Merge pull request #84 from lightsail-network/publish (B2CA-1730)

New Release

.clang-format

@@ -17,3 +17,4 @@ AllowShortFunctionsOnASingleLine: None
 BinPackArguments: false
 BinPackParameters: false
 ---
+

.clusterfuzzlite/Dockerfile

@@ -1,5 +1,16 @@
+FROM ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest AS LITE_BUILDER
+
+# Base image with clang toolchain
 FROM gcr.io/oss-fuzz-base/base-builder:v1
-RUN apt-get update && apt-get install -y make libssl-dev libbsd-dev
+
+RUN apt-get update && apt-get install -y libbsd-dev
+
+# Copy the project's source code.
 COPY . $SRC/app-stellar
+COPY --from=LITE_BUILDER /opt/ledger-secure-sdk $SRC/app-stellar/BOLOS_SDK
+
+# Working directory for build.sh
 WORKDIR $SRC/app-stellar
+
+# Copy build.sh into $SRC dir.
 COPY .clusterfuzzlite/build.sh $SRC/

.clusterfuzzlite/build.sh

@@ -3,7 +3,7 @@
 # build fuzzers
 
 pushd fuzz
-cmake -DCMAKE_C_COMPILER=clang -Bbuild -H.
+cmake -DBOLOS_SDK=../BOLOS_SDK -Bbuild -H.
 make -C build
 mv ./build/fuzz_tx $OUT/app-stellar-fuzz-tx
 popd

.clusterfuzzlite/project.yaml

@@ -1 +1 @@
-language: c++
+language: c++

.devcontainer/devcontainer.json

@@ -1,66 +1,30 @@
-// For format details, see https://aka.ms/vscode-remote/devcontainer.json or the definition README at
-// https://github.com/microsoft/vscode-dev-containers/tree/master/containers/ubuntu-18.04-git
+// For format details, see https://aka.ms/devcontainer.json.
 {
-  "name": "Ledger Dev",
-  "dockerFile": "Dockerfile",
-  "build": {
-    "args": {}
-  },
-  // https://code.visualstudio.com/remote/advancedcontainers/environment-variables
-  // BOLOS_SDK can be one of NANOS_SDK, NANOX_SDK and NANOSPLUS_SDK
-  "remoteEnv": {
-    "BOLOS_SDK": "${containerEnv:NANOS_SDK}",
-    "MNEMONIC": "other base behind follow wet put glad muscle unlock sell income october", // "${localEnv:MNEMONIC}"
-    "CTEST_OUTPUT_ON_FAILURE": "1",
-    "PIP_INDEX_URL": "https://mirrors.ustc.edu.cn/pypi/web/simple"
-  },
-  // The optional 'runArgs' property can be used to specify additional runtime arguments.
-  "runArgs": [
-    // Uncomment the line if you will use a ptrace-based debugger like C++, Go, and Rust.
-    "--cap-add=SYS_PTRACE",
-    "--security-opt",
-    "seccomp=unconfined"
-  ],
-  // Use 'settings' to set *default* container specific settings.json values on container create.
-  // You can edit these settings after create using File > Preferences > Settings > Remote.
-  "settings": {
-    "terminal.integrated.profiles.linux": {
-      "bash": {
-        "path": "/bin/bash"
-      },
-      "fish": {
-        "path": "/bin/fish"
-      }
-    },
-    "terminal.integrated.defaultProfile.linux": "fish"
-  },
-  // Use 'forwardPorts' to make a list of ports inside the container available locally.
-  // "forwardPorts": [3000],
-  // Use 'portsAttributes' to set default properties for specific forwarded ports. More info: https://code.visualstudio.com/docs/remote/devcontainerjson-reference.
-  "portsAttributes": {
-    "5000": {
-      "label": "Speculos Restful API",
-      "onAutoForward": "notify"
-    },
-    "9999": {
-      "label": "Speculos APDU Server TCP port",
-      "onAutoForward": "silent"
-    },
-  },
-  // Use 'otherPortsAttributes' to configure any ports that aren't configured using 'portsAttributes'.
-  "otherPortsAttributes": {
-    "onAutoForward": "silent"
-  },
-  // Uncomment the next line to run commands after the container is created.
-  // "postCreateCommand": "",
-  // Add the IDs of extensions you want installed when the container is created in the array below.
-  "extensions": [
-    "ms-vscode.cpptools-extension-pack",
-    "spmeesseman.vscode-taskexplorer",
-    "webfreak.debug"
-  ],
-  // Comment out to connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
-  // On Linux, this will prevent new files getting created as root, but you may need to update the USER_UID
-  // and USER_GID in .devcontainer/Dockerfile to match your user if not 1000.
-  "remoteUser": "ledgerdev"
+	"name": "ledgerdev",
+	"image": "ghcr.io/lightsail-network/ledger-devcontainer:latest",
+	// https://code.visualstudio.com/remote/advancedcontainers/environment-variables
+	// BOLOS_SDK can be one of NANOS_SDK, NANOSP_SDK, NANOX_SDK, STAX_SDK and FLEX_SDK
+	"remoteEnv": {
+		"BOLOS_SDK": "${containerEnv:NANOS_SDK}",
+		"MNEMONIC": "${localEnv:MNEMONIC}" // you can set this in your local environment to avoid typing it in every time
+	},
+	"forwardPorts": [
+		9999 // APDU port
+	],
+	"appPort": 5000,
+	"customizations": {
+		"vscode": {
+			"extensions": [
+				"ms-vscode.cpptools-extension-pack"
+			],
+			"settings": {
+				"terminal.integrated.defaultProfile.linux": "fish",
+				"terminal.integrated.shell.linux": {
+					"fish": {
+						"path": "/usr/bin/fish"
+					}
+				}
+			}
+		}
+	}
 }

