GitHub workflows update (#100)

* upgrade github workflows to sbf, and make the checks pass * second try to make checks pass * third try to fix checks, add draft sec3 audits * fix token-haver get_space() * recommit to run sec3 audit
solana-labs · Jul 31, 2024 · 1fa5a4a · 1fa5a4a
1 parent 475c13a
commit 1fa5a4a
Show file tree

Hide file tree

Showing 22 changed files with 98 additions and 118 deletions.
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -2,7 +2,12 @@
 # RUSTSEC-2020-0071 as dependency in RUSTSEC-2020-0159
 
 [advisories]
-ignore = ["RUSTSEC-2020-0159", "RUSTSEC-2020-0071"] # advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+ignore = [
+    "RUSTSEC-2020-0159",
+    "RUSTSEC-2020-0071",  # Potential segfault in the time crate
+    "RUSTSEC-2022-0093",
+    "RUSTSEC-2024-0344"   # curve25519-dalek
+]
 informational_warnings = ["unmaintained"] # warn for categories of informational advisories
 severity_threshold = "medium" # CVSS severity ("none", "low", "medium", "high", "critical")
 

diff --git a/.github/workflows/audit-sec3.yml b/.github/workflows/audit-sec3.yml
@@ -0,0 +1,27 @@
+name: Sec3 Pro Audit
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Check-out the repository
+        uses: actions/checkout@v2
+      - name: Sec3 Pro Audit
+        continue-on-error: false    # set to true if you don't want to fail jobs
+        uses: sec3dev/pro-action@v1
+        with:
+          sec3-token: ${{ secrets.SEC3_TOKEN }}
+          path: programs
+      - name: Upload Sarif Report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: sec3-report.sarif
diff --git a/.github/workflows/audit.yml b/.github/workflows/audit.yml
diff --git a/.github/workflows/lint-test.yaml b/.github/workflows/lint-test.yaml
@@ -33,7 +33,7 @@ jobs:
         run: cargo fmt -- --check
 
       - name: Run clippy
-        run: cargo clippy -- --deny=warnings
+        run: cargo clippy -- -A clippy::pedantic --deny=warnings
 
   test:
     name: Run Tests
@@ -71,13 +71,13 @@ jobs:
           echo Generating keypair...
           solana-keygen new -o "$HOME/.config/solana/id.json" --no-passphrase --silent
 
-      - name: Install BPF tools
-        # Note: as a workaround for cargo build-bpf issue run it and ignore errors to install the BPF tools
+      - name: Install SBF tools
+        # Note: as a workaround for cargo build-sbf issue run it and ignore errors to install the sbf tools
         # https://github.com/solana-labs/solana/issues/26583
-        run: cargo build-bpf || true
+        run: cargo build-sbf || true
 
       - name: Build dependencies
-        run: cargo +bpf build-bpf
+        run: cargo build-sbf
 
-      - name: Run bpf tests
-        run: cargo +bpf test-bpf
+      - name: Run sbf tests
+        run: cargo test-sbf
diff --git a/README.md b/README.md
@@ -1,2 +1 @@
-# governance-program-library
-
+# governance-program-library
diff --git a/programs/gateway/src/instructions/configure_registrar.rs b/programs/gateway/src/instructions/configure_registrar.rs
@@ -17,6 +17,7 @@ pub struct ConfigureRegistrar<'info> {
     /// Realm is validated in the instruction:
     /// - Realm is owned by the governance_program_id
     /// - realm_authority is realm.authority
+    ///
     /// CHECK: Owned by spl-governance instance specified in governance_program_id
     #[account(
         address = registrar.realm @ GatewayError::InvalidRealmForRegistrar,
@@ -50,7 +51,7 @@ pub fn configure_registrar(
     registrar.previous_voter_weight_plugin_program_id = use_previous_voter_weight_plugin
         .then(|| {
             remaining_accounts
-                .get(0)
+                .first()
                 .ok_or(GatewayError::MissingPreviousVoterWeightPlugin)
                 .map(|account| account.key)
         })

