Merge pull request #41 from LedgerHQ/develop
Merge develop into master (B2CA-1398)
tdejoigny-ledger authored May 22, 2024
2 parents a99f347 + 115494a commit 90ca2f2
Showing 564 changed files with 18,167 additions and 897 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/check_version.yml
Expand Up @@ -3,6 +3,9 @@ name: Verify PRs to main
on:
workflow_dispatch:
pull_request:
paths:
- app/**
- deps/**
branches:
- main
- develop
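Review bot: With the new `paths` filter on `pull_request`, a PR that touches nothing under `app/**` or `deps/**` never starts this workflow, so if "Verify PRs to main" is configured as a required status check such PRs sit on a pending check and cannot be merged. If the goal is only to skip the version comparison for doc-style changes, a `paths-ignore` for those directories, or keeping the trigger unfiltered and deciding inside the job, avoids that. Separately, the trigger lists `main` and `develop` while this merge targets `master`; if `master` is the live integration branch, PRs into it are never verified here, which is worth confirming against the repository's branch settings.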
2 changes: 0 additions & 2 deletions .github/workflows/guidelines_enforcer.yml
Expand Up @@ -21,5 +21,3 @@ jobs:
guidelines_enforcer:
name: Call Ledger guidelines_enforcer
uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_guidelines_enforcer.yml@v1
with:
relative_app_directory: 'app'
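--- /dev/null
+++ b/.github/workflows/sonarcloud.yml
@@ -0,0 +1,57 @@
+name: Sonarcloud
+
+on:
+push:
+branches:
+- disable
+pull_request:
+branches:
+- disable
+types: [opened, synchronize, reopened]
+
+jobs:
+build:
+name: SonarQube analyze
+runs-on: ubuntu-latest
+container:
+image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder@sha256:877adc3ff619222aaf03a490d546ea9001f02faa0c6ac7c06c876c99584f9cdb
+env:
+SONAR_SCANNER_VERSION: 4.7.0.2747
+SONAR_SERVER_URL: "https://sonarcloud.io"
+BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+steps:
+- uses: actions/checkout@v2
+with:
+submodules: true
+- name: Set up JDK 11
+uses: actions/setup-java@v1
+with:
+java-version: 11
+- name: Download and set up sonar-scanner
+env:
+SONAR_SCANNER_DOWNLOAD_URL: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${{ env.SONAR_SCANNER_VERSION }}-linux.zip
+run: |
+apt-get update -y
+apt-get upgrade -y
+curl -sL https://deb.nodesource.com/setup_16.x | bash -
+apt-get install -y gcovr nodejs unzip
+mkdir -p $HOME/.sonar
+curl -sSLo $HOME/.sonar/sonar-scanner.zip ${{ env.SONAR_SCANNER_DOWNLOAD_URL }}
+unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
+echo "$HOME/.sonar/sonar-scanner-${{ env.SONAR_SCANNER_VERSION }}-linux/bin" >> $GITHUB_PATH
+- name: Download and set up build-wrapper
+env:
+BUILD_WRAPPER_DOWNLOAD_URL: ${{ env.SONAR_SERVER_URL }}/static/cpp/build-wrapper-linux-x86.zip
+run: |
+curl -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip ${{ env.BUILD_WRAPPER_DOWNLOAD_URL }}
+unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
+echo "$HOME/.sonar/build-wrapper-linux-x86" >> $GITHUB_PATH
+- name: Run build-wrapper
+run: |
+build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make clean all
+- name: Run sonar-scanner
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+run: |
+sonar-scanner --define sonar.host.url="${{ env.SONAR_SERVER_URL }}" --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"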
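Review bot: The toolchain steps fetch and execute unverified code: `curl -sL https://deb.nodesource.com/setup_16.x | bash -` pipes a remote script into a root shell inside the build container, and the sonar-scanner and build-wrapper zips are unzipped and prepended to `$GITHUB_PATH` with no checksum or signature check, while the container image itself is carefully pinned by digest (a pin that `apt-get upgrade -y` then partly undoes). The same rigor belongs on these downloads: verify a recorded `sha256sum` of the scanner zip before unzipping, and take node from the image or a pinned package rather than a piped installer. The actions are floating tags (`actions/checkout@v2`, `actions/setup-java@v1`); pinning them to commit SHAs and adding a top-level `permissions: contents: read` keeps the default `GITHUB_TOKEN` least-privileged in a job that also holds `SONAR_TOKEN`. As written the workflow only fires on a branch named `disable`, so presumably it is parked; if that is intentional, a comment such as `# parked: triggers on a non-existent branch on purpose` saves the next reader from enabling it without the hardening above.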
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -82,6 +82,7 @@ cmake-build-fuzz/
!\deps/nanox-secure-sdk
!\deps/ledger-zxlib
!\deps/tinycbor
!\deps/tinycbor-ledger
!\deps/BLAKE

app/src/glyphs.c
2 changes: 1 addition & 1 deletion .gitmodules
@@ -1,6 +1,6 @@
[submodule "deps/nanos-secure-sdk"]
path = deps/nanos-secure-sdk
url = https://github.com/LedgerHQ/nanos-secure-sdk.git
url = https://github.com/LedgerHQ/ledger-secure-sdk.git
[submodule "deps/nanox-secure-sdk"]
path = deps/nanox-secure-sdk
url = https://github.com/LedgerHQ/ledger-secure-sdk.git
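Review bot: Changing the `url` of `deps/nanos-secure-sdk` in `.gitmodules` does not move the commit the gitlink points to, so the pinned commit must be reachable in `ledger-secure-sdk` or `git submodule update --init` fails on fresh clones; whether the gitlink was bumped in this same merge is not visible here. Existing clones also keep the old URL until `git submodule sync` is run, which deserves a line in the build instructions. After this change both `deps/nanos-secure-sdk` and `deps/nanox-secure-sdk` fetch the same repository with no `branch =` entry, so the only thing distinguishing them is the pinned commit; a comment such as `# both checkouts track LedgerHQ/ledger-secure-sdk; the per-device SDK is selected by the pinned commit` makes that deliberate rather than a copy-paste.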
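--- /dev/null
+++ b/.sonarcloud.properties
@@ -0,0 +1,17 @@
+# Path to sources
+# sonar.sources=
+# sonar.exclusions=
+# sonar.inclusions=
+
+# Path to tests
+# sonar.tests=
+# sonar.test.exclusions=
+# sonar.test.inclusions=
+
+# Source encoding
+# sonar.sourceEncoding=
+
+# Exclusions for copy-paste detection
+# sonar.cpd.exclusions=
+# Python version (for python projects only)
+# sonar.python.version=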
45 changes: 32 additions & 13 deletions CMakeLists.txt
Expand Up @@ -14,12 +14,22 @@
#* limitations under the License.
#********************************************************************************
cmake_minimum_required(VERSION 3.0)
include("cmake/HunterGate.cmake")
HunterGate(
URL "https://github.com/cpp-pm/hunter/archive/v0.25.5.tar.gz"
SHA1 "a20151e4c0740ee7d0f9994476856d813cdead29"
LOCAL
)

project(ledger-cosmos VERSION 0.0.0)
enable_testing()

cmake_policy(SET CMP0025 NEW)
set(CMAKE_CXX_STANDARD 11)

set(HUNTER_STATUS_DEBUG ON)
set(HUNTER_TLS_VERIFY OFF)

option(ENABLE_FUZZING "Build with fuzzing instrumentation and build fuzz targets" OFF)
option(ENABLE_COVERAGE "Build with source code coverage instrumentation" OFF)
option(ENABLE_SANITIZERS "Build with ASAN and UBSAN" OFF)
Expand All @@ -30,6 +40,13 @@ string(APPEND CMAKE_LINKER_FLAGS " -fno-omit-frame-pointer -g")

add_definitions(-DAPP_STANDARD)

hunter_add_package(fmt)
find_package(fmt CONFIG REQUIRED)
hunter_add_package(jsoncpp)
find_package(jsoncpp CONFIG REQUIRED)
hunter_add_package(GTest)
find_package(GTest CONFIG REQUIRED)

if(ENABLE_FUZZING)
add_definitions(-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION=1)
SET(ENABLE_SANITIZERS ON CACHE BOOL "Sanitizer automatically enabled" FORCE)
Expand Down Expand Up @@ -71,17 +88,18 @@ if(ENABLE_SANITIZERS)
string(APPEND CMAKE_LINKER_FLAGS " -fsanitize=address,undefined -fsanitize-recover=address,undefined")
endif()

include(cmake/conan/CMakeLists.txt)
add_subdirectory(cmake/gtest)

string(APPEND CMAKE_CXX_FLAGS " -fsanitize=address -fno-omit-frame-pointer")
string(APPEND CMAKE_LINKER_FLAGS " -fsanitize=address -fno-omit-frame-pointer")

##############################################################
##############################################################
# static libs
file(GLOB_RECURSE JSMN_SRC
deps/jsmn/src/jsmn.c
${CMAKE_CURRENT_SOURCE_DIR}/deps/jsmn/src/jsmn.c
)
file(GLOB_RECURSE TINYCBOR_SRC
${CMAKE_CURRENT_SOURCE_DIR}/deps/tinycbor/src/cborparser.c
${CMAKE_CURRENT_SOURCE_DIR}/deps/tinycbor/src/cborvalidation.c
)

file(GLOB_RECURSE LIB_SRC
Expand All @@ -98,6 +116,7 @@ file(GLOB_RECURSE LIB_SRC
${CMAKE_CURRENT_SOURCE_DIR}/app/src/formatting.c
${CMAKE_CURRENT_SOURCE_DIR}/app/src/parser_impl.c
${CMAKE_CURRENT_SOURCE_DIR}/app/src/json/json_parser.c
${CMAKE_CURRENT_SOURCE_DIR}/app/src/cbor/cbor_parser_helper.c
${CMAKE_CURRENT_SOURCE_DIR}/app/src/tx_parser.c
${CMAKE_CURRENT_SOURCE_DIR}/app/src/tx_display.c
${CMAKE_CURRENT_SOURCE_DIR}/app/src/tx_validate.c
Expand All @@ -107,6 +126,7 @@ file(GLOB_RECURSE LIB_SRC
add_library(app_lib STATIC
${LIB_SRC}
${JSMN_SRC}
${TINYCBOR_SRC}
)

target_include_directories(app_lib PUBLIC
Expand All @@ -115,7 +135,8 @@ target_include_directories(app_lib PUBLIC
${CMAKE_CURRENT_SOURCE_DIR}/app/src
${CMAKE_CURRENT_SOURCE_DIR}/app/src/common
${CMAKE_CURRENT_SOURCE_DIR}/deps/ledger-zxlib/app/common
${CMAKE_CURRENT_SOURCE_DIR}/deps/tinykeccak
${CMAKE_CURRENT_SOURCE_DIR}/deps/tinycbor/src
${CMAKE_CURRENT_SOURCE_DIR}/deps/tinykeccak/
)

target_link_libraries(app_lib PUBLIC)
Expand All @@ -128,22 +149,20 @@ file(GLOB_RECURSE TESTS_SRC

add_executable(unittests ${TESTS_SRC})
target_include_directories(unittests PRIVATE
${gtest_SOURCE_DIR}/include
${gmock_SOURCE_DIR}/include
${CONAN_INCLUDE_DIRS_FMT}
${CONAN_INCLUDE_DIRS_JSONCPP}
${CMAKE_CURRENT_SOURCE_DIR}/deps/jsmn/src
${CMAKE_CURRENT_SOURCE_DIR}/deps/tinycbor/src
)

target_link_libraries(unittests PRIVATE
gtest_main
GTest::gtest_main
app_lib
CONAN_PKG::fmt
CONAN_PKG::jsoncpp)
fmt::fmt
JsonCpp::JsonCpp)

add_compile_definitions(TESTVECTORS_DIR="${CMAKE_CURRENT_SOURCE_DIR}/tests/")
add_compile_definitions(APP_TESTING=1)
add_test(unittests ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/unittests)
add_compile_definitions(COMPILE_TEXTUAL=1)
add_test(NAME unittests COMMAND unittests)
set_tests_properties(unittests PROPERTIES WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/tests)

##############################################################
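Review bot: `set(HUNTER_TLS_VERIFY OFF)` in the first hunk disables certificate verification for every archive Hunter downloads, including the `fmt`, `jsoncpp` and `GTest` packages this commit adds, which turns an on-path attacker's job into a plain payload swap; Hunter's per-package SHA1 pins limit the damage but are no substitute for TLS, so the line should go (or be `ON`), and if a corporate proxy is the reason, its CA belongs in the build environment instead. `set(HUNTER_STATUS_DEBUG ON)` likewise forces verbose output on every configure and reads better as a cache option the developer opts into. `cmake_minimum_required(VERSION 3.0)` is now below what the file uses — `add_compile_definitions` (including the new `COMPILE_TEXTUAL=1`) needs 3.12 — so raising it to the version actually required turns a confusing late failure into a clear early one. Note also that `CMAKE_LINKER_FLAGS` is not a variable CMake consults (the exe variant is `CMAKE_EXE_LINKER_FLAGS`), so the sanitizer link flags appended to it are silently dropped; that pattern predates this commit but the surrounding hunks keep it, and `target_link_options` on `unittests` would be the modern fix.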
12 changes: 9 additions & 3 deletions README.md
Expand Up @@ -4,15 +4,18 @@

---

![zondax](docs/zondax.jpg)
![zondax_light](docs/zondax_light.png#gh-light-mode-only)
![zondax_dark](docs/zondax_dark.png#gh-dark-mode-only)

_Please visit our website at [zondax.ch](zondax.ch)_

You can also visit [Zondax Hub](https://hub.zondax.ch/cosmos) to test any of the versions of the app

---

This project contains the Cosmos app for Ledger Nano S and X.
This project contains the Cosmos app for Ledger Nano S, Nano S+, X and Stax.

- Ledger Nano S/X Cosmos app
- Ledger Nano S/S+/X/Stax Cosmos app
- Specs / Documentation
- C++ unit tests
- Zemu tests
Expand Down Expand Up @@ -202,5 +205,8 @@ The Makefile will build the firmware in a docker container and leave the binary

## APDU Specifications

### DISCLAIMER
Ledger NanoS does not support Cosmos Textual Mode due to memory restriction

- [APDU Protocol](docs/APDUSPEC.md)
- [Transaction format](docs/TXSPEC.md)
79 changes: 79 additions & 0 deletions SECURITY.md
@@ -0,0 +1,79 @@
# Coordinated Vulnerability Disclosure Policy

The Cosmos ecosystem believes that strong security is a blend of highly
technical security researchers who care about security and the forward
progression of the ecosystem and the attentiveness and openness of Cosmos core
contributors to help continually secure our operations.

> **IMPORTANT**: *DO NOT* open public issues on this repository for security
> vulnerabilities.
## Scope

| Scope |
|-----------------------|
| last release (tagged) |
| main branch |

The latest **release tag** of this repository is supported for security updates
as well as the **main** branch. Security vulnerabilities should be reported if
the vulnerability can be reproduced on either one of those.

## Reporting a Vulnerability

| Reporting methods |
|---------------------------------------------------------------|
| [GitHub Private Vulnerability Reporting][gh-private-advisory] |
| [HackerOne bug bounty program][h1] |

All security vulnerabilities can be reported under GitHub's [Private
vulnerability reporting][gh-private-advisory] system. This will open a private
issue for the developers. Try to fill in as much of the questions as possible.
If you are not familiar with the CVSS system for assessing vulnerabilities, just
use the Low/High/Critical severity ratings. A partially filled in report for a
critical vulnerability is still better than no report at all.

Vulnerabilities associated with the **Go, Rust or Protobuf code** of the
repository may be eligible for a [bug bounty][h1]. Please see the bug bounty
page for more details on submissions and rewards. If you think the vulnerability
is eligible for a payout, **report on HackerOne first**.

Vulnerabilities in services and their source codes (JavaScript, web page, Google
Workspace) are not in scope for the bug bounty program, but they are welcome to
be reported in GitHub.

### Guidelines

We require that all researchers:

* Abide by this policy to disclose vulnerabilities, and avoid posting
vulnerability information in public places, including GitHub, Discord,
Telegram, and Twitter.
* Make every effort to avoid privacy violations, degradation of user experience,
disruption to production systems (including but not limited to the Cosmos
Hub), and destruction of data.
* Keep any information about vulnerabilities that you’ve discovered confidential
between yourself and the Cosmos engineering team until the issue has been
resolved and disclosed.
* Avoid posting personally identifiable information, privately or publicly.

If you follow these guidelines when reporting an issue to us, we commit to:

* Not pursue or support any legal action related to your research on this
vulnerability
* Work with you to understand, resolve and ultimately disclose the issue in a
timely fashion

### More information

* See [TIMELINE.md] for an example timeline of a disclosure.
* See [DISCLOSURE.md] to see more into the inner workings of the disclosure
process.
* See [EXAMPLES.md] for some of the examples that we are interested in for the
bug bounty program.

[gh-private-advisory]: /../../security/advisories/new
[h1]: https://hackerone.com/cosmos
[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md
[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md
[EXAMPLES.md]: https://github.com/cosmos/security/blob/main/EXAMPLES.md
22 changes: 15 additions & 7 deletions app/Makefile
Expand Up @@ -54,21 +54,29 @@ APP_LOAD_PARAMS = --curve secp256k1 $(COMMON_LOAD_PARAMS) --path $(APPPATH)

include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.devices

# On zxlib v19.7.1, Makefile.devices will set a default value for APP_STACK_SIZE
# to follow the most recent nanos-secure-sdk rules we will clean APP_STACK_SIZE value
# and set a minimum value
APP_STACK_SIZE :=
APP_STACK_MIN_SIZE := 1444

$(info TARGET_NAME = [$(TARGET_NAME)])
$(info ICONNAME = [$(ICONNAME)])

ifndef ICONNAME
$(error ICONNAME is not set)
endif

include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.platform
# Compile textual mode for all devices excetpt Nano S,
# and define a Min stack size for Nano S with some margin
# to get an error if app grows too much
ifneq ($(TARGET_NAME),TARGET_NANOS)
DEFINES += COMPILE_TEXTUAL
endif

ifeq ($(TARGET_NAME),TARGET_NANOS)
APP_STACK_MIN_SIZE := 1600
else
APP_STACK_MIN_SIZE := 3800
endif

include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.platform
CFLAGS += -I$(MY_DIR)/../deps/tinycbor/src
APP_SOURCE_PATH += $(MY_DIR)/../deps/tinycbor-ledger
APP_SOURCE_PATH += $(MY_DIR)/../deps/jsmn/src

.PHONY: rust
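Review bot: The two conditionals on `TARGET_NAME` in the stack-size hunk test the same value back to back (`ifneq` for the textual define, then `ifeq`/`else` for the stack floor) and read more clearly as a single `ifeq`/`else` block that keeps the textual-mode define next to the larger stack budget it needs. The comment above them also has a typo (`excetpt` → `except`), and the values 1600 and 3800 are bare numbers; a short note on how they were chosen would help the next person who has to raise them. The comment says the floor exists so the build fails when the app grows too much — presumably enforced by `Makefile.platform`, which is included right after and is not visible here, so that is worth confirming before relying on it.
```makefile
# Textual mode is compiled for every device except Nano S, and each
# device gets a minimum stack size so the build fails if the app grows
# too much (floor enforced by the included platform makefile).
ifeq ($(TARGET_NAME),TARGET_NANOS)
APP_STACK_MIN_SIZE := 1600
else
DEFINES += COMPILE_TEXTUAL
APP_STACK_MIN_SIZE := 3800
endif
# … unchanged: include Makefile.platform, tinycbor/jsmn source paths …
```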
4 changes: 2 additions & 2 deletions app/Makefile.version
@@ -1,6 +1,6 @@
# This is the `transaction_version` field of `Runtime`
APPVERSION_M=2
# This is the `spec_version` field of `Runtime`
APPVERSION_N=34
APPVERSION_N=35
# This is the patch version of this release
APPVERSION_P=14
APPVERSION_P=22
Binary file modified app/glyphs/icon_stax_32.gif
Binary file modified app/glyphs/icon_stax_64.gif
