Merge remote-tracking branch 'origin/release/os/5.3' into merge-relea…

…se/os/5.2-release/os/5.3-2024-12-03-316 # Conflicts: # .snyk # gradle.properties # gradle/libs.versions.toml
corda · Dec 3, 2024 · 3f9b91b · 3f9b91b
2 parents ec40e2b + f2d9a46
commit 3f9b91b
Show file tree

Hide file tree

Showing 89 changed files with 1,033 additions and 290 deletions.
diff --git a/.ci/JenkinsApiCompatibility b/.ci/JenkinsApiCompatibility
@@ -1,5 +1,5 @@
 // Check corda-api compatibility with downstream consumers which implement CordApps
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaApiCompatibilityCheck(
     javaVersion: '17'

diff --git a/.ci/JenkinsfileSnykDelta b/.ci/JenkinsfileSnykDelta
@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 snykDelta(
   snykOrgId: 'corda5-snyk-org-id',

diff --git a/.ci/JenkinsfileSonarCloud b/.ci/JenkinsfileSonarCloud
@@ -0,0 +1,74 @@
+@Library('[email protected]') _
+
+import com.r3.build.agents.KubernetesAgent
+import com.r3.build.enums.BuildEnvironment
+import com.r3.build.enums.KubernetesCluster
+import com.r3.build.BuildConstants
+import com.r3.build.utils.GitUtils
+import com.r3.build.utils.SnykUtils
+
+KubernetesAgent k8s = new KubernetesAgent(
+        BuildEnvironment.AMD64_LINUX_JAVA17,
+        KubernetesCluster.JenkinsAgents,
+        1
+)
+
+GitUtils gitUtils = new GitUtils(this)
+SnykUtils snykUtils = new SnykUtils(this)
+
+pipeline {
+    agent {
+        kubernetes {
+            cloud k8s.buildCluster.cloudName
+            yaml k8s.JSON
+            yamlMergeStrategy merge() // important to keep tolerations from the inherited template
+            idleMinutes 15
+            podRetention always()
+            nodeSelector k8s.nodeSelector
+            label k8s.jenkinsLabel
+            showRawYaml true
+            defaultContainer k8s.defaultContainer.name
+        }
+    }
+
+    environment {
+        ARTIFACTORY_CREDENTIALS = credentials('artifactory-credentials')
+        CORDA_ARTIFACTORY_PASSWORD = "${env.ARTIFACTORY_CREDENTIALS_PSW}"
+        CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}"
+        BUILD_CACHE_CREDENTIALS = credentials('gradle-ent-cache-credentials')
+        BUILD_CACHE_PASSWORD = "${env.BUILD_CACHE_CREDENTIALS_PSW}"
+        BUILD_CACHE_USERNAME = "${env.BUILD_CACHE_CREDENTIALS_USR}"
+        CORDA_GRADLE_SCAN_KEY = credentials('gradle-build-scans-key')
+        GRADLE_USER_HOME = "/host_tmp/gradle"
+        SNYK_TOKEN = credentials("r3-snyk-corda5")
+        SNYK_ORG_ID = credentials("corda5-snyk-org-id")
+    }
+
+    options {
+        timestamps()
+    }
+
+    triggers {
+        cron (gitUtils.isReleaseBranch() ? '@midnight' : '')
+    }
+
+    stages {
+        stage('SonarQube analysis') {
+            when {
+                expression { return env.BRANCH_NAME == gitUtils.getDefaultBranch(gitUtils.getRepoName())}
+            }
+            steps {
+                withSonarQubeEnv('SonarCloud') {
+                    sh './gradlew sonar -Si'
+                }
+            }
+        }
+        stage('Snyk Code analysis') {
+            steps {
+                script {
+                    snykUtils.runSnykCode()
+                }
+            }
+        }
+    }
+}
diff --git a/.ci/JenkinsfileStaticAnalysis b/.ci/JenkinsfileStaticAnalysis
@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 staticCodeAnalysisPipeline(
     snykCodeEnabled : true

diff --git a/.ci/dev/forward-merge/JenkinsForwardMergeReleaseBranch b/.ci/dev/forward-merge/JenkinsForwardMergeReleaseBranch
diff --git a/.ci/dev/forward-merge/JenkinsInteropMerge b/.ci/dev/forward-merge/JenkinsInteropMerge
@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 /*
  * Forward merge any changes in current branch to the branch with following version.

diff --git a/.ci/dev/forward-merge/JenkinsfileMergeAutomation b/.ci/dev/forward-merge/JenkinsfileMergeAutomation
@@ -1,5 +1,5 @@
 #! groovy
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 /**
  * Forward merge any changes in current branch to the branch with following version.
@@ -14,13 +14,13 @@
  * the branch name of origin branch, it should match the current branch
  * and it acts as a fail-safe inside {@code forwardMerger} pipeline
  */
-String originBranch = 'release/os/5.2'
+String originBranch = 'release/os/5.3'
 