diff --git a/programs/gateway/src/instructions/create_registrar.rs b/programs/gateway/src/instructions/create_registrar.rs
@@ -31,6 +31,7 @@ pub struct CreateRegistrar<'info> {
     /// - Realm is owned by the governance_program_id
     /// - governing_token_mint must be the community or council mint
     /// - realm_authority is realm.authority
+    ///
     /// CHECK: Owned by spl-governance instance specified in governance_program_id
     #[account(owner = governance_program_id.key())]
     pub realm: UncheckedAccount<'info>,
@@ -76,7 +77,7 @@ pub fn create_registrar(
     registrar.previous_voter_weight_plugin_program_id = use_previous_voter_weight_plugin
         .then(|| {
             remaining_accounts
-                .get(0)
+                .first()
                 .ok_or(GatewayError::MissingPreviousVoterWeightPlugin)
                 .map(|account| account.key)
         })

diff --git a/programs/gateway/src/state/mod.rs b/programs/gateway/src/state/mod.rs
@@ -7,5 +7,4 @@ pub mod voter_weight_record;
 pub use generic_voter_weight::*;
 pub mod generic_voter_weight;
 
-pub use token_owner_record::*;
 pub mod token_owner_record;
diff --git a/programs/gateway/tests/fixtures/solana_gateway_program.so b/programs/gateway/tests/fixtures/solana_gateway_program.so
diff --git a/programs/nft-voter/src/instructions/cast_nft_vote.rs b/programs/nft-voter/src/instructions/cast_nft_vote.rs
@@ -50,8 +50,8 @@ pub struct CastNftVote<'info> {
 }
 
 /// Casts vote with the NFT
-pub fn cast_nft_vote<'a, 'b, 'c, 'info>(
-    ctx: Context<'a, 'b, 'c, 'info, CastNftVote<'info>>,
+pub fn cast_nft_vote<'info>(
+    ctx: Context<'_, '_, '_, 'info, CastNftVote<'info>>,
     proposal: Pubkey,
 ) -> Result<()> {
     let registrar = &ctx.accounts.registrar;
@@ -82,7 +82,7 @@ pub fn cast_nft_vote<'a, 'b, 'c, 'info>(
             &mut unique_nft_mints,
         )?;
 
-        voter_weight = voter_weight.checked_add(nft_vote_weight as u64).unwrap();
+        voter_weight = voter_weight.checked_add(nft_vote_weight).unwrap();
 
         // Create NFT vote record to ensure the same NFT hasn't been already used for voting
         // Note: The correct PDA of the NftVoteRecord is validated in create_and_serialize_account_signed

diff --git a/programs/nft-voter/src/instructions/create_registrar.rs b/programs/nft-voter/src/instructions/create_registrar.rs
@@ -31,6 +31,7 @@ pub struct CreateRegistrar<'info> {
     /// - Realm is owned by the governance_program_id
     /// - governing_token_mint must be the community or council mint
     /// - realm_authority is realm.authority
+    ///
     /// CHECK: Owned by spl-governance instance specified in governance_program_id
     #[account(owner = governance_program_id.key())]
     pub realm: UncheckedAccount<'info>,

diff --git a/programs/nft-voter/src/instructions/update_voter_weight_record.rs b/programs/nft-voter/src/instructions/update_voter_weight_record.rs
@@ -58,7 +58,7 @@ pub fn update_voter_weight_record(
             &mut unique_nft_mints,
         )?;
 
-        voter_weight = voter_weight.checked_add(nft_vote_weight as u64).unwrap();
+        voter_weight = voter_weight.checked_add(nft_vote_weight).unwrap();
     }
 
     let voter_weight_record = &mut ctx.accounts.voter_weight_record;

diff --git a/programs/nft-voter/src/lib.rs b/programs/nft-voter/src/lib.rs
@@ -54,8 +54,8 @@ pub mod nft_voter {
         instructions::configure_collection(ctx, weight, size)
     }
 
