From bd79473e1d76bec40b8571ddff172aa1bc30b0a2 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 11:21:40 -0600 Subject: [PATCH 01/30] chore: Test PR for Snyk Integration Signed-off-by: Roger Barker --- .github/workflows/build.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 01b610238..df1ce0f57 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,6 +1,8 @@ # SPDX-License-Identifier: Apache-2.0 name: PR Checks +INTENTIONALLY BREAKING + on: push: branches: From 07ece708c4fb85b8d616b155dcc963083cfd39b1 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 11:49:28 -0600 Subject: [PATCH 02/30] Update to include Snyk workflows Signed-off-by: Roger Barker --- .github/workflows/build.yml | 86 +++++++++++++++++++++++++++++- .github/workflows/snyk-monitor.yml | 58 ++++++++++++++++++++ 2 files changed, 142 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/snyk-monitor.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index df1ce0f57..64fc87eaa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,8 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 name: PR Checks -INTENTIONALLY BREAKING - on: push: branches: @@ -27,6 +25,7 @@ env: LC_ALL: C.UTF-8 GRADLE_CACHE_USERNAME: ${{ secrets.GRADLE_CACHE_USERNAME }} GRADLE_CACHE_PASSWORD: ${{ secrets.GRADLE_CACHE_PASSWORD }} + CG_EXEC: ionice -c 2 -n 2 nice -n 19 jobs: build: 
@@ -53,8 +52,91 @@ jobs: cache-read-only: false - name: Build SDK & Javadoc + id: gradle-build run: ./gradlew assemble + - name: Setup Snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + if: >- + ${{ + steps.gradle-build.conclusion == 'success' && + ( + github.event.pull_request.head.repo.full_name == github.repository || + github.event_name == 'push' + ) && + !cancelled() + }} + run: ${CG_EXEC} npm install -g snyk snyk-to-html @wcj/html-to-markdown-cli + + - name: Snyk Scan + id: snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + if: >- + ${{ + steps.gradle-build.conclusion == 'success' && + ( + github.event.pull_request.head.repo.full_name == github.repository || + github.event_name == 'push' + ) && + !cancelled() + }} + run: ${CG_EXEC} snyk test --all-sub-projects --severity-threshold=high --policy-path=.snyk --json-file-output=snyk-test.json --org=hiero-client-sdks + + - name: Snyk Code + id: snyk-code + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + if: >- + ${{ + steps.gradle-build.conclusion == 'success' && + ( + github.event.pull_request.head.repo.full_name == github.repository || + github.event_name == 'push' + ) && + !cancelled() + }} + run: ${CG_EXEC} snyk code test --severity-threshold=high --json-file-output=snyk-code.json --org=hiero-client-sdks + + - name: Publish Snyk Results + if: >- + ${{ + steps.gradle-build.conclusion == 'success' && + ( + github.event.pull_request.head.repo.full_name == github.repository || + github.event_name == 'push' + ) && + !cancelled() + }} + run: | + if [[ -f "snyk-test.json" && -n "$(cat snyk-test.json | tr -d '[:space:]')" ]]; then + snyk-to-html -i snyk-test.json -o snyk-test.html --summary + html-to-markdown snyk-test.html -o snyk + cat snyk/snyk-test.html.md >> $GITHUB_STEP_SUMMARY + fi + + if [[ -f "snyk-code.json" && -n "$(cat snyk-code.json | tr -d '[:space:]')" ]]; then + snyk-to-html -i snyk-code.json -o snyk-code.html --summary + html-to-markdown snyk-code.html -o snyk + cat snyk/snyk-code.html.md >> 
$GITHUB_STEP_SUMMARY + fi + + - name: Check Snyk Files + if: ${{ always() }} + run: | + echo "::group::Snyk File List" + ls -lah snyk* || true + echo "::endgroup::" + + echo "::group::Snyk Test Contents" + cat snyk-test.json || true + echo "::endgroup::" + + echo "::group::Snyk Code Contents" + cat snyk-code.json || true + echo "::endgroup::" + test: name: Unit and Integration Tests runs-on: hiero-client-sdk-linux-medium diff --git a/.github/workflows/snyk-monitor.yml b/.github/workflows/snyk-monitor.yml new file mode 100644 index 000000000..60984f745 --- /dev/null +++ b/.github/workflows/snyk-monitor.yml 
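Review bot: The `Setup Snyk` step installs three unpinned npm packages (`npm install -g snyk snyk-to-html @wcj/html-to-markdown-cli`) with `SNYK_TOKEN` exported into its environment, although `npm install` itself needs no token; any install-time script in whatever version of those packages is latest on the day would run with the secret in scope. Pin each package to an exact version, e.g. `run: ${CG_EXEC} npm install -g snyk@<version> snyk-to-html@<version> @wcj/html-to-markdown-cli@<version>`, and drop the `env:` block from this step so the token is only present on the two `snyk` invocations that use it. Separately, the `Check Snyk Files` step runs under `if: always()` and `cat`s both result files into the job log; on a public repository that publishes the full finding list, including issues suppressed via `.snyk`, so consider uploading them as a workflow artifact instead. The `build` job's earlier steps and the `test` job lie outside this hunk.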
@@ -0,0 +1,58 @@ +# SPDX-License-Identifier: Apache-2.0 +name: "Snyk Monitor" + +on: + push: + branches: + - main + workflow_dispatch: + +permissions: + contents: read + security-events: write + +jobs: + snyk: + name: Snyk Monitor + runs-on: hiero-client-sdk-linux-medium + steps: + - name: Harden Runner + uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4 + with: + egress-policy: audit + + - name: Checkout + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Setup Java + uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 + with: + distribution: temurin + java-version: 21 + + - name: Setup Gradle + uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0 + with: + gradle-version: wrapper + + - name: Compile + run: ./gradlew assemble + + - name: Disable Gradle Configuration Cache + run: sed -i 's/^org.gradle.configuration-cache=.*$/org.gradle.configuration-cache=false/' gradle.properties + + - name: Setup NodeJS + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 + with: + node-version: 20 + + - name: Setup Snyk + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: npm install -g snyk + + - name: Run Snyk Monitor + continue-on-error: true + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + run: snyk monitor --all-sub-projects --policy-path=.snyk --trust-policies From 80787234271a8ee93a8912f49ba60e0ddb4e907a Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 11:54:46 -0600 Subject: [PATCH 03/30] Set up node Signed-off-by: Roger Barker --- .github/workflows/build.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 64fc87eaa..abba61637 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
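Review bot: The job requests `security-events: write`, but no step in this file writes to GitHub code scanning — `snyk monitor` uploads to Snyk's own service — so `permissions: contents: read` alone is sufficient and the extra grant should be dropped. `snyk monitor --all-projects --policy-path=.snyk --trust-policies` also honours ignore rules shipped inside dependencies' own `.snyk` files, which lets a third party silence findings in this project's monitored snapshot, and `build.yml` does not pass that flag, so the PR gate and the monitor can disagree; remove `--trust-policies` unless that trust is intended and documented in a comment. With `continue-on-error: true` an expired token or failed upload still yields a green run, so monitoring can stop without anyone noticing; at minimum echo the failure into the step summary. The `Disable Gradle Configuration Cache` step runs `sed -i` on `gradle.properties`, which the `.gitignore` shown later in this series lists as ignored; if that file is absent in a fresh checkout the step errors, so guard it with a `[ -f gradle.properties ] &&` check.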
@@ -40,6 +40,11 @@ jobs: - name: Checkout Code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Setup NodeJS + uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 + with: + node-version: 20 + - name: Setup Java uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0 with: From 837fd1b5797691197f061f625623b7d622e01afe Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 14:11:45 -0600 Subject: [PATCH 04/30] Added .snyk file Signed-off-by: Roger Barker --- .snyk | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 .snyk diff --git a/.snyk b/.snyk new file mode 100644 index 000000000..87f71a11f --- /dev/null +++ b/.snyk @@ -0,0 +1,9 @@ +# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities. +version: v1.25.0 +# ignores vulnerabilities until expiry date; change duration by modifying expiry date +ignore: +patch: {} +exclude: + global: + - >- + sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java \ No newline at end of file From e4dcea05b278349cb274a0515257e40c7ca57a2e Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 14:14:48 -0600 Subject: [PATCH 05/30] Add known ignore files Signed-off-by: Roger Barker --- .snyk | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.snyk b/.snyk index 87f71a11f..f1cf55447 100644 --- a/.snyk +++ b/.snyk @@ -6,4 +6,8 @@ patch: {} exclude: global: - >- - sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java \ No newline at end of file + sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java + - >- + sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java + - >- + sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java \ No newline at end of file From df5b4092839edf846f23191b7184f56cbb58fac8 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 14:28:48 -0600 Subject: [PATCH 06/30] Update fetch-depth 
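Review bot: `ignore:` is written as a bare key, which a YAML parser reads as `null` rather than an empty mapping, unlike the explicit `patch: {}` on the next line; write `ignore: {}` so the file is consistent and valid for strict loaders. The `exclude.global` entry is a file-level exclusion, which removes `PrivateKeyECDSA.java` from every Snyk Code rule rather than from the one finding being suppressed; record which finding prompted it in a comment beside the entry so the exclusion can be revisited.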
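Review bot: `sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java` is added to `exclude.global` twice in this hunk; keep a single entry. The duplicate is probably harmless to Snyk, but it reads as if a different third path was intended, so confirm whether another file was meant.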
Signed-off-by: Roger Barker --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index abba61637..0cbd44c44 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -39,6 +39,8 @@ jobs: - name: Checkout Code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: '0' - name: Setup NodeJS uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 @@ -102,7 +104,7 @@ jobs: ) && !cancelled() }} - run: ${CG_EXEC} snyk code test --severity-threshold=high --json-file-output=snyk-code.json --org=hiero-client-sdks + run: ${CG_EXEC} snyk code test --severity-threshold=high --json-file-output=snyk-code.json --org=hiero-client-sdks --policy-path=.snyk - name: Publish Snyk Results if: >- From 04b6cc2a3c979e054d323730ef80a3abd45fbd82 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 15:04:40 -0600 Subject: [PATCH 07/30] Remove exclusions on snyk Signed-off-by: Roger Barker --- .snyk | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.snyk b/.snyk index f1cf55447..a6aa14cf6 100644 --- a/.snyk +++ b/.snyk @@ -4,10 +4,4 @@ version: v1.25.0 ignore: patch: {} exclude: - global: - - >- - sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java - - >- - sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java - - >- - sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java \ No newline at end of file + global: \ No newline at end of file From f5919ccf17a786c38f048a28f306051ca1c8e3b6 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 15:05:49 -0600 Subject: [PATCH 08/30] Intentionally break snyk-monitor so i can do the workflow dispatch Signed-off-by: Roger Barker --- .github/workflows/snyk-monitor.yml | 2 ++ 1 file changed, 2 insertions(+) 
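Review bot: `fetch-depth: '0'` makes checkout pull the complete history, and no step visible in this workflow (Gradle build, `snyk test`, `snyk code test`) reads git history, so the reason is not evident from the diff. If a Snyk feature requires it, say so above the option, e.g. `# full history required by <feature>`; otherwise keep the default shallow clone to shorten the job.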
diff --git a/.github/workflows/snyk-monitor.yml b/.github/workflows/snyk-monitor.yml index 60984f745..d8844c5d7 100644 --- a/.github/workflows/snyk-monitor.yml +++ b/.github/workflows/snyk-monitor.yml @@ -1,6 +1,8 @@ # SPDX-License-Identifier: Apache-2.0 name: "Snyk Monitor" +INTENTIONALLY BROKEN + on: push: branches: From ac06b8d05fcbd431724de89a0156b0fad90b68a2 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 15:06:38 -0600 Subject: [PATCH 09/30] fix snyk-monitor.yml Signed-off-by: Roger Barker --- .github/workflows/snyk-monitor.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/snyk-monitor.yml b/.github/workflows/snyk-monitor.yml index d8844c5d7..60984f745 100644 --- a/.github/workflows/snyk-monitor.yml +++ b/.github/workflows/snyk-monitor.yml @@ -1,8 +1,6 @@ # SPDX-License-Identifier: Apache-2.0 name: "Snyk Monitor" -INTENTIONALLY BROKEN - on: push: branches: From a567f88ae885677ec17c747bb1fd0c743ca4a7ba Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 15:16:49 -0600 Subject: [PATCH 10/30] Changed test flags on monitor and test Signed-off-by: Roger Barker --- .github/workflows/build.yml | 2 +- .github/workflows/snyk-monitor.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0cbd44c44..96f7c83b5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -89,7 +89,7 @@ jobs: ) && !cancelled() }} - run: ${CG_EXEC} snyk test --all-sub-projects --severity-threshold=high --policy-path=.snyk --json-file-output=snyk-test.json --org=hiero-client-sdks + run: ${CG_EXEC} snyk test --all-projects --severity-threshold=high --policy-path=.snyk --json-file-output=snyk-test.json --org=hiero-client-sdks - name: Snyk Code id: snyk-code diff --git a/.github/workflows/snyk-monitor.yml b/.github/workflows/snyk-monitor.yml index 60984f745..ee90953ad 100644 --- a/.github/workflows/snyk-monitor.yml 
+++ b/.github/workflows/snyk-monitor.yml @@ -55,4 +55,4 @@ jobs: continue-on-error: true env: SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} - run: snyk monitor --all-sub-projects --policy-path=.snyk --trust-policies + run: snyk monitor --all-projects --policy-path=.snyk --trust-policies From f755d6eaa536c4cb53323959b2758a9a4e51df15 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 15:30:17 -0600 Subject: [PATCH 11/30] Update .snyk Signed-off-by: Roger Barker --- .snyk | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.snyk b/.snyk index a6aa14cf6..26bda3c61 100644 --- a/.snyk +++ b/.snyk @@ -4,4 +4,8 @@ version: v1.25.0 ignore: patch: {} exclude: - global: \ No newline at end of file + global: + - >- + sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java + - >- + sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java \ No newline at end of file From 7236216a9a46c873b7b46577aa8b1b537cda38d9 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 15:36:43 -0600 Subject: [PATCH 12/30] Update grpc val to 1.70.0 to fix snyk issues Signed-off-by: Roger Barker --- hiero-dependency-versions/build.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hiero-dependency-versions/build.gradle.kts b/hiero-dependency-versions/build.gradle.kts index 2bba192c7..58f4db008 100644 --- a/hiero-dependency-versions/build.gradle.kts +++ b/hiero-dependency-versions/build.gradle.kts @@ -9,7 +9,7 @@ plugins { group = "org.hiero" val bouncycastle = "1.80" -val grpc = "1.69.1" +val grpc = "1.70.0" val protobuf = "4.29.3" val slf4j = "2.0.16" From 31a3aa7dbfa639973a7eff1e319fa53a1eab1ef7 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 15:38:46 -0600 Subject: [PATCH 13/30] Remove excludes in .snyk Signed-off-by: Roger Barker --- .snyk | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/.snyk b/.snyk index 26bda3c61..a6aa14cf6 100644 --- a/.snyk +++ b/.snyk 
@@ -4,8 +4,4 @@ version: v1.25.0 ignore: patch: {} exclude: - global: - - >- - sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java - - >- - sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java \ No newline at end of file + global: \ No newline at end of file From 6f2c1c73457b8f55c356ab312577c06a4f6b26f6 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Tue, 11 Feb 2025 16:13:36 -0600 Subject: [PATCH 14/30] Update grpc version to 1.70.0 except for grpc-netty-shaded. Signed-off-by: Roger Barker --- .github/workflows/build.yml | 2 +- hiero-dependency-versions/build.gradle.kts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 96f7c83b5..24c88af5c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -40,7 +40,7 @@ jobs: - name: Checkout Code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: - fetch-depth: '0' + fetch-depth: "0" - name: Setup NodeJS uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0 diff --git a/hiero-dependency-versions/build.gradle.kts b/hiero-dependency-versions/build.gradle.kts index 58f4db008..930a0bb83 100644 --- a/hiero-dependency-versions/build.gradle.kts +++ b/hiero-dependency-versions/build.gradle.kts @@ -27,7 +27,7 @@ dependencies.constraints { api("io.grpc:grpc-protobuf:$grpc") { because("io.grpc.protobuf") } api("io.grpc:grpc-stub:$grpc") { because("io.grpc.stub") } api("io.grpc:grpc-netty:$grpc") - api("io.grpc:grpc-netty-shaded:$grpc") + api("io.grpc:grpc-netty-shaded:1.69.1") // this should be io.grpc:grpc-netty-shaded:$grpc however 1.70.0 isn't linking properly from MC api("io.grpc:grpc-okhttp:$grpc") api("org.bouncycastle:bcpkix-jdk18on:$bouncycastle") { because("org.bouncycastle.pkix") } api("org.bouncycastle:bcprov-jdk18on:$bouncycastle") { because("org.bouncycastle.provider") } From 053c569de4f8d3381c232b344b5c771a8b3fc14f Mon Sep 17 00:00:00 2001 
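Review bot: The constraint block now pins `grpc-netty-shaded` to `1.69.1` while every other `io.grpc` artifact follows `$grpc` at `1.70.0`; gRPC's guidance is to keep all `io.grpc` artifacts on one version, and the shaded artifact appears to be the transport the SDK tests load at runtime (per the `runtimeOnly("io.grpc.netty.shaded")` line visible elsewhere in this series), so the bump described as a Snyk fix in an earlier commit would not reach the code path actually exercised. The inline comment should reference the concrete resolution failure or a tracking issue rather than "isn't linking properly from MC", so the pin has a removal criterion.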
From: Roger Barker Date: Tue, 11 Feb 2025 16:18:30 -0600 Subject: [PATCH 15/30] Reset grpc val to 1.69.1 temporarily Signed-off-by: Roger Barker --- hiero-dependency-versions/build.gradle.kts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hiero-dependency-versions/build.gradle.kts b/hiero-dependency-versions/build.gradle.kts index 930a0bb83..2bba192c7 100644 --- a/hiero-dependency-versions/build.gradle.kts +++ b/hiero-dependency-versions/build.gradle.kts @@ -9,7 +9,7 @@ plugins { group = "org.hiero" val bouncycastle = "1.80" -val grpc = "1.70.0" +val grpc = "1.69.1" val protobuf = "4.29.3" val slf4j = "2.0.16" @@ -27,7 +27,7 @@ dependencies.constraints { api("io.grpc:grpc-protobuf:$grpc") { because("io.grpc.protobuf") } api("io.grpc:grpc-stub:$grpc") { because("io.grpc.stub") } api("io.grpc:grpc-netty:$grpc") - api("io.grpc:grpc-netty-shaded:1.69.1") // this should be io.grpc:grpc-netty-shaded:$grpc however 1.70.0 isn't linking properly from MC + api("io.grpc:grpc-netty-shaded:$grpc") api("io.grpc:grpc-okhttp:$grpc") api("org.bouncycastle:bcpkix-jdk18on:$bouncycastle") { because("org.bouncycastle.pkix") } api("org.bouncycastle:bcprov-jdk18on:$bouncycastle") { because("org.bouncycastle.provider") } From 6746c60ca9ae9308d552ebc815e9ff92833d1fe2 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 01:39:13 -0600 Subject: [PATCH 16/30] Update grpc to 1.70.0 Signed-off-by: Roger Barker --- hiero-dependency-versions/build.gradle.kts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/hiero-dependency-versions/build.gradle.kts b/hiero-dependency-versions/build.gradle.kts index 2bba192c7..9ec9e1af4 100644 --- a/hiero-dependency-versions/build.gradle.kts +++ b/hiero-dependency-versions/build.gradle.kts 
@@ -9,11 +9,11 @@ plugins { group = "org.hiero" val bouncycastle = "1.80" -val grpc = "1.69.1" +val grpc = "1.70.0" val protobuf = "4.29.3" val slf4j = "2.0.16" -dependencies { api(platform("org.springframework.boot:spring-boot-dependencies:3.4.2")) } +dependencies {api(platform("org.springframework.boot:spring-boot-dependencies:3.4.2"))} dependencies.constraints { api("com.esaulpaugh:headlong:12.3.3") { because("com.esaulpaugh.headlong") } From 10dc3f389cd29cd1285a066e60fca5e2c1387635 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 08:01:22 -0600 Subject: [PATCH 17/30] Update hiero-gradle-conventions to 0.3.3 Signed-off-by: Roger Barker --- hiero-dependency-versions/build.gradle.kts | 2 +- settings.gradle.kts | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/hiero-dependency-versions/build.gradle.kts b/hiero-dependency-versions/build.gradle.kts index 9ec9e1af4..58f4db008 100644 --- a/hiero-dependency-versions/build.gradle.kts +++ b/hiero-dependency-versions/build.gradle.kts @@ -13,7 +13,7 @@ val grpc = "1.70.0" val protobuf = "4.29.3" val slf4j = "2.0.16" -dependencies {api(platform("org.springframework.boot:spring-boot-dependencies:3.4.2"))} +dependencies { api(platform("org.springframework.boot:spring-boot-dependencies:3.4.2")) } dependencies.constraints { api("com.esaulpaugh:headlong:12.3.3") { because("com.esaulpaugh.headlong") } diff --git a/settings.gradle.kts b/settings.gradle.kts index 6cbbcdcb3..f6acc7ff8 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -plugins { id("org.hiero.gradle.build") version "0.3.1" } +plugins { id("org.hiero.gradle.build") version "0.3.3" } rootProject.name = "hedera-sdk-java" From 142f5bc481671ba4e4945b42e47b5e77eed4415e Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 08:06:20 -0600 Subject: [PATCH 18/30] Update testModuleInfo in sdk/build.gradle.kts 
Signed-off-by: Roger Barker --- sdk/build.gradle.kts | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/sdk/build.gradle.kts b/sdk/build.gradle.kts index ced6ffc1c..e6002e640 100644 --- a/sdk/build.gradle.kts +++ b/sdk/build.gradle.kts @@ -30,8 +30,7 @@ testModuleInfo { requires("org.junit.jupiter.api") requires("org.junit.jupiter.params") requires("org.mockito") - - requiresStatic("java.annotation") + requires("java.annotation") runtimeOnly("io.grpc.netty.shaded") runtimeOnly("org.slf4j.simple") From cd8ad8f08336aebfa21b05c9dd786842b701d7b8 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 08:36:42 -0600 Subject: [PATCH 19/30] Add transitive dependency for io.netty Signed-off-by: Roger Barker --- hiero-dependency-versions/build.gradle.kts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hiero-dependency-versions/build.gradle.kts b/hiero-dependency-versions/build.gradle.kts index 58f4db008..53769e72d 100644 --- a/hiero-dependency-versions/build.gradle.kts +++ b/hiero-dependency-versions/build.gradle.kts @@ -13,7 +13,10 @@ val grpc = "1.70.0" val protobuf = "4.29.3" val slf4j = "2.0.16" -dependencies { api(platform("org.springframework.boot:spring-boot-dependencies:3.4.2")) } +dependencies { + api(platform("org.springframework.boot:spring-boot-dependencies:3.4.2")) + api(platform("io.netty:netty-bom:4.1.118.Final")) +} dependencies.constraints { api("com.esaulpaugh:headlong:12.3.3") { because("com.esaulpaugh.headlong") } From 1fde6bce13c9d40453db1a2d3c7c002f463dacdf Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 08:50:43 -0600 Subject: [PATCH 20/30] Add ignore for net-minidev Signed-off-by: Roger Barker --- .snyk | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.snyk b/.snyk index a6aa14cf6..f5062f479 100644 --- a/.snyk +++ b/.snyk 
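Review bot: Importing `io.netty:netty-bom:4.1.118.Final` only constrains artifacts in the `io.netty` group; `grpc-netty-shaded` bundles its own relocated copy of Netty, which this BOM cannot touch, so if the intent is to patch Netty on the transport the SDK uses at runtime, only the gRPC version (`val grpc = "1.70.0"`) does that. Add a comment above the BOM line stating which unshaded Netty dependency it is meant to pin, e.g. `// pins unshaded io.netty transitives; grpc-netty-shaded carries its own copy and follows $grpc`, so the next reviewer does not assume it covers the shaded path.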
@@ -2,6 +2,11 @@ version: v1.25.0 # ignores vulnerabilities until expiry date; change duration by modifying expiry date ignore: + SNYK-JAVA-NETMINIDEV-8689573: + - '*': + reason: No gRPC version with a fix is available + expires: 2025-06-30T00:00:00.000Z + created: 2025-02-12T14:49:55Z patch: {} exclude: global: \ No newline at end of file From 7af38c742fae1cb8f38294a679d159620e2efc8f Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 08:54:29 -0600 Subject: [PATCH 21/30] Adding reason for ignore Signed-off-by: Roger Barker --- .snyk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.snyk b/.snyk index f5062f479..9cfa27c85 100644 --- a/.snyk +++ b/.snyk @@ -4,7 +4,7 @@ version: v1.25.0 ignore: SNYK-JAVA-NETMINIDEV-8689573: - '*': - reason: No gRPC version with a fix is available + reason: No net-minidev version with a fix is available expires: 2025-06-30T00:00:00.000Z created: 2025-02-12T14:49:55Z patch: {} From 6d4e356f578e5ca64636131c606e1510a56c7023 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 08:55:28 -0600 Subject: [PATCH 22/30] Add non-commit files to .gitignore Signed-off-by: Roger Barker --- .gitignore | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.gitignore b/.gitignore index 22fa8f6f0..b292fe90f 100644 --- a/.gitignore +++ b/.gitignore @@ -18,3 +18,6 @@ gradle.properties .DS_Store /examples/address-book.proto.bin local.properties + +.dccache +snyk-test.json \ No newline at end of file From e2d6ab42f3363f8405b92913d24f69311afe0699 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 14:26:28 -0600 Subject: [PATCH 23/30] Add comments to PrivateKeyECDSA and PrivateKeyED25519 source files Signed-off-by: Roger Barker --- .snyk | 6 +++++- .../main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java | 3 +++ .../java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java | 3 +++ 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/.snyk b/.snyk index 9cfa27c85..afed15d29 100644 
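Review bot: The new ignore for `SNYK-JAVA-NETMINIDEV-8689573` uses the path `'*'`, so the issue is silenced on every dependency path, including any direct use added before the `2025-06-30` expiry. The `reason` does not say which dependency pulls `net.minidev` in or link the advisory, which is what whoever reviews the expiry will need; extend it to something like `reason: No fixed net.minidev release available; introduced via <dependency>, see <advisory URL>` and narrow the path to that dependency if Snyk reports one.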
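Review bot: The `.gitignore` additions cover `.dccache` and `snyk-test.json` but not the other files the PR workflow writes (`snyk-code.json`, `snyk-test.html`, `snyk-code.html` and the `snyk/` markdown directory), so a developer running the same commands locally can commit a Snyk Code report containing finding details and source paths. Replace the single entry with `snyk-*.json`, `snyk-*.html` and `snyk/`.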
--- a/.snyk +++ b/.snyk @@ -9,4 +9,8 @@ ignore: created: 2025-02-12T14:49:55Z patch: {} exclude: - global: \ No newline at end of file + global: + - >- + sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java + - >- + sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java \ No newline at end of file diff --git a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java index 383386475..be2f89a6f 100644 --- a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java +++ b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java @@ -158,6 +158,7 @@ public PrivateKey derive(int index) { var ki = keyData.add(new BigInteger(1, il)).mod(ECDSA_SECP256K1_CURVE.getN()); + // The hardcoded array data is required for compatibility with 24-word recovery phrases return new PrivateKeyECDSA(ki, new KeyParameter(ir)); } @@ -169,6 +170,7 @@ public PrivateKey derive(int index) { */ public static PrivateKey fromSeed(byte[] seed) { var hmacSha512 = new HMac(new SHA512Digest()); + // The hardcoded string 'Bitcoin seed' is required for compatibility with 24-word recovery phrases hmacSha512.init(new KeyParameter("Bitcoin seed".getBytes(StandardCharsets.UTF_8))); hmacSha512.update(seed, 0, seed.length); @@ -185,6 +187,7 @@ public static PrivateKey fromSeed(byte[] seed) { * @return the new key */ static PrivateKeyECDSA derivableKeyECDSA(byte[] deriveData) { + // The hardcoded array data is required for compatibility with 24-word recovery phrases var keyData = java.util.Arrays.copyOfRange(deriveData, 0, 32); var chainCode = new KeyParameter(deriveData, 32, 32); diff --git a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java index 7a5544818..27a93fd3f 100644 --- a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java +++ b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java 
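Review bot: Re-adding `PrivateKeyED25519.java` and `PrivateKeyECDSA.java` to `exclude.global` removes the SDK's key-derivation code from every Snyk Code rule, not just the hard-coded-value finding the accompanying Java comments explain; any future genuine issue in these files will also be silenced, with no expiry. Prefer a targeted entry under `ignore:` keyed by the specific finding id Snyk reports, with a `reason` and `expires` like the `net-minidev` entry above, and keep the file-level exclusion as a last resort.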
@@ -75,6 +75,8 @@ static PrivateKeyED25519 fromPrivateKeyInfoInternal(PrivateKeyInfo privateKeyInf */ public static PrivateKey fromSeed(byte[] seed) { var hmacSha512 = new HMac(new SHA512Digest()); + + // The hardcoded string 'ed25519 seed' is required for compatibility with 24-word recovery phrases hmacSha512.init(new KeyParameter("ed25519 seed".getBytes(StandardCharsets.UTF_8))); hmacSha512.update(seed, 0, seed.length); @@ -91,6 +93,7 @@ public static PrivateKey fromSeed(byte[] seed) { * @return the new key */ static PrivateKeyED25519 derivableKeyED25519(byte[] deriveData) { + // The hardcoded array data is required for compatibility with 24-word recovery phrases var keyData = Arrays.copyOfRange(deriveData, 0, 32); var chainCode = new KeyParameter(deriveData, 32, 32); From d3f5045c02a94477d4281ca3af2d8e8d37e0e01f Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 14:39:51 -0600 Subject: [PATCH 24/30] Update version of gradle used in examples Signed-off-by: Roger Barker --- examples/settings.gradle.kts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/settings.gradle.kts b/examples/settings.gradle.kts index 0780aa45e..2ded5afb6 100644 --- a/examples/settings.gradle.kts +++ b/examples/settings.gradle.kts @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -plugins { id("org.hiero.gradle.build") version "0.3.0" } +plugins { id("org.hiero.gradle.build") version "0.3.3" } @Suppress("UnstableApiUsage") dependencyResolutionManagement { repositories.mavenCentral() } From c6b26c5e54f99072ea2dca85010a1cee3843786a Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 15:23:12 -0600 Subject: [PATCH 25/30] Updating comment Signed-off-by: Roger Barker --- sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java | 1 - 1 file changed, 1 deletion(-) 
diff --git a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java index be2f89a6f..cbc841b4d 100644 --- a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java +++ b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java @@ -158,7 +158,6 @@ public PrivateKey derive(int index) { var ki = keyData.add(new BigInteger(1, il)).mod(ECDSA_SECP256K1_CURVE.getN()); - // The hardcoded array data is required for compatibility with 24-word recovery phrases return new PrivateKeyECDSA(ki, new KeyParameter(ir)); } From 6cae45662f4dbe50d2482f052683898ae6c1678d Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 16:26:53 -0600 Subject: [PATCH 26/30] Update the javadocs for derivableKey and fromSeed methods Signed-off-by: Roger Barker --- .../hedera/hashgraph/sdk/PrivateKeyECDSA.java | 25 ++++++++++++++++-- .../hashgraph/sdk/PrivateKeyED25519.java | 26 +++++++++++++++++-- 2 files changed, 47 insertions(+), 4 deletions(-) diff --git a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java index cbc841b4d..477e2fa41 100644 --- a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java +++ b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyECDSA.java 
@@ -163,13 +163,22 @@ public PrivateKey derive(int index) { /** * Create an ECDSA key from seed. + * Implement the published algorithm as defined in BIP32 in order to derive the primary account key from the + * original (and never stored) master key. + * The original master key, which is a secure key generated according to the BIP39 specification, is input to this + * operation, and provides the base cryptographic seed material required to ensure the output is sufficiently random + * to maintain strong cryptographic assurances. + * The fromSeed() method must be provided with cryptographically secure material; otherwise, it will produce + * insecure output. + * + * @see BIP-32 Definition + * @see BIP-39 Definition * * @param seed the seed bytes * @return the new key */ public static PrivateKey fromSeed(byte[] seed) { var hmacSha512 = new HMac(new SHA512Digest()); - // The hardcoded string 'Bitcoin seed' is required for compatibility with 24-word recovery phrases hmacSha512.init(new KeyParameter("Bitcoin seed".getBytes(StandardCharsets.UTF_8))); hmacSha512.update(seed, 0, seed.length); 
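Review bot: The new Javadoc inverts the direction of the operation: it says the method derives "the primary account key from the ... master key", but the body computes HMAC-SHA512 keyed with `"Bitcoin seed"` over `seed`, which is BIP32's derivation of the master (root) key from a seed, and BIP39 produces that seed from a mnemonic, not a master key. Reword the opening to `Derive the BIP32 master extended key from a seed (HMAC-SHA512 keyed with the fixed string "Bitcoin seed"); the seed is normally the BIP39 mnemonic-to-seed output and must be cryptographically strong.` and keep the warning about insecure input. The `@see BIP-32 Definition` and `@see BIP-39 Definition` tags carry no link target as shown here; if the `<a href>` was lost in extraction ignore this, otherwise add the specification URLs.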
@@ -181,12 +190,24 @@ public static PrivateKey fromSeed(byte[] seed) { /** * Create a derived key. + * The industry standard protocol for deriving an active ECDSA keypair from a BIP39 master key is described in + * BIP32. By using this deterministic mechanism to derive cryptographically secure keypairs from a single original + * secret, the user maintains secure access to their wallet, even if they lose access to a particular system or + * wallet local data store. + * The active keypair can always be re-derived from the original master key. + * The use of the fixed "key" values in this code is defined by this deterministic protocol, and this data is mixed, + * in a deterministic but cryptographically secure manner, with the original master key and/or other derived keys + * "higher" in the tree to produce a cryptographically secure derived key. + * This "Key Derivation Function" makes use of secure hash algorithm and a secure hash based message authentication + * code to produce an initialization vector, and then produces the actual key from a portion of that vector. + * + * @see BIP-32 Definition + * @see BIP-39 Definition * * @param deriveData data to derive the key * @return the new key */ static PrivateKeyECDSA derivableKeyECDSA(byte[] deriveData) { - // The hardcoded array data is required for compatibility with 24-word recovery phrases var keyData = java.util.Arrays.copyOfRange(deriveData, 0, 32); var chainCode = new KeyParameter(deriveData, 32, 32); diff --git a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java index 27a93fd3f..30c490a8a 100644 --- a/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java +++ b/sdk/src/main/java/com/hedera/hashgraph/sdk/PrivateKeyED25519.java 
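Review bot: The Javadoc describes the HMAC output as an "initialization vector" from which "a portion" becomes the key, but the method splits a 64-byte `deriveData` into 32 bytes of private scalar (`copyOfRange(deriveData, 0, 32)`) and a 32-byte chain code (`new KeyParameter(deriveData, 32, 32)`), which BIP32 calls I_L and I_R; no IV is involved, and the misnomer will confuse anyone auditing the derivation. It also refers to "the fixed \"key\" values in this code", yet this method contains none (the fixed HMAC key lives in `fromSeed`), so that sentence belongs there. Replace the last paragraph with `Splits the 64-byte BIP32 intermediate value into the private key (left 32 bytes) and the chain code (right 32 bytes).`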
@@ -69,6 +69,16 @@ static PrivateKeyED25519 fromPrivateKeyInfoInternal(PrivateKeyInfo privateKeyInf /** * Create an ED25519 key from seed. + * Implement the published algorithm as defined in BIP32 in order to derive the primary account key from the + * original (and never stored) master key. + * The original master key, which is a secure key generated according to the BIP39 specification, is input to this + * operation, and provides the base cryptographic seed material required to ensure the output is sufficiently random + * to maintain strong cryptographic assurances. + * The fromSeed() method must be provided with cryptographically secure material; otherwise, it will produce + * insecure output. + * + * @see BIP-32 Definition + * @see BIP-39 Definition * * @param seed the seed bytes * @return the new key @@ -76,7 +86,6 @@ static PrivateKeyED25519 fromPrivateKeyInfoInternal(PrivateKeyInfo privateKeyInf public static PrivateKey fromSeed(byte[] seed) { var hmacSha512 = new HMac(new SHA512Digest()); - // The hardcoded string 'ed25519 seed' is required for compatibility with 24-word recovery phrases hmacSha512.init(new KeyParameter("ed25519 seed".getBytes(StandardCharsets.UTF_8))); hmacSha512.update(seed, 0, seed.length); 
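Review bot: This Javadoc states the algorithm is "as defined in BIP32", but BIP32 specifies secp256k1 only; master-key derivation with the HMAC key `"ed25519 seed"` used on the line below is the SLIP-0010 scheme for ed25519, so the paragraph and the `@see BIP-32 Definition` tag should cite SLIP-0010 instead. As in the ECDSA class, the text also has the direction backwards: the method produces the master key from a seed (typically the BIP39 mnemonic-to-seed output); it does not consume a master key. A one-line replacement: `Derive the SLIP-0010 ed25519 master key from a seed (HMAC-SHA512 keyed with the fixed string "ed25519 seed"); the seed must be cryptographically strong.`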
@@ -88,12 +97,25 @@ public static PrivateKey fromSeed(byte[] seed) { /** * Create a derived key. + * The industry standard protocol for deriving an active ed25519 keypair from a BIP39 master key is described in + * BIP32. By using this deterministic mechanism to derive cryptographically secure keypairs from a single original + * secret, the user maintains secure access to their wallet, even if they lose access to a particular system or + * wallet local data store. + * The active keypair can always be re-derived from the original master key. + * The use of the fixed "key" values in this code is defined by this deterministic protocol, and this data is mixed, + * in a deterministic but cryptographically secure manner, with the original master key and/or other derived keys + * "higher" in the tree to produce a cryptographically secure derived key. + * This "Key Derivation Function" makes use of secure hash algorithm and a secure hash + * based message authentication code to produce an initialization vector, and then + * produces the actual key from a portion of that vector. + * + * @see BIP-32 Definition + * @see BIP-39 Definition * * @param deriveData data to derive the key * @return the new key */ static PrivateKeyED25519 derivableKeyED25519(byte[] deriveData) { - // The hardcoded array data is required for compatibility with 24-word recovery phrases var keyData = Arrays.copyOfRange(deriveData, 0, 32); var chainCode = new KeyParameter(deriveData, 32, 32); From e60e1384883db84ea9171e03afed2f26e68a6599 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Wed, 12 Feb 2025 23:43:08 -0600 Subject: [PATCH 27/30] empty-commit Signed-off-by: Roger Barker From 91e91d6ea6bbdf9402071d34c5ce09d9d37913a4 Mon Sep 17 00:00:00 2001 From: Roger Barker Date: Thu, 13 Feb 2025 02:25:55 -0600 Subject: [PATCH 28/30] Push update to hiero-gradle-conventions per PR feedback 
Signed-off-by: Roger Barker
---
 examples/settings.gradle.kts | 2 +-
 settings.gradle.kts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/settings.gradle.kts b/examples/settings.gradle.kts
index 2ded5afb6..cfe4004c2 100644
--- a/examples/settings.gradle.kts
+++ b/examples/settings.gradle.kts
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-plugins { id("org.hiero.gradle.build") version "0.3.3" }
+plugins { id("org.hiero.gradle.build") version "0.3.4" }
 @Suppress("UnstableApiUsage")
 dependencyResolutionManagement { repositories.mavenCentral() }
diff --git a/settings.gradle.kts b/settings.gradle.kts
index f6acc7ff8..0523c1d0f 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: Apache-2.0
-plugins { id("org.hiero.gradle.build") version "0.3.3" }
+plugins { id("org.hiero.gradle.build") version "0.3.4" }
 rootProject.name = "hedera-sdk-java"
From df2139ebb3b8e74121cb81a4f5cc2640a4471fcf Mon Sep 17 00:00:00 2001
From: Roger Barker
Date: Thu, 13 Feb 2025 02:29:22 -0600
Subject: [PATCH 29/30] Update java version in snyk and set node version to 18
Signed-off-by: Roger Barker
---
 .github/workflows/build.yml | 2 +-
 .github/workflows/snyk-monitor.yml | 4 ++--
 sdk/build.gradle.kts | 1 -
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 24c88af5c..b2ab6fb6c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -45,7 +45,7 @@ jobs:
 - name: Setup NodeJS
 uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
 with:
- node-version: 20
+ node-version: 18
 - name: Setup Java
 uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
diff --git a/.github/workflows/snyk-monitor.yml b/.github/workflows/snyk-monitor.yml
index ee90953ad..846bb06f0 100644
--- a/.github/workflows/snyk-monitor.yml
+++ b/.github/workflows/snyk-monitor.yml
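Review bot: The `node-version: 18` pin in build.yml's Setup NodeJS step moves the job from Node 20 to an older release without recording why; Node 18 is in its final maintenance phase and reaches end-of-life on 2025-04-30, so — since this runtime presumably runs the npm-installed Snyk CLI used later in the workflow — the downgrade deserves a why-comment and a revisit marker, e.g. `node-version: "18"  # <reason 20 was unsuitable>; revisit before Node 18 EOL (2025-04-30)`. Quoting the value also keeps it a string rather than a YAML integer, which is the safer form for version pins. The identical change to snyk-monitor.yml in the next hunk should carry the same comment.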
@@ -28,7 +28,7 @@ jobs:
 uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
 with:
 distribution: temurin
- java-version: 21
+ java-version: "17.0.13"
 - name: Setup Gradle
 uses: gradle/actions/setup-gradle@94baf225fe0a508e581a564467443d0e2379123b # v4.3.0
@@ -44,7 +44,7 @@ jobs:
 - name: Setup NodeJS
 uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
 with:
- node-version: 20
+ node-version: 18
 - name: Setup Snyk
 env:
diff --git a/sdk/build.gradle.kts b/sdk/build.gradle.kts
index e6002e640..bd93e342b 100644
--- a/sdk/build.gradle.kts
+++ b/sdk/build.gradle.kts
@@ -30,7 +30,6 @@ testModuleInfo {
 requires("org.junit.jupiter.api")
 requires("org.junit.jupiter.params")
 requires("org.mockito")
- requires("java.annotation")
 runtimeOnly("io.grpc.netty.shaded")
 runtimeOnly("org.slf4j.simple")
From c1f4df77c9f15e1e0403befb16a261e55819b442 Mon Sep 17 00:00:00 2001
From: Roger Barker
Date: Thu, 13 Feb 2025 02:35:33 -0600
Subject: [PATCH 30/30] Move disable gradle config cache so it occurs before gradle assemble
Signed-off-by: Roger Barker
---
 .github/workflows/snyk-monitor.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/snyk-monitor.yml b/.github/workflows/snyk-monitor.yml
index 846bb06f0..7a2f41ff6 100644
--- a/.github/workflows/snyk-monitor.yml
+++ b/.github/workflows/snyk-monitor.yml
@@ -35,12 +35,12 @@ jobs:
 with:
 gradle-version: wrapper
- - name: Compile
- run: ./gradlew assemble
-
 - name: Disable Gradle Configuration Cache
 run: sed -i 's/^org.gradle.configuration-cache=.*$/org.gradle.configuration-cache=false/' gradle.properties
+ - name: Compile
+ run: ./gradlew assemble
+
 - name: Setup NodeJS
 uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
 with:
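Review bot: `java-version: "17.0.13"` pins the Snyk monitor job to a single JDK patch release, so later 17.0.x security fixes will not be picked up until someone edits the workflow, and the hunk gives no reason the previous value of 21 stopped working. If the goal is to satisfy a Gradle toolchain requirement, `java-version: "17"` keeps the major fixed while letting setup-java resolve the newest patch; if the exact patch is genuinely required, keep it but add `# pinned: <reason>` beside it. Note also that build.yml in this same commit only changes the Node version, so if the PR build still runs on a different JDK, the dependency graph Snyk monitors may be resolved under a different toolchain than the one the PR checks use — I cannot confirm that from this hunk.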
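Review bot: The reordered Disable Gradle Configuration Cache step only takes effect if gradle.properties already contains an `org.gradle.configuration-cache=` line: `sed -i 's/^org.gradle.configuration-cache=.*$/.../'` is a pure substitution, so if the key is absent or commented out the step still exits 0 and the following Compile runs with the cache enabled. For the Compile step itself the command-line flag does not depend on file contents: `run: ./gradlew assemble --no-configuration-cache`. If the file edit is also meant to cover any Gradle invocations Snyk presumably performs later in the job, keep it but make it fail when nothing matched, e.g. by first checking `grep -q '^org.gradle.configuration-cache=' gradle.properties`.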