diff --git a/.github/workflows/gosec.yml b/.github/workflows/gosec.yml new file mode 100644 index 000000000..dfd2cb529 --- /dev/null +++ b/.github/workflows/gosec.yml @@ -0,0 +1,51 @@ +name: gosec + +on: + push: + branches: + - main + - develop + pull_request: + branches: + - master + - develop +jobs: + gosec: + name: gosec + strategy: + matrix: + go-version: [1.18.x] + os: [ubuntu-latest] + runs-on: ${{ matrix.os }} + env: + GOPRIVATE: github.com/bnb-chain + GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_SECRET }} + steps: + - uses: actions/setup-go@v3 + with: + go-version: ${{ matrix.go-version }} + - uses: actions/checkout@v3 + - name: Setup GitHub Token + run: git config --global url.https://$GH_ACCESS_TOKEN@github.com/.insteadOf https://github.com/ + - uses: actions/cache@v3 + with: + # In order: + # * Module download cache + # * Build cache (Linux) + # * Build cache (Mac) + # * Build cache (Windows) + path: | + ~/go/pkg/mod + ~/.cache/go-build + ~/Library/Caches/go-build + %LocalAppData%\go-build + key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} + restore-keys: | + ${{ runner.os }}-go- + - run: | + go mod tidy + go mod download + - name: Run Gosec Security Scanner + uses: securego/gosec@master + with: + args: -quiet -confidence high -severity high ./... \ No newline at end of file diff --git a/README.md b/README.md index 56eae4ba9..aacf6a073 100644 --- a/README.md +++ b/README.md 
@@ -1,21 +1,7 @@ -# Tendermint - -![banner](docs/tendermint-core-image.jpg) - -[Byzantine-Fault Tolerant][bft] [State Machine Replication][smr]. Or -[Blockchain], for short. - -[![Version][version-badge]][version-url] -[![API Reference][api-badge]][api-url] -[![Go version][go-badge]][go-url] -[![Discord chat][discord-badge]][discord-url] -[![License][license-badge]][license-url] -[![Sourcegraph][sg-badge]][sg-url] - -| Branch | Tests | Linting | -|--------|------------------------------------|---------------------------------| -| main | [![Tests][tests-badge]][tests-url] | [![Lint][lint-badge]][lint-url] | +# Greenfield Tendermint +Greenfield Tendermint, forked from [tendermint](https://github.com/tendermint/tendermint), +is the consensus layer of Greenfield blockchain. Tendermint Core is a Byzantine Fault Tolerant (BFT) middleware that takes a state transition machine - written in any programming language - and securely replicates it on many machines. 
@@ -26,36 +12,20 @@ For detailed analysis of the consensus protocol, including safety and liveness proofs, read our paper, "[The latest gossip on BFT consensus](https://arxiv.org/abs/1807.04938)". -## Documentation - -Complete documentation can be found on the -[website](https://docs.tendermint.com/). - -## Releases - -Please do not depend on `main` as your production branch. Use -[releases](https://github.com/tendermint/tendermint/releases) instead. - -Tendermint has been in the production of private and public environments, most -notably the blockchains of the Cosmos Network. we haven't released v1.0 yet -since we are making breaking changes to the protocol and the APIs. See below for -more details about [versioning](#versioning). - -In any case, if you intend to run Tendermint in production, we're happy to help. -You can contact us [over email](mailto:hello@interchain.io) or [join the -chat](https://discord.gg/cosmosnetwork). - -More on how releases are conducted can be found [here](./RELEASES.md). +## Disclaimer +**The software and related documentation are under active development, all subject to potential future change without +notification and not ready for production use. The code and security audit have not been fully completed and not ready +for any bug bounty. We advise you to be careful and experiment on the network at your own risk. Stay safe out there.** -## Security +## Key features -To report a security vulnerability, see our [bug bounty -program](https://hackerone.com/cosmos). For examples of the kinds of bugs we're -looking for, see [our security policy](SECURITY.md). +We implement several key features based on the Tendermint fork: -We also maintain a dedicated mailing list for security updates. We will only -ever use this mailing list to notify you of vulnerabilities and fixes in -Tendermint Core. You can subscribe [here](http://eepurl.com/gZ5hQD). +* Vote Pool. Vote pool is used to collect votes from different validators for off-chain consensus. 
+Currently, it is mainly used for cross chain and data availability challenge in Greenfield blockchain. +* RANDAO. RANDAO is introduced for on-chain randomness. Overall, the idea is very similar to the RANDAO +in Ethereum beacon chain, you can refer to [here](https://eth2book.info/altair/part2/building_blocks/randomness) +for more information. It has some limitations, please use it with caution. ## Minimum requirements 
@@ -84,39 +54,6 @@ yourself with our [Architectural Decision Records (ADRs)](./docs/architecture/README.md) and [Request For Comments (RFCs)](./docs/rfc/README.md). -## Versioning - -### Semantic Versioning - -Tendermint uses [Semantic Versioning](http://semver.org/) to determine when and -how the version changes. According to SemVer, anything in the public API can -change at any time before version 1.0.0 - -To provide some stability to users of 0.X.X versions of Tendermint, the MINOR -version is used to signal breaking changes across Tendermint's API. This API -includes all publicly exposed types, functions, and methods in non-internal Go -packages as well as the types and methods accessible via the Tendermint RPC -interface. - -Breaking changes to these public APIs will be documented in the CHANGELOG. - -### Upgrades - -In an effort to avoid accumulating technical debt prior to 1.0.0, we do not -guarantee that breaking changes (ie. bumps in the MINOR version) will work with -existing Tendermint blockchains. In these cases you will have to start a new -blockchain, or write something custom to get the old data into the new chain. -However, any bump in the PATCH version should be compatible with existing -blockchain histories. - -For more information on upgrading, see [UPGRADING.md](./UPGRADING.md). - -### Supported Versions - -Because we are a small core team, we only ship patch updates, including security -updates, to the most recent minor release and the second-most recent minor -release. Consequently, we strongly recommend keeping Tendermint up-to-date. -Upgrading instructions can be found in [UPGRADING.md](./UPGRADING.md). ## Resources 
@@ -143,16 +80,9 @@ Upgrading instructions can be found in [UPGRADING.md](./UPGRADING.md). - [Tendermint Core Blog](https://medium.com/tendermint/tagged/tendermint-core) - [Cosmos Blog](https://blog.cosmos.network/tendermint/home) -## Join us! - -Tendermint Core is maintained by [Interchain GmbH](https://interchain.berlin). -If you'd like to work full-time on Tendermint Core, -[we're hiring](https://interchain-gmbh.breezy.hr/)! +## License -Funding for Tendermint Core development comes primarily from the -[Interchain Foundation](https://interchain.io), a Swiss non-profit. The -Tendermint trademark is owned by [Tendermint Inc.](https://tendermint.com), the -for-profit entity that also maintains [tendermint.com](https://tendermint.com). +To be added. [bft]: https://en.wikipedia.org/wiki/Byzantine_fault_tolerance [smr]: https://en.wikipedia.org/wiki/State_machine_replication diff --git a/node/node.go b/node/node.go index c8d65b8bc..6fba4224d 100644 --- a/node/node.go +++ b/node/node.go @@ -7,7 +7,7 @@ import ( "fmt" "net" "net/http" - _ "net/http/pprof" //nolint: gosec // securely exposed on separate, optional port + _ "net/http/pprof" //#nosec //nolint: gosec // securely exposed on separate, optional port "strings" "time" diff --git a/test/maverick/node/node.go b/test/maverick/node/node.go index 9fb8b5fe8..c7aa6745b 100644 --- a/test/maverick/node/node.go +++ b/test/maverick/node/node.go @@ -7,7 +7,7 @@ import ( "fmt" "net" "net/http" - _ "net/http/pprof" //nolint: gosec // securely exposed on separate, optional port + _ "net/http/pprof" //#nosec //nolint: gosec // securely exposed on separate, optional port "strconv" "strings" "time"
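Review bot: in .github/workflows/gosec.yml, `uses: securego/gosec@master` pulls a mutable branch of a third-party action into every run, so the scanner's code can change underneath this repo without review; pin it to a release tag or, better, a full commit SHA. Three smaller points in the same hunk: the `push` trigger lists `main` while `pull_request` lists `master`, so one of the two will never match this repo's default branch; `GH_ACCESS_TOKEN` sits in the job-level `env`, which hands the secret to every step (including the third-party scanner) instead of only the `git config --global url.https://$GH_ACCESS_TOKEN@github.com/.insteadOf` step that needs it, and that step also writes the token in clear text into the runner's global git config, so move the variable into that single step's `env`; and `-quiet -confidence high -severity high` drops every medium and low finding, which makes the job pass on a lot of what gosec can report, so consider a lower threshold once the baseline is clean. The file also lacks a trailing newline.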
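Review bot: the second README hunk (`@@ -26,36 +12,20 @@`) deletes the whole `## Security` section, including the vulnerability reporting instructions and the pointer to `SECURITY.md`, and the new `## Disclaimer` only states that the code is "not ready for any bug bounty"; that leaves a public repository with no disclosure channel at all. Keep a short Security heading with a contact address or a link to a SECURITY.md for the fork even while the bounty is off. Minor wording: "cross chain" should be "cross-chain", and the Vote Pool and RANDAO bullets would be more useful with a link to the code or docs where those features live.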
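Review bot: the third README hunk (`@@ -84,39 +54,6 @@`) removes the entire `## Versioning` section (SemVer policy, `### Upgrades`, `### Supported Versions`) without a replacement, so readers of the fork no longer learn which releases receive patch and security updates or whether a MINOR bump is compatible with existing chain data; the `./UPGRADING.md` link it carried is gone as well. Add a short versioning and support statement for the fork, even if it is only "follows upstream until further notice".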
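Review bot: in the last README hunk (`@@ -143,16 +80,9 @@`), `## License` now reads only "To be added."; a forked code base carries its upstream license regardless of what the README says, so keep the upstream license file and notices in place and state that license here rather than shipping a placeholder that reads as "unlicensed". The trailing context lines `[bft]: https://en.wikipedia.org/wiki/Byzantine_fault_tolerance` and `[smr]: https://en.wikipedia.org/wiki/State_machine_replication` are reference-link definitions whose only uses (`[Byzantine-Fault Tolerant][bft] [State Machine Replication][smr]`) were deleted in the first README hunk, so they are now orphaned and can be removed too.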
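Review bot: in node/node.go, the new `//#nosec //nolint: gosec // securely exposed on separate, optional port` suppresses every gosec rule on that import line. Scope it to the rule actually being silenced, the pprof auto-exposure check (`#nosec G108`), so any other finding on the line still surfaces, and keep the justification text after the directive, which gosec records as the reason. Because `net/http/pprof` registers its handlers on `http.DefaultServeMux` at import time, "securely exposed on separate, optional port" holds only as long as nothing in this binary serves `DefaultServeMux` on a public listener; a short comment pointing at where that separate port is configured would make the suppression reviewable.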
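Review bot: test/maverick/node/node.go receives the same blanket `//#nosec` as node/node.go; use the rule-scoped form (`#nosec G108`) here as well so the two files stay consistent, and say in the comment whether the maverick node's pprof port is bound to localhost or whether the suppression is accepted only because this is test-only code.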