.github/workflows/cflite_batch.yml

@@ -1,7 +1,8 @@
 name: ClusterFuzzLite batch fuzzing
 on:
+  workflow_dispatch:
   schedule:
-    - cron: '1 * * * 0' # Every sunday 
+    - cron: "0 8 * * 1" # At 08:00 on Monday.
 permissions: read-all
 jobs:
   BatchFuzzing:
@@ -11,22 +12,22 @@ jobs:
       matrix:
         sanitizer: [address, undefined, memory]
     steps:
-    - name: Build Fuzzers (${{ matrix.sanitizer }})
-      id: build
-      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
-      with:
-        language: c++
-        sanitizer: ${{ matrix.sanitizer }}
-    - name: Run Fuzzers (${{ matrix.sanitizer }})
-      id: run
-      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
-      with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
-        fuzz-seconds: 3600 # 1 hour
-        mode: 'batch'
-        sanitizer: ${{ matrix.sanitizer }}
-        # Optional but recommended: For storing certain artifacts from fuzzing.
-        # See later section on "Git repo for storage".
-        #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
-        #storage-repo-branch: main   # Optional. Defaults to "main"
-        #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+      - name: Build Fuzzers (${{ matrix.sanitizer }})
+        id: build
+        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+        with:
+          language: c++
+          sanitizer: ${{ matrix.sanitizer }}
+      - name: Run Fuzzers (${{ matrix.sanitizer }})
+        id: run
+        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fuzz-seconds: 3600 # 1 hour
+          mode: "batch"
+          sanitizer: ${{ matrix.sanitizer }}
+          # Optional but recommended: For storing certain artifacts from fuzzing.
+          # See later section on "Git repo for storage".
+          #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
+          #storage-repo-branch: main   # Optional. Defaults to "main"
+          #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".

