Merge branch 'release/os/5.3' into merge-release/os/5.2-release/os/5.…

…3-2024-06-27-152

.ci/JenkinsApiCompatibility

@@ -1,5 +1,5 @@
 // Check corda-api compatibility with downstream consumers which implement CordApps
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaApiCompatibilityCheck(
     javaVersion: '17'

.ci/JenkinsfileSnykDelta

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 snykDelta(
   snykOrgId: 'corda5-snyk-org-id',

.ci/JenkinsfileSonarCloud

@@ -0,0 +1,74 @@
+@Library('[email protected]') _
+
+import com.r3.build.agents.KubernetesAgent
+import com.r3.build.enums.BuildEnvironment
+import com.r3.build.enums.KubernetesCluster
+import com.r3.build.BuildConstants
+import com.r3.build.utils.GitUtils
+import com.r3.build.utils.SnykUtils
+
+KubernetesAgent k8s = new KubernetesAgent(
+        BuildEnvironment.AMD64_LINUX_JAVA17,
+        KubernetesCluster.JenkinsAgents,
+        1
+)
+
+GitUtils gitUtils = new GitUtils(this)
+SnykUtils snykUtils = new SnykUtils(this)
+
+pipeline {
+    agent {
+        kubernetes {
+            cloud k8s.buildCluster.cloudName
+            yaml k8s.JSON
+            yamlMergeStrategy merge() // important to keep tolerations from the inherited template
+            idleMinutes 15
+            podRetention always()
+            nodeSelector k8s.nodeSelector
+            label k8s.jenkinsLabel
+            showRawYaml true
+            defaultContainer k8s.defaultContainer.name
+        }
+    }
+
+    environment {
+        ARTIFACTORY_CREDENTIALS = credentials('artifactory-credentials')
+        CORDA_ARTIFACTORY_PASSWORD = "${env.ARTIFACTORY_CREDENTIALS_PSW}"
+        CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}"
+        BUILD_CACHE_CREDENTIALS = credentials('gradle-ent-cache-credentials')
+        BUILD_CACHE_PASSWORD = "${env.BUILD_CACHE_CREDENTIALS_PSW}"
+        BUILD_CACHE_USERNAME = "${env.BUILD_CACHE_CREDENTIALS_USR}"
+        CORDA_GRADLE_SCAN_KEY = credentials('gradle-build-scans-key')
+        GRADLE_USER_HOME = "/host_tmp/gradle"
+        SNYK_TOKEN = credentials("r3-snyk-corda5")
+        SNYK_ORG_ID = credentials("corda5-snyk-org-id")
+    }
+
+    options {
+        timestamps()
+    }
+
+    triggers {
+        cron (gitUtils.isReleaseBranch() ? '@midnight' : '')
+    }
+
+    stages {
+        stage('SonarQube analysis') {
+            when {
+                expression { return env.BRANCH_NAME == gitUtils.getDefaultBranch(gitUtils.getRepoName())}
+            }
+            steps {
+                withSonarQubeEnv('SonarCloud') {
+                    sh './gradlew sonar -Si'
+                }
+            }
+        }
+        stage('Snyk Code analysis') {
+            steps {
+                script {
+                    snykUtils.runSnykCode()
+                }
+            }
+        }
+    }
+}

.ci/dev/forward-merge/JenkinsInteropMerge

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 /*
  * Forward merge any changes in current branch to the branch with following version.

.ci/dev/forward-merge/JenkinsfileMergeAutomation

@@ -1,5 +1,5 @@
 #! groovy
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 /**
  * Forward merge any changes in current branch to the branch with following version.
@@ -14,13 +14,13 @@
  * the branch name of origin branch, it should match the current branch
  * and it acts as a fail-safe inside {@code forwardMerger} pipeline
  */
-String originBranch = 'release/os/5.2'
+String originBranch = 'release/os/5.3'
 
 /**
  * the branch name of target branch, it should be the branch with the next version
  * after the one in current branch.
  */
-String targetBranch = 'release/os/5.3'
+String targetBranch = 'release/os/5.4'
 
 /**
  * Forward merge any changes between {@code originBranch} and {@code targetBranch}

.ci/nightly/JenkinsfileNightly

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaPipelineKubernetesAgent(
     runIntegrationTests: false,

.ci/nightly/JenkinsfileSnykScan

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaSnykScanPipeline (
     snykTokenId: 'r3-snyk-corda5',

.ci/nightly/JenkinsfileWindowsCompatibility

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 windowsCompatibility(
     runIntegrationTests: false,

