversation?

ColePBryan commented 1 year ago

Would it be possible to have it comment any audit warnings that are added by the PR, or something similar, to bring light to warnings that show up? I wouldn't want it to fail on warnings, but it would be nice if it didn't just silently pass.

Edit: I just saw @aasseman's comment, which is basically the same thing... 😬

pablogmorales commented 1 year ago

Yup, that's what I am seeing in some cases: it passes even though there is a warning and fails only on errors.


pablogmorales commented 1 year ago

It just passed.


pablogmorales commented 1 year ago

I think this is the key: `-D, --deny` exit with an error on: warnings (any), unmaintained, unsound,


aasseman commented 1 year ago

@pablogmorales We don't want it to fail on warnings, but just print it in the PR discussion.
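The policy asked for above (surface warnings in the PR discussion, fail only on real vulnerabilities), as an added example that is not the repository's own workflow: a POSIX sh wrapper that assumes cargo-audit is run without `-D` (so its exit status is non-zero only for vulnerabilities or a failed run) and that the comment body is posted with `gh pr comment`. The sample report inside is constructed to mirror the run posted on this PR.

```shell
#!/bin/sh
# Added example (not this repository's workflow). cargo-audit is run WITHOUT
# -D, so warning-class advisories (unsound, unmaintained, yanked) never fail
# the job; the captured report becomes a PR comment and the job fails only
# when cargo-audit's own exit status is non-zero.

# Number of advisories printed in warning mode: the text report has one
# "Warning:   <kind>" line per such advisory (the trailing lowercase
# "warning: N allowed warnings found" summary line is not counted).
count_audit_warnings() {
  n=$(grep -c '^Warning:' "$1" 2>/dev/null || true)
  echo "${n:-0}"
}

# Build the Markdown comment body for the PR.
#   $1 = path to the captured cargo-audit output
#   $2 = cargo-audit's exit status
# Prints the body on stdout; returns non-zero only when $2 was non-zero.
audit_comment() {
  report="$1"
  status="$2"
  warnings=$(count_audit_warnings "$report")
  if [ "$status" -ne 0 ]; then
    verdict="FAILED: cargo-audit exited $status (vulnerabilities found, or the audit itself failed)"
  elif [ "$warnings" -gt 0 ]; then
    verdict="passed with $warnings advisory warning(s), not blocking but please review"
  else
    verdict="passed with no advisories"
  fi
  fence=$(printf '\140\140\140')   # three backticks (octal 140) for the code block
  printf '## Cargo Audit Report\n\n**%s**\n\n<details><summary>Show report</summary>\n\n%s\n' \
    "$verdict" "$fence"
  cat "$report"
  printf '%s\n</details>\n' "$fence"
  [ "$status" -eq 0 ]
}

# Constructed sample report with the same shape as the run posted on this PR
# (one unsound warning, no vulnerabilities, exit status 0).
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
Scanning Cargo.lock for vulnerabilities (435 crate dependencies)
Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
warning: 1 allowed warning found
EOF

# In the CI job (assumed steps, not the project's own):
#   cargo audit > audit.txt 2>&1; status=$?
#   audit_comment audit.txt "$status" > comment.md; result=$?
#   gh pr comment "$PR_NUMBER" --body-file comment.md
#   exit "$result"
audit_comment "$SAMPLE_REPORT" 0
```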

github-actions[bot] commented 1 year ago

Coverage after merging cargo-audit into main will be

92.08%

Coverage Report

| File | Stmts | Branches | Funcs | Lines | Uncovered Lines |
|---|---|---|---|---|---|
| **tap_core/src** | | | | | |
| eip_712_signed_message.rs | 64.10% | 100% | 44.44% | 70% | 41, 52 |
| lib.rs | 96.49% | 100% | 86.67% | 97.98% | |
| receipt_aggregate_voucher.rs | 81.58% | 100% | 57.14% | 87.10% | 21 |
| **tap_core/src/adapters/test** | | | | | |
| collateral_adapter_mock.rs | 82.98% | 100% | 71.43% | 85% | 25–26, 44, 50–52 |
| collateral_adapter_test.rs | 100% | 100% | 100% | 100% | |
| rav_storage_adapter_mock.rs | 94.74% | 100% | 83.33% | 96.88% | 7 |
| rav_storage_adapter_test.rs | 100% | 100% | 100% | 100% | |
| receipt_checks_adapter_mock.rs | 87.18% | 100% | 83.33% | 87.88% | 49, 53–55 |
| receipt_checks_adapter_test.rs | 100% | 100% | 100% | 100% | |
| receipt_storage_adapter_mock.rs | 97.37% | 100% | 92.31% | 98.41% | 7 |
| receipt_storage_adapter_test.rs | 100% | 100% | 100% | 100% | |
| **tap_core/src/tap_receipt** | | | | | |
| mod.rs | 75% | 100% | 57.14% | 82.35% | |
| receipt.rs | 67.65% | 100% | 55.56% | 72% | 20, 44 |
| received_receipt.rs | 82.42% | 100% | 75.86% | 83.82% | 100–102, 109–111, 113–115, 160, 171, 185–187, 95–97 |

aasseman commented 1 year ago

It added the comment to the commit, can we have it in the PR instead?

github-actions[bot] commented 1 year ago

```
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
  Loaded 543 security advisories (from /usr/local/cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (379 crate dependencies)

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── criterion 0.4.0
│   └── tap_core 0.1.0
└── clap 3.2.24
    ├── svm-rs 0.2.22
    │   └── ethers-solc 2.0.3
    │       ├── ethers-etherscan 2.0.3
    │       │   ├── ethers-middleware 2.0.3
    │       │   │   └── ethers 2.0.3
    │       │   │       └── tap_core 0.1.0
    │       │   ├── ethers-contract-abigen 2.0.3
    │       │   │   ├── ethers-contract-derive 2.0.3
    │       │   │   │   ├── tap_core 0.1.0
    │       │   │   │   └── ethers-contract 2.0.3
    │       │   │   │       ├── tap_core 0.1.0
    │       │   │   │       ├── ethers-middleware 2.0.3
    │       │   │   │       └── ethers 2.0.3
    │       │   │   └── ethers-contract 2.0.3
    │       │   └── ethers 2.0.3
    │       └── ethers 2.0.3
    └── criterion 0.4.0

warning: 1 allowed warning found
```


github-actions[bot] commented 1 year ago

```
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
  Loaded 543 security advisories (from /usr/local/cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (379 crate dependencies)

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── criterion 0.4.0
│   └── tap_core 0.1.0
└── clap 3.2.25
    ├── svm-rs 0.2.22
    │   └── ethers-solc 2.0.3
    │       ├── ethers-etherscan 2.0.3
    │       │   ├── ethers-middleware 2.0.3
    │       │   │   └── ethers 2.0.3
    │       │   │       └── tap_core 0.1.0
    │       │   ├── ethers-contract-abigen 2.0.3
    │       │   │   ├── ethers-contract-derive 2.0.3
    │       │   │   │   ├── tap_core 0.1.0
    │       │   │   │   └── ethers-contract 2.0.3
    │       │   │   │       ├── tap_core 0.1.0
    │       │   │   │       ├── ethers-middleware 2.0.3
    │       │   │   │       └── ethers 2.0.3
    │       │   │   └── ethers-contract 2.0.3
    │       │   └── ethers 2.0.3
    │       └── ethers 2.0.3
    └── criterion 0.4.0

warning: 1 allowed warning found
```



tkornuta-semiotic commented 1 year ago

hey @pablogmorales as discussed today:

Thanks!

github-actions[bot] commented 1 year ago

🤖 Cargo Audit Report 🤖

Show Report

```
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
  Loaded 543 security advisories (from /usr/local/cargo/advisory-db)
Updating crates.io index
Scanning Cargo.lock for vulnerabilities (435 crate dependencies)

Crate:     atty
Version:   0.2.14
Warning:   unsound
Title:     Potential unaligned read
Date:      2021-07-04
ID:        RUSTSEC-2021-0145
URL:       https://rustsec.org/advisories/RUSTSEC-2021-0145
Dependency tree:
atty 0.2.14
├── criterion 0.4.0
│   └── tap_core 0.1.0
│       └── tap_aggregator 0.1.0
└── clap 3.2.25
    ├── svm-rs 0.2.22
    │   └── ethers-solc 2.0.4
    │       ├── ethers-etherscan 2.0.4
    │       │   ├── ethers-middleware 2.0.4
    │       │   │   └── ethers 2.0.4
    │       │   │       └── tap_core 0.1.0
    │       │   ├── ethers-contract-abigen 2.0.4
    │       │   │   ├── ethers-contract-derive 2.0.4
    │       │   │   │   ├── tap_core 0.1.0
    │       │   │   │   └── ethers-contract 2.0.4
    │       │   │   │       ├── tap_core 0.1.0
    │       │   │   │       ├── ethers-middleware 2.0.4
    │       │   │   │       └── ethers 2.0.4
    │       │   │   └── ethers-contract 2.0.4
    │       │   └── ethers 2.0.4
    │       └── ethers 2.0.4
    └── criterion 0.4.0

warning: 1 allowed warning found
```

Pusher: @pablogmorales, Action: pull_request, Working Directory: (empty), Workflow: `tests`

github-actions[bot] commented 1 year ago

Coverage after merging cargo-audit into main will be

82.31%

Coverage Report

| File | Stmts | Branches | Funcs | Lines | Uncovered Lines |
|---|---|---|---|---|---|
| **tap_aggregator/src** | | | | | |
| aggregator.rs | 92.45% | 100% | 100% | 90.70% | 40–43, 53–56 |
| main.rs | 3.23% | 100% | 6.67% | 2.13% | 12, 16–19, 21, 25–28, 30–33, 35–38, 40–41, 44–46, 49–56, 59–64, 67–71, 73 |
| server.rs | 92.59% | 100% | 100% | 90.16% | 51–55, 75 |
| **tap_core/src** | | | | | |
| eip_712_signed_message.rs | 83.78% | 100% | 80% | 85.19% | 56 |
| lib.rs | 87.50% | 100% | 87.50% | 87.50% | 17 |
| receipt_aggregate_voucher.rs | 92.11% | 100% | 85.71% | 93.55% | 21 |
| **tap_core/src/adapters/test** | | | | | |
| collateral_adapter_mock.rs | 82.98% | 100% | 71.43% | 85% | 28–29, 47, 53–55 |
| collateral_adapter_test.rs | 100% | 100% | 100% | 100% | |
| rav_storage_adapter_mock.rs | 94.74% | 100% | 83.33% | 96.88% | 10 |
| rav_storage_adapter_test.rs | 100% | 100% | 100% | 100% | |
| receipt_checks_adapter_mock.rs | 87.18% | 100% | 83.33% | 87.88% | 52, 56–58 |
| receipt_checks_adapter_test.rs | 95.83% | 100% | 100% | 95% | 56 |
| receipt_storage_adapter_mock.rs | 97.37% | 100% | 92.31% | 98.41% | 10 |
| receipt_storage_adapter_test.rs | 100% | 100% | 100% | 100% | |
| **tap_core/src/tap_receipt** | | | | | |
| mod.rs | 66.67% | 100% | 50% | 75% | |
| receipt.rs | 79.41% | 100% | 77.78% | 80% | 20, 44 |
| received_receipt.rs | 82.42% | 100% | 75.86% | 83.82% | 100–102, 109–111, 113–115, 160, 171, 185–187, 95–97 |