-    pub fn cast_nft_vote<'a, 'b, 'c, 'info>(
-        ctx: Context<'a, 'b, 'c, 'info, CastNftVote<'info>>,
+    pub fn cast_nft_vote<'info>(
+        ctx: Context<'_, '_, '_, 'info, CastNftVote<'info>>,
         proposal: Pubkey,
     ) -> Result<()> {
         log_version();

diff --git a/programs/nft-voter/src/tools/token_metadata.rs b/programs/nft-voter/src/tools/token_metadata.rs
@@ -9,7 +9,7 @@ pub fn get_token_metadata(account_info: &AccountInfo) -> Result<Metadata> {
     if *account_info.owner != mpl_token_metadata::ID {
         return Err(NftVoterError::InvalidAccountOwner.into());
     }
-    
+
     let metadata = Metadata::try_from(account_info)?;
 
     // I'm not sure if this is needed but try_from_slice_checked in from_account_info

diff --git a/programs/nft-voter/tests/program_test/token_metadata_test.rs b/programs/nft-voter/tests/program_test/token_metadata_test.rs
@@ -95,15 +95,16 @@ impl TokenMetadataTest {
         };
 
         // instruction accounts
-        let create_coll_metadata_ix_accounts = mpl_token_metadata::instructions::CreateMetadataAccountV3 {
-            metadata: coll_metadata_key,
-            mint: coll_mint_cookie.address,
-            mint_authority: coll_mint_cookie.mint_authority.pubkey(),
-            payer: payer,
-            update_authority: (payer, true),
-            system_program: system_program::ID,
-            rent: None,
-        };
+        let create_coll_metadata_ix_accounts =
+            mpl_token_metadata::instructions::CreateMetadataAccountV3 {
+                metadata: coll_metadata_key,
+                mint: coll_mint_cookie.address,
+                mint_authority: coll_mint_cookie.mint_authority.pubkey(),
+                payer: payer,
+                update_authority: (payer, true),
+                system_program: system_program::ID,
+                rent: None,
+            };
 
         // creates the instruction
         let create_coll_metadata_ix = create_coll_metadata_ix_accounts.instruction(args);
@@ -124,26 +125,28 @@ impl TokenMetadataTest {
         let (master_edition_key, _) =
             Pubkey::find_program_address(master_edition_seeds, &self.program_id);
 
-
         // instruction args
-        let args_master_edition_v3 = mpl_token_metadata::instructions::CreateMasterEditionV3InstructionArgs {
-            max_supply: Some(0),
-        };
+        let args_master_edition_v3 =
+            mpl_token_metadata::instructions::CreateMasterEditionV3InstructionArgs {
+                max_supply: Some(0),
+            };
 
         // instruction accounts
-        let create_master_edition_v3_ix_accounts = mpl_token_metadata::instructions::CreateMasterEditionV3 {
-            edition: master_edition_key,
-            metadata: coll_metadata_key,
-            mint: coll_mint_cookie.address,
-            mint_authority: coll_mint_cookie.mint_authority.pubkey(),
-            payer: payer,
-            update_authority: payer,
-            system_program: system_program::ID,
-            token_program: spl_token::id(),
-            rent: None,
-        };
+        let create_master_edition_v3_ix_accounts =
+            mpl_token_metadata::instructions::CreateMasterEditionV3 {
+                edition: master_edition_key,
+                metadata: coll_metadata_key,
+                mint: coll_mint_cookie.address,
+                mint_authority: coll_mint_cookie.mint_authority.pubkey(),
+                payer: payer,
+                update_authority: payer,
+                system_program: system_program::ID,
+                token_program: spl_token::id(),
+                rent: None,
+            };
 
-        let create_master_edition_ix = create_master_edition_v3_ix_accounts.instruction(args_master_edition_v3);
+        let create_master_edition_ix =
+            create_master_edition_v3_ix_accounts.instruction(args_master_edition_v3);
 
         self.bench
             .process_transaction(
@@ -210,15 +213,16 @@ impl TokenMetadataTest {
         };
 
         // instruction accounts
-        let create_metadata_ix_accounts = mpl_token_metadata::instructions::CreateMetadataAccountV3 {
-            metadata: metadata_key,
-            mint: mint_cookie.address,
-            mint_authority: mint_cookie.mint_authority.pubkey(),
-            payer: self.bench.payer.pubkey(),
-            update_authority: (self.bench.payer.pubkey(), true),
-            system_program: system_program::ID,
-            rent: None,
-        };
+        let create_metadata_ix_accounts =
+            mpl_token_metadata::instructions::CreateMetadataAccountV3 {
+                metadata: metadata_key,
+                mint: mint_cookie.address,
+                mint_authority: mint_cookie.mint_authority.pubkey(),
+                payer: self.bench.payer.pubkey(),
+                update_authority: (self.bench.payer.pubkey(), true),
+                system_program: system_program::ID,
+                rent: None,
+            };
 