.github/CODEOWNERS

@@ -1,2 +1,18 @@
-# Code freeze reviewers
-* @driessamyn @jasonbyrner3 @ronanbrowne @rick-r3 @simon-johnson-r3 @blsemo @Omar-awad @aditisdesai @vinir3 @vkolomeyko @Sakpal @owenstanford @davidcurrie @conalsmith-r3
+# Build scripts and Jenkins files should be audited by BLT
+# Any changes to source code of corda-api to be reviewd by C5 team leads
+
+Jenkinsfile        @corda/infrastructure-release
+.ci/**             @corda/infrastructure-release
+
+gradle/wrapper     @corda/infrastructure-release
+*.toml             @corda/corda5-team-leads
+
+*.gradle           @corda/infrastructure-release
+gradle.properties  @corda/corda5-team-leads
+
+*.kt               @corda/corda5-team-leads
+*.java             @corda/corda5-team-leads
+
+**/scans/*.yaml    @corda/corda5-team-leads
+
+CODEOWNERS         @corda/infrastructure-release @corda/corda5-team-leads

.github/workflows/check-pr-title.yml

@@ -7,7 +7,7 @@ jobs:
   check-pr-title:
     runs-on: ubuntu-latest
     steps:
-      - uses: morrisoncole/pr-lint-action@v1.6.1
+      - uses: morrisoncole/pr-lint-action@v1.7.1
         with:
           title-regex: '^((CORDA|EG|ENT|INFRA|CORE|DOC|ES|DA5)-\d+)(.*)'
           on-failed-regex-comment: "PR title failed to match regex -> `%regex%`"

.github/workflows/remove-stale-branches.yml

@@ -8,7 +8,7 @@ jobs:
     name: Remove stale branches
     runs-on: ubuntu-latest
     steps:
-      - uses: fpicalausa/remove-stale-branches@v1.5.8
+      - uses: fpicalausa/remove-stale-branches@v2.0.1
         with:
           dry-run: false
           ignore-unknown-authors: true

.github/workflows/remove-stale-prs.yml

@@ -8,7 +8,7 @@ jobs:
     name: Remove stale PRs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v8.0.0
+      - uses: actions/stale@v9.0.0
         with:
           debug-only: false
           exempt-pr-labels: 'DO_NOT_CLOSE'

.snyk

@@ -2,58 +2,22 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
-  SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385:
-    - '*':
-        reason: >-
-          Gradle plugins use the version of Kotlin provided by Gradle itself, so
-          it is not susceptible to this vulnerability. In addition, this is a 
-          build-time vulnerability,  released artifacts are not affected due to
-          this.
-        expires: 2022-10-22T10:40:55.991Z
-        created: 2022-09-22T10:40:55.995Z
   SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
     - '*':
         reason: >-
           This vulnerability relates to information exposure via creation of
           temporary files via Kotlin functions with insecure permissions. Corda
           does not use any of the vulnerable functions so it not susceptible to
           this vulnerability.
-        expires: 2023-06-19T10:40:55.991Z
+        expires: 2024-08-27T10:40:55.991Z
         created: 2022-09-22T10:40:55.995Z
-  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:
-    - '*':
-        reason: >-
-          Corda5 Shippable artifacts do not make use of dokka-core, which is
-          where this dependency originates, this is used at compile / build time
-          only for Kdoc generation and not shipped in any of our releasable
-          artifacts.
-        expires: 2023-06-19T10:40:55.991Z
-        created: 2022-12-20T10:40:55.995Z
-  SNYK-JAVA-ORGJSOUP-2989728:
-    - '*':
-        reason: >-
-          Corda5 Shippable artifacts do not make use of dokka-core, which is
-          where this dependency originates, this is used at compile / build time
-          only for Kdoc generation and not shipped in any of our releasable
-          artifacts.
-        expires: 2023-06-19T10:40:55.991Z
-        created: 2022-12-20T10:40:55.995Z
-  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
-    - '*':
-        reason: >-
-          Corda5 Shippable artifacts do not make use of dokka-core, which is
-          where this dependency originates, this is used at compile / build time
-          only for Kdoc generation and not shipped in any of our releasable
-          artifacts.
-        expires: 2023-06-19T10:40:55.991Z
-        created: 2022-12-20T10:40:55.995Z
   SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135:
     - '*':
         reason: >-
           Corda5 Shippable artifacts do not make use of dokka-core, which is
           where this dependency originates, this is used at compile / build time
           only for Kdoc generation and not shipped in any of our releasable
           artifacts.
-        expires: 2023-06-19T13:28:02.582Z
+        expires: 2024-08-27T13:28:02.582Z
         created: 2023-03-20T13:28:02.597Z
 patch: {}

Jenkinsfile

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaPipelineKubernetesAgent(
     runIntegrationTests: false,