From a386ba531489ce5a569aba864c0c508eb6a42bc2 Mon Sep 17 00:00:00 2001 From: Elias Rohrer Date: Thu, 1 Feb 2024 09:57:05 +0100 Subject: [PATCH 1/4] Disable `lightning-transaction-sync` integration tests on Windows .. as the `electrsd` crate doesn't support it. While we previously did so in our CI script, we now also `cfg`-gate the tests and dependencies for easier handling. --- lightning-transaction-sync/Cargo.toml | 4 ++-- lightning-transaction-sync/tests/integration_tests.rs | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lightning-transaction-sync/Cargo.toml b/lightning-transaction-sync/Cargo.toml index 26a82809e06..4118d3012ef 100644 --- a/lightning-transaction-sync/Cargo.toml +++ b/lightning-transaction-sync/Cargo.toml @@ -34,8 +34,8 @@ electrum-client = { version = "0.18.0", optional = true } lightning = { version = "0.0.121", path = "../lightning", default-features = false, features = ["std", "_test_utils"] } tokio = { version = "1.35.0", features = ["full"] } -[target.'cfg(not(no_download))'.dev-dependencies] +[target.'cfg(all(not(target_os = "windows"), not(no_download)))'.dev-dependencies] electrsd = { version = "0.26.0", default-features = false, features = ["legacy", "esplora_a33e97e1", "bitcoind_25_0"] } -[target.'cfg(no_download)'.dev-dependencies] +[target.'cfg(all(not(target_os = "windows"), no_download))'.dev-dependencies] electrsd = { version = "0.26.0", default-features = false, features = ["legacy"] } diff --git a/lightning-transaction-sync/tests/integration_tests.rs b/lightning-transaction-sync/tests/integration_tests.rs index 8aadf9a2ed1..48044b236bf 100644 --- a/lightning-transaction-sync/tests/integration_tests.rs +++ b/lightning-transaction-sync/tests/integration_tests.rs 
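Review bot: The `no_download` predicate in the two new `[target.'cfg(...)'.dev-dependencies]` tables is a custom cfg that only exists when the build is invoked with `--cfg no_download` in RUSTFLAGS, and nothing in the manifest declares it; on toolchains that enforce check-cfg (the `unexpected_cfgs` lint is warn-by-default from rustc 1.80) every occurrence will warn, which becomes a failure wherever the workspace builds with `-D warnings`. Declaring it once in the manifest avoids that, e.g. `[lints.rust]` followed by `unexpected_cfgs = { level = "warn", check-cfg = ['cfg(no_download)'] }`; older cargo versions ignore an unknown `[lints]` table with a warning, so this should be MSRV-safe, but worth confirming against the project's pinned toolchain. Note also that `target_os = "windows"` inside a `[target]` table describes the compilation target, whereas the commit message and the CI guard reason about the host; the two only coincide for native builds, which is presumably the intended case.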
@@ -1,4 +1,4 @@ -#![cfg(any(feature = "esplora-blocking", feature = "esplora-async", feature = "electrum"))] +#![cfg(all(not(target_os = "windows"), any(feature = "esplora-blocking", feature = "esplora-async", feature = "electrum")))] #[cfg(any(feature = "esplora-blocking", feature = "esplora-async"))] use lightning_transaction_sync::EsploraSyncClient; From 9ac42ed39415d8f8ab54285544c154e4f55ac7d2 Mon Sep 17 00:00:00 2001 From: Elias Rohrer Date: Thu, 1 Feb 2024 09:31:06 +0100 Subject: [PATCH 2/4] Move `lightning-transaction-sync` to main workspace .. so it's actually included in the audit. --- Cargo.toml | 2 +- ci/ci-tests.sh | 29 ++++++++++++++--------------- 2 files changed, 15 insertions(+), 16 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index a12f6ff9ff3..ddc82cd5d45 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -10,10 +10,10 @@ members = [ "lightning-background-processor", "lightning-rapid-gossip-sync", "lightning-custom-message", + "lightning-transaction-sync", ] exclude = [ - "lightning-transaction-sync", "no-std-check", "msrv-no-dev-deps-check", "bench", diff --git a/ci/ci-tests.sh b/ci/ci-tests.sh index 3eccc48798d..8b3ece5b575 100755 --- a/ci/ci-tests.sh +++ b/ci/ci-tests.sh @@ -63,8 +63,14 @@ PIN_RELEASE_DEPS # pin the release dependencies in our main workspace # The addr2line v0.21 crate (a dependency of `backtrace` starting with 0.3.69) relies on rustc 1.65 [ "$RUSTC_MINOR_VERSION" -lt 65 ] && cargo update -p backtrace --precise "0.3.68" --verbose +# Starting with version 0.5.9 (there is no .6-.8), the `home` crate has an MSRV of rustc 1.70.0. +[ "$RUSTC_MINOR_VERSION" -lt 70 ] && cargo update -p home --precise "0.5.5" --verbose + export RUST_BACKTRACE=1 +# Build `lightning-transaction-sync` in no_download mode. +export RUSTFLAGS="$RUSTFLAGS --cfg no_download" + echo -e "\n\nBuilding and testing all workspace crates..." cargo test --verbose --color always cargo check --verbose --color always 
@@ -84,25 +90,18 @@ popd if [[ "$HOST_PLATFORM" != *windows* ]]; then echo -e "\n\nBuilding and testing Transaction Sync Clients with features" pushd lightning-transaction-sync - # reqwest 0.11.21 had a regression that broke its 1.63.0 MSRV [ "$RUSTC_MINOR_VERSION" -lt 65 ] && cargo update -p reqwest --precise "0.11.20" --verbose - # Starting with version 1.10.0, the `regex` crate has an MSRV of rustc 1.65.0. - [ "$RUSTC_MINOR_VERSION" -lt 65 ] && cargo update -p regex --precise "1.9.6" --verbose - # Starting with version 0.5.9 (there is no .6-.8), the `home` crate has an MSRV of rustc 1.70.0. - [ "$RUSTC_MINOR_VERSION" -lt 70 ] && cargo update -p home --precise "0.5.5" --verbose - DOWNLOAD_ELECTRS_AND_BITCOIND - RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo test --verbose --color always --features esplora-blocking - RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo check --verbose --color always --features esplora-blocking - RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo test --verbose --color always --features esplora-async - RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo check --verbose --color always --features esplora-async - RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo test --verbose --color always --features esplora-async-https - RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo check --verbose --color always --features esplora-async-https - RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo test --verbose --color always --features electrum - RUSTFLAGS="$RUSTFLAGS --cfg no_download" cargo check --verbose --color always --features electrum - + cargo test --verbose --color always --features esplora-blocking + cargo check --verbose --color always --features esplora-blocking + cargo test --verbose --color always --features esplora-async + cargo check --verbose --color always --features esplora-async + cargo test --verbose --color always --features esplora-async-https + cargo check --verbose --color always --features esplora-async-https + cargo test --verbose --color 
always --features electrum + cargo check --verbose --color always --features electrum popd fi From 7299fe62c3f75b25aac8e3453f3506b7d140ea83 Mon Sep 17 00:00:00 2001 From: Elias Rohrer Date: Thu, 1 Feb 2024 09:41:01 +0100 Subject: [PATCH 3/4] Drop `reqwest` pin .. since a version with fixed MSRV was released by now. --- ci/ci-tests.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ci/ci-tests.sh b/ci/ci-tests.sh index 8b3ece5b575..baec6910130 100755 --- a/ci/ci-tests.sh +++ b/ci/ci-tests.sh @@ -90,8 +90,7 @@ popd if [[ "$HOST_PLATFORM" != *windows* ]]; then echo -e "\n\nBuilding and testing Transaction Sync Clients with features" pushd lightning-transaction-sync - # reqwest 0.11.21 had a regression that broke its 1.63.0 MSRV - [ "$RUSTC_MINOR_VERSION" -lt 65 ] && cargo update -p reqwest --precise "0.11.20" --verbose + DOWNLOAD_ELECTRS_AND_BITCOIND cargo test --verbose --color always --features esplora-blocking From fd705c79195397240a95ff52fc2848004ac3a26d Mon Sep 17 00:00:00 2001 From: Elias Rohrer Date: Tue, 30 Jan 2024 12:41:05 +0100 Subject: [PATCH 4/4] Introduce CI workflow running `cargo audit` In order to continuously monitor our dependencies for security vulnerabilities, we introduce a new CI job that will use `cargo audit` to check for any known vulnerabilities. This job is run on a daily schedule. For each new advisory, a new issue will be created. --- .github/workflows/audit.yml | 17 +++++++++++++++++ README.md | 3 ++- 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/audit.yml diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml new file mode 100644 index 00000000000..e7e82ee41ee --- /dev/null +++ b/.github/workflows/audit.yml 
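Review bot: With the per-command `RUSTFLAGS="$RUSTFLAGS --cfg no_download"` prefixes removed, this block silently depends on the `export RUSTFLAGS` done earlier in the same script; if that export is ever moved or dropped, the `electrsd` dev-dependency falls back to its downloading feature set and the binaries fetched by `DOWNLOAD_ELECTRS_AND_BITCOIND` go unused, so a one-line guard makes the coupling explicit: `[[ "$RUSTFLAGS" == *"--cfg no_download"* ]] || { echo "expected --cfg no_download in RUSTFLAGS"; exit 1; }`. `DOWNLOAD_ELECTRS_AND_BITCOIND` is defined outside the hunk and presumably fetches prebuilt `bitcoind`/`electrs` binaries over the network; since those binaries execute in CI against the code under test, confirm that the helper verifies a pinned checksum or signature rather than trusting whatever the URL currently serves. The enclosing `if [[ "$HOST_PLATFORM" != *windows* ]]` block starts outside the hunk.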
@@ -0,0 +1,17 @@ +name: Security Audit +on: + workflow_dispatch: + schedule: + - cron: '0 0 * * *' + +jobs: + audit: + runs-on: ubuntu-latest + permissions: + issues: write + checks: write + steps: + - uses: actions/checkout@v3 + - uses: rustsec/audit-check@v1.4.1 + with: + token: ${{ secrets.GITHUB_TOKEN }} diff --git a/README.md b/README.md index a4ab59b5383..f8de40f3193 100644 --- a/README.md +++ b/README.md @@ -4,8 +4,9 @@ Rust-Lightning [![Crate](https://img.shields.io/crates/v/lightning.svg?logo=rust)](https://crates.io/crates/lightning) [![Documentation](https://img.shields.io/static/v1?logo=read-the-docs&label=docs.rs&message=lightning&color=informational)](https://docs.rs/lightning/) [![Safety Dance](https://img.shields.io/badge/unsafe-forbidden-success.svg)](https://github.com/rust-secure-code/safety-dance/) +[![Security Audit](https://github.com/lightningdevkit/rust-lightning/actions/workflows/audit.yml/badge.svg)](https://github.com/lightningdevkit/rust-lightning/actions/workflows/audit.yml) -[LDK](https://lightningdevkit.org)/`rust-lightning` is a highly performant and flexible +[LDK](https://lightningdevkit.org)/`rust-lightning` is a highly performant and flexible implementation of the Lightning Network protocol. The primary crate, `lightning`, is runtime-agnostic. Data persistence, chain interactions,
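Review bot: Both actions in the new `steps` list are referenced by mutable tags (`actions/checkout@v3`, `rustsec/audit-check@v1.4.1`), so a retagged or compromised upstream release would run with this job's `issues: write` and `checks: write` token; for a workflow whose whole purpose is supply-chain monitoring, pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `- uses: rustsec/audit-check@<commit-sha> # v1.4.1`, and let Dependabot or Renovate bump the SHA. Because the job declares a `permissions:` block, every unlisted scope, including `contents`, is dropped to none; `actions/checkout` can still clone a public repository that way, but adding `contents: read` makes the intent explicit and keeps the job working if repository visibility ever changes. The workflow triggers only on `schedule` and `workflow_dispatch`, so a pull request that introduces an advisory-listed crate is not caught until the next nightly run; the upstream audit-check example additionally triggers on `push` with `paths: ['**/Cargo.toml', '**/Cargo.lock']`, which may be worth adding. `actions/checkout@v3` runs on the deprecated Node 16 runtime; `@v4` is the maintained line.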