         // creates the instruction
         let create_metadata_ix = create_metadata_ix_accounts.instruction(args);

diff --git a/programs/realm-voter/src/instructions/configure_governance_program.rs b/programs/realm-voter/src/instructions/configure_governance_program.rs
@@ -8,7 +8,7 @@ use anchor_lang::prelude::*;
 use spl_governance::state::realm;
 
 use crate::error::RealmVoterError;
-use crate::state::{GovernanceProgramConfig, Registrar, CollectionItemChangeType};
+use crate::state::{CollectionItemChangeType, GovernanceProgramConfig, Registrar};
 
 /// Creates or updates configuration for spl-governance program instances to define which spl-governance instances can be used to grant governance power
 #[derive(Accounts)]

diff --git a/programs/realm-voter/src/instructions/create_registrar.rs b/programs/realm-voter/src/instructions/create_registrar.rs
@@ -31,6 +31,7 @@ pub struct CreateRegistrar<'info> {
     /// - Realm is owned by the governance_program_id
     /// - governing_token_mint must be the community or council mint
     /// - realm_authority is realm.authority
+    ///
     /// CHECK: Owned by spl-governance instance specified in governance_program_id
     #[account(owner = governance_program_id.key())]
     pub realm: UncheckedAccount<'info>,

diff --git a/programs/realm-voter/src/state/registrar.rs b/programs/realm-voter/src/state/registrar.rs
@@ -11,7 +11,6 @@ pub enum CollectionItemChangeType {
     Remove,
 }
 
-
 /// Registrar which stores spl-governance configurations for the given Realm
 #[account]
 #[derive(Debug, PartialEq)]

diff --git a/programs/token-haver/src/instructions/create_registrar.rs b/programs/token-haver/src/instructions/create_registrar.rs
@@ -31,6 +31,7 @@ pub struct CreateRegistrar<'info> {
     /// - Realm is owned by the governance_program_id
     /// - governing_token_mint must be the community or council mint
     /// - realm_authority is realm.authority
+    ///
     /// CHECK: Owned by spl-governance instance specified in governance_program_id
     #[account(owner = governance_program_id.key())]
     pub realm: UncheckedAccount<'info>,

diff --git a/programs/token-haver/src/instructions/update_voter_weight_record.rs b/programs/token-haver/src/instructions/update_voter_weight_record.rs
@@ -44,7 +44,7 @@ pub fn update_voter_weight_record<'info>(
             voter_weight_record.governing_token_owner,
             TokenHaverError::TokenAccountWrongOwner
         );
-        
+
         // Throw an error if a token account's mint is not unique amount the accounts
         require!(
             nonzero_token_accounts

diff --git a/programs/token-haver/src/lib.rs b/programs/token-haver/src/lib.rs
@@ -28,7 +28,8 @@ pub mod token_haver {
         instructions::create_voter_weight_record(ctx, governing_token_owner)
     }
     pub fn update_voter_weight_record<'info>(
-        ctx: Context<'_, '_, 'info, 'info, UpdateVoterWeightRecord<'info>>,) -> Result<()> {
+        ctx: Context<'_, '_, 'info, 'info, UpdateVoterWeightRecord<'info>>,
+    ) -> Result<()> {
         log_version();
         instructions::update_voter_weight_record(ctx)
     }

diff --git a/programs/token-haver/src/state/registrar.rs b/programs/token-haver/src/state/registrar.rs
@@ -33,7 +33,7 @@ pub struct Registrar {
 
 impl Registrar {
     pub fn get_space(max_mints: u8) -> usize {
-        DISCRIMINATOR_SIZE + PUBKEY_BYTES * 3 + max_mints as usize * (PUBKEY_BYTES + 8)
+        DISCRIMINATOR_SIZE + PUBKEY_BYTES * 3 + 4 + max_mints as usize * PUBKEY_BYTES
     }
 }