.github/workflows/cflite_pr.yml

@@ -2,7 +2,7 @@ name: ClusterFuzzLite PR fuzzing
 on:
   pull_request:
     paths:
-      - '**'
+      - "**"
 permissions: read-all
 jobs:
   PR:
@@ -15,30 +15,30 @@ jobs:
       matrix:
         sanitizer: [address, undefined, memory]
     steps:
-    - name: Build Fuzzers (${{ matrix.sanitizer }})
-      id: build
-      uses: google/clusterfuzzlite/actions/build_fuzzers@v1
-      with:
-        language: c++
-        github-token: ${{ secrets.GITHUB_TOKEN }}
-        sanitizer: ${{ matrix.sanitizer }}
-        # Optional but recommended: used to only run fuzzers that are affected
-        # by the PR.
-        # See later section on "Git repo for storage".
-        #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
-        #storage-repo-branch: main   # Optional. Defaults to "main"
-        #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
-    - name: Run Fuzzers (${{ matrix.sanitizer }})
-      id: run
-      uses: google/clusterfuzzlite/actions/run_fuzzers@v1
-      with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
-        fuzz-seconds: 600 # 10 minutes
-        mode: 'code-change'
-        sanitizer: ${{ matrix.sanitizer }}
-        # Optional but recommended: used to download the corpus produced by
-        # batch fuzzing.
-        # See later section on "Git repo for storage".
-        #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
-        #storage-repo-branch: main   # Optional. Defaults to "main"
-        #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+      - name: Build Fuzzers (${{ matrix.sanitizer }})
+        id: build
+        uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+        with:
+          language: c++
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          sanitizer: ${{ matrix.sanitizer }}
+          # Optional but recommended: used to only run fuzzers that are affected
+          # by the PR.
+          # See later section on "Git repo for storage".
+          #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
+          #storage-repo-branch: main   # Optional. Defaults to "main"
+          #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".
+      - name: Run Fuzzers (${{ matrix.sanitizer }})
+        id: run
+        uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          fuzz-seconds: 600 # 10 minutes
+          mode: "code-change"
+          sanitizer: ${{ matrix.sanitizer }}
+          # Optional but recommended: used to download the corpus produced by
+          # batch fuzzing.
+          # See later section on "Git repo for storage".
+          #storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/LedgerHQ/fuzzers-corpus.git
+          #storage-repo-branch: main   # Optional. Defaults to "main"
+          #storage-repo-branch-coverage: gh-pages  # Optional. Defaults to "gh-pages".

.github/workflows/ci-workflow.yml

@@ -4,12 +4,11 @@ on:
   workflow_dispatch:
   push:
     branches:
-    - master
-    - develop
+      - master
+      - develop
   pull_request:
 
 jobs:
-
   build_application:
     name: Build application
     uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_build.yml@v1
@@ -33,7 +32,7 @@ jobs:
 
       - name: Build unit tests
         run: |
-          make tests-unit
+          CTEST_OUTPUT_ON_FAILURE=1 make tests-unit
 
       - name: Generate code coverage
         run: |
@@ -55,7 +54,7 @@ jobs:
           files: ./tests_unit/coverage.info
           flags: unittests
           name: codecov-app-stellar
-          fail_ci_if_error: true
+          fail_ci_if_error: false
           verbose: true
 
   e2e_tests:
@@ -72,9 +71,9 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Install node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: "16"
+          node-version: "20"
 
       - name: Build common js
         run: cd tests_common_js && npm install && npm run build
@@ -83,11 +82,14 @@ jobs:
         run: cd tests_zemu && npm install
 
       - name: Download app binaries
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: compiled_app_binaries
           path: build
 
+      - name: Copy plugin
+        run: cp -r tests_zemu/plugin_elfs/* build/
+
       - name: Run zemu tests
         run: cd tests_zemu && npm run test -- -t "\(${{ matrix.device }}\)"
 

.github/workflows/codeql_checks.yml

@@ -0,0 +1,40 @@
+name: "CodeQL"
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - master
+      - main
+      - develop
+  pull_request:
+
+jobs:
+  analyse:
+    name: Analyse
+    strategy:
+      matrix:
+        sdk: ["$NANOS_SDK", "$NANOX_SDK", "$NANOSP_SDK"]
+        #'cpp' covers C and C++
+        language: ["cpp"]
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest
+
+    steps:
+      - name: Clone
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      # CodeQL will create the database during the compilation
+      - name: Build
+        run: |
+          make BOLOS_SDK=${{ matrix.sdk }}
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/lint-workflow.yml

@@ -4,8 +4,8 @@ on:
   workflow_dispatch:
   push:
     branches:
-    - master
-    - develop
+      - master
+      - develop
   pull_request:
 
 jobs:
@@ -20,6 +20,6 @@ jobs:
       - name: Lint
         uses: DoozyX/clang-format-lint-action@v0.13
         with:
-          source: 'src tests_unit'
-          extensions: 'h,c'
+          source: "src tests_unit"
+          extensions: "h,c"
           clangFormatVersion: 12

.github/workflows/swap-ci-workflow.yml

@@ -4,8 +4,8 @@ on:
   workflow_dispatch:
   push:
     branches:
-    - master
-    - develop
+      - master
+      - develop
   pull_request:
 
 jobs:
@@ -14,3 +14,4 @@ jobs:
     with:
       branch_for_stellar: ${{ github.ref }}
       test_filter: '"XLM or xlm or Stellar or stellar"'
+      repo_for_stellar: ${{ github.repository }}