add socket tier 1 reachability analysis #5333
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,102 @@ | ||
| # Socket reachability scan for stellar-core. | ||
| # For general Socket reachability documentation, see https://docs.socket.dev/docs/full-application-reachability | ||
| # Multi-ecosystem: Rust (Cargo) + Python (scripts/pyproject.toml). | ||
| # | ||
| # --reach-ecosystems=cargo,pypi explicitly lists the ecosystems that get full Tier 1 reachability analysis. This repo's Coana-supported ecosystems are cargo (Cargo.toml) and pypi (scripts/pyproject.toml). The explicit list also excludes Coana's phantom NUGET detection: the repo has Builds/VisualStudio/stellar-core.sln (no actual C# code), which Coana otherwise mis-detects as a .NET project and aborts the scan demanding `dotnet`. Listing only cargo,pypi sidesteps that. | ||
| # | ||
| # >>> DEVELOPERS: if this repo adds a NEW Coana-supported ecosystem (e.g. an >>> npm package.json, a go.mod, a Gemfile), you MUST add that ecosystem to >>> this --reach-ecosystems list to get full Tier 1 reachability for it. >>> Supported ecosystem names: npm, pypi, cargo, golang, maven, gem, nuget. >>> Ecosystems NOT listed here still receive Tier 2 (precomputed) >>> reachability from Socket's backend automatically — but Tier 1 (the more >>> precise, your-code-aware analysis) only runs for the ecosystems listed. | ||
| # | ||
| # Schedule: Sun 12:24 UTC weekly. Use workflow_dispatch to run on demand. | ||
| # | ||
| # ============================================================================ | ||
| # Socket scan — reading the job status. (The scan step below produces this: an | ||
| # exit code + an optional ::warning:: annotation, which GitHub Actions renders | ||
| # as the job's state.) | ||
| # ============================================================================ | ||
| # GREEN (exit 0, no warning): scan completed and every analyzed vulnerability | ||
| # got full Tier 1 reachability (precise, your-code-aware). Nothing to do. | ||
| # YELLOW (exit 0 + "::warning:: Socket scan completed with Tier 2 fallbacks"): | ||
| # scan completed, but Tier 1 could NOT be computed for some/all | ||
| # vulnerabilities, which fell back to Tier 2 (precomputed) reachability. | ||
| # You still get CVE detection + Tier 2 results, just reduced precision | ||
| # for the affected CVEs. The job is NOT failing. | ||
| # RED (non-zero exit): scan did not complete. Do not assume any part | ||
| # succeeded — could be reachability hard-failing, a missing language | ||
| # toolchain, the runner out of memory, a network/API error, or even the | ||
| # underlying CVE/SBOM detection failing. Check the logs and fix before | ||
| # relying on results. | ||
| # ---------------------------------------------------------------------------- | ||
| # THIS REPO STARTS YELLOW — a KNOWN upstream Coana bug, NOT your code or this | ||
| # scan setup: | ||
| # Coana's Rust analyzer hits "Maximum call stack size exceeded" on the cargo | ||
| # root + src/rust (4 CVEs) -> Tier 2 fallback. | ||
| # Reported to Socket; may be fixed upstream over time. Do NOT let this baseline | ||
| # yellow train the team to ignore yellow — a *new* yellow (a different Tier 2 | ||
| # fallback that appears later) is a real signal worth investigating. After the | ||
| # initial rollout, the team may resolve the baseline yellow at its discretion | ||
| # (once Coana ships a fix, or by adjusting the scan) so GREEN becomes the | ||
| # normal state and any future yellow stands out. | ||
| # ============================================================================ | ||
|
|
||
| name: Socket reachability scan | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: '24 12 * * 0' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| env: | ||
| # Force JS-based GitHub actions (actions/checkout, actions/setup-*, etc.) to | ||
| # use Node 24 instead of the soon-to-be-deprecated Node 20. Safe to remove | ||
| # after 2026-06-16 (when Node 24 becomes the default and this becomes a no-op). | ||
| FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true | ||
|
|
||
| jobs: | ||
| socket-scan: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
|
In scheduled runs,
Contributor
Since we would have socket scan enabled in rs-soroban-env repo, it's probably fine if this scan skips Soroban host scan. Also, with multi-host architecture, it's not worth scanning older protocol version hosts.
||
| - uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1 | ||
| with: | ||
| toolchain: "1.86.0" | ||
| - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 | ||
| with: | ||
| python-version: "3.14.6" | ||
| - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 | ||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "24.18.0" | ||
| - name: Enable Corepack (yarn/pnpm per repo packageManager) | ||
| run: corepack enable | ||
|
|
||
|
Comment on lines +72 to +74
Contributor
Seems relevant. core doesn't have package.json.
||
| - name: Install Socket CLI | ||
| run: npm install -g socket | ||
|
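Review bot: `npm install -g socket` in the Install Socket CLI step installs whatever version is current at run time, so the scanner's own code and its log wording can change between scheduled runs with no change to this repo. Pin an exact version (for example `npm install -g socket@<pinned-version>`, placeholder here since the PR does not name one) and bump it deliberately, the same way every action in this workflow is pinned to a commit SHA; this also keeps the `grep -qE` fallback markers in the scan step tied to a CLI version whose output wording has actually been checked.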
Comment on lines +75 to +76
Contributor
This is a possibility so pinning makes sense.
||
|
|
||
| - name: Run Socket reachability scan | ||
| env: | ||
| SOCKET_SECURITY_API_TOKEN: ${{ secrets.SOCKET_SECURITY_API_TOKEN }} | ||
| run: | | ||
| # Stream the scan output through tee so the run log captures it AND | ||
| # we can grep it for Tier-2-fallback markers; capture the scan's | ||
| # exit code via ${PIPESTATUS[0]} (tee always exits 0). If the scan | ||
| # succeeded but logged a Tier 2 fallback, emit a ::warning:: | ||
| # annotation that GitHub Actions renders as a yellow run-level | ||
| # warning without failing the job. | ||
| set +e | ||
| socket scan create --reach \ | ||
| --org=stellar \ | ||
| --no-interactive \ | ||
| --reach-continue-on-no-source-files \ | ||
| --reach-continue-on-analysis-errors \ | ||
| --reach-continue-on-install-errors \ | ||
| --reach-continue-on-missing-lock-files \ | ||
| --reach-ecosystems=cargo,pypi \ | ||
| . 2>&1 | tee /tmp/scan.log | ||
| rc=${PIPESTATUS[0]} | ||
| if [ $rc -eq 0 ] && grep -qE "Reachability falls back to Tier 2|fallback to the results from the pre-computed|Reachability falls back to precomputed" /tmp/scan.log; then | ||
|
Comment on lines +88 to +99
|
||
| echo "::warning::Socket scan completed with Tier 2 fallbacks - some vulnerabilities used precomputed reachability instead of full Tier 1" | ||
| fi | ||
| exit $rc | ||
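Review bot: the YELLOW detection in the Run Socket reachability scan step depends on three free-text phrases ("Reachability falls back to Tier 2", "fallback to the results from the pre-computed", "Reachability falls back to precomputed") appearing verbatim in the CLI output; if a later CLI release rewords them, Tier 2 fallbacks silently report as GREEN, the opposite of what the header comment trains the team to expect. Since the header states this repo starts YELLOW with a known 4-CVE Tier 2 fallback, consider emitting a `::notice::` when `rc` is 0 and none of the markers match, at least until that baseline is resolved, so "no fallbacks" is distinguishable from "marker text no longer matches". Related: the four `--reach-continue-on-*` flags mean, by their names, that analysis and install errors do not produce the non-zero exit the header describes as RED ("reachability hard-failing, a missing language toolchain"); either drop those flags or amend the GREEN/YELLOW/RED legend so it matches what the exit code can actually signal.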
Seems about right since we are past the June 16th date.