 /**
  * the branch name of target branch, it should be the branch with the next version
  * after the one in current branch.
  */
-String targetBranch = 'release/os/5.3'
+String targetBranch = 'release/os/5.4'
 
 /**
  * Forward merge any changes between {@code originBranch} and {@code targetBranch}

diff --git a/.ci/nightly/JenkinsfileNightly b/.ci/nightly/JenkinsfileNightly
@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaPipelineKubernetesAgent(
     runIntegrationTests: false,

diff --git a/.ci/nightly/JenkinsfileSnykScan b/.ci/nightly/JenkinsfileSnykScan
@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaSnykScanPipeline (
     snykTokenId: 'r3-snyk-corda5',

diff --git a/.ci/nightly/JenkinsfileWindowsCompatibility b/.ci/nightly/JenkinsfileWindowsCompatibility
@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 windowsCompatibility(
     runIntegrationTests: false,

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -1,2 +1,18 @@
-# Code freeze reviewers
-* @driessamyn @jasonbyrner3 @ronanbrowne @rick-r3 @simon-johnson-r3 @blsemo @Omar-awad @aditisdesai @vinir3 @vkolomeyko @Sakpal @owenstanford @davidcurrie @conalsmith-r3
+# Build scripts and Jenkins files should be audited by BLT
+# Any changes to source code of corda-api to be reviewd by C5 team leads
+
+Jenkinsfile        @corda/infrastructure-release
+.ci/**             @corda/infrastructure-release
+
+gradle/wrapper     @corda/infrastructure-release
+*.toml             @corda/corda5-team-leads
+
+*.gradle           @corda/infrastructure-release
+gradle.properties  @corda/corda5-team-leads
+
+*.kt               @corda/corda5-team-leads
+*.java             @corda/corda5-team-leads
+
+**/scans/*.yaml    @corda/corda5-team-leads
+
+CODEOWNERS         @corda/infrastructure-release @corda/corda5-team-leads
diff --git a/.github/workflows/check-pr-title.yml b/.github/workflows/check-pr-title.yml
@@ -7,8 +7,8 @@ jobs:
   check-pr-title:
     runs-on: ubuntu-latest
     steps:
-      - uses: morrisoncole/pr-lint-action@v1.6.1
+      - uses: morrisoncole/pr-lint-action@v1.7.1
         with:
-          title-regex: '^((CORDA|EG|ENT|INFRA|CORE|DOC|ES|DA5)-\d+)(.*)'
+          title-regex: '^((CORDA|R3SOL|EG|ENT|INFRA|CORE|DOC|ES|DA5)-\d+)(.*)'
           on-failed-regex-comment: "PR title failed to match regex -> `%regex%`"
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/remove-stale-branches.yml b/.github/workflows/remove-stale-branches.yml
@@ -8,7 +8,7 @@ jobs:
     name: Remove stale branches
     runs-on: ubuntu-latest
     steps:
-      - uses: fpicalausa/remove-stale-branches@v1.5.8
+      - uses: fpicalausa/remove-stale-branches@v2.0.1
         with:
           dry-run: false
           ignore-unknown-authors: true

diff --git a/.github/workflows/remove-stale-prs.yml b/.github/workflows/remove-stale-prs.yml
@@ -8,7 +8,7 @@ jobs:
     name: Remove stale PRs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v8.0.0
+      - uses: actions/stale@v9.0.0
         with:
           debug-only: false
           exempt-pr-labels: 'DO_NOT_CLOSE'

diff --git a/.snyk b/.snyk
@@ -2,15 +2,6 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385:
-    - '*':
-        reason: >-
-          Gradle plugins use the version of Kotlin provided by Gradle itself, so
-          it is not susceptible to this vulnerability. In addition, this is a 
-          build-time vulnerability,  released artifacts are not affected due to
-          this.
-        expires: 2022-10-22T10:40:55.991Z
-        created: 2022-09-22T10:40:55.995Z
   SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
     - '*':
         reason: >-
@@ -20,24 +11,24 @@ ignore:
           this vulnerability.
         expires: 2025-11-18T13:28:02.597Z
         created: 2022-09-22T10:40:55.995Z
-  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:
+  SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135:
     - '*':
         reason: >-
           Corda5 Shippable artifacts do not make use of dokka-core, which is
           where this dependency originates, this is used at compile / build time
           only for Kdoc generation and not shipped in any of our releasable
           artifacts.
-        expires: 2023-06-19T10:40:55.991Z
-        created: 2022-12-20T10:40:55.995Z
-  SNYK-JAVA-ORGJSOUP-2989728:
+        expires: 2025-11-19T10:40:55.991Z
+        created: 2023-03-20T13:28:02.597Z
+  SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538:
     - '*':
         reason: >-
           Corda5 Shippable artifacts do not make use of dokka-core, which is
           where this dependency originates, this is used at compile / build time
           only for Kdoc generation and not shipped in any of our releasable
           artifacts.
-        expires: 2023-06-19T10:40:55.991Z
-        created: 2022-12-20T10:40:55.995Z
+        expires: 2025-11-18T13:28:02.597Z
+        created: 2024-11-18T13:28:02.597Z
   SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
     - '*':
         reason: >-
@@ -47,22 +38,4 @@ ignore:
           artifacts.
         expires: 2025-06-19T10:40:55.991Z
         created: 2022-12-20T10:40:55.995Z
-  SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135:
-    - '*':
-        reason: >-
-          Corda5 Shippable artifacts do not make use of dokka-core, which is
-          where this dependency originates, this is used at compile / build time
-          only for Kdoc generation and not shipped in any of our releasable
-          artifacts.
-        expires: 2025-11-19T10:40:55.991Z
-        created: 2023-03-20T13:28:02.597Z
-  SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538:
-    - '*':
-        reason: >-
-          Corda5 Shippable artifacts do not make use of dokka-core, which is
-          where this dependency originates, this is used at compile / build time
-          only for Kdoc generation and not shipped in any of our releasable
-          artifacts.
-        expires: 2025-11-18T13:28:02.597Z
-        created: 2024-11-18T13:28:02.597Z
 patch: {}
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaPipelineKubernetesAgent(
     runIntegrationTests: false,

diff --git a/...cation/scans/corda-application-5.2.1.yaml → ...cation/scans/corda-application-5.3.0.yaml b/...cation/scans/corda-application-5.2.1.yaml → ...cation/scans/corda-application-5.3.0.yaml
@@ -296,6 +296,39 @@ net.corda.v5.application.crypto.SigningService:
   extends: []
   interface: true
   methods:
+    decodePublicKey:
+      annotations:
+        - NotNull
+      default: false
+      type: public abstract
+      returnType: java.security.PublicKey
+      params:
+        encodedKey:
+          annotation:
+            - NotNull
+          type: String
+    encodeAsByteArray:
+      annotations:
+        - NotNull
+      default: false
+      type: public abstract
+      returnType: "byte[]"
+      params:
+        publicKey:
+          annotation:
+            - NotNull
+          type: java.security.PublicKey
+    encodeAsString:
+      annotations:
+        - NotNull
+      default: false
+      type: public abstract
+      returnType: String
+      params:
+        publicKey:
+          annotation:
+            - NotNull
+          type: java.security.PublicKey
     findMySigningKeys:
       annotations:
         - Suspendable

diff --git a/application/src/main/java/net/corda/v5/application/crypto/SigningService.java b/application/src/main/java/net/corda/v5/application/crypto/SigningService.java
@@ -57,4 +57,40 @@ public interface SigningService {
     @Suspendable
     @NotNull
     Map<PublicKey, PublicKey> findMySigningKeys(@NotNull Set<PublicKey> keys);
+
+    /**
+     * Deserializes a {@link PublicKey} from a {@code byte} array.
+     *
+     * @param encodedKey The public key represented as a {@code byte} array.
+     * @return An instance of {@link PublicKey} constructed from the encoded key.
+     */
+    @NotNull
+    PublicKey decodePublicKey(@NotNull byte[] encodedKey);
+
+    /**
+     * Deserializes a {@link PublicKey} from a {@link String}.
+     *
+     * @param encodedKey The public key represented as a PEM encoded {@link String}.
+     * @return An instance of {@link PublicKey} constructed from the encoded key.
+     */
+    @NotNull
+    PublicKey decodePublicKey(@NotNull String encodedKey);
+
+    /**
+     * Serializes a {@link PublicKey} into a byte array.
+     *
+     * @param publicKey The {@link PublicKey} to be encoded.
+     * @return A {@code byte} array representation of the public key.
+     */
+    @NotNull
+    byte[] encodeAsByteArray(@NotNull PublicKey publicKey);
+
+    /**
+     * Serializes a {@link PublicKey} into a PEM encoded String.
+     *
+     * @param publicKey The {@link PublicKey} to be encoded.
+     * @return A hex encoded {@link String} representation of the public key.
+     */
+    @NotNull
+    String encodeAsString(@NotNull PublicKey publicKey);
 }