Update tool versions and dependencies

- Remove several unnecessary dependencies from Java package. - Update Makefile to latest toolchain and to work on Arm64 Mac. - Add security vulnerability scan. Signed-off-by: Mark S. Lewis <Mark.S.Lewis@outlook.com>
hyperledger · Jun 20, 2023 · 15b440c · 15b440c
1 parent a319cef
commit 15b440c
Show file tree

Hide file tree

Showing 8 changed files with 1,739 additions and 230 deletions.
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -0,0 +1,52 @@
+name: "Security vulnerability scan"
+
+on:
+  schedule:
+    - cron: "20 02 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+env:
+  GO_VERSION: '1.20'
+
+jobs:
+  go:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          check-latest: true
+      - name: Scan
+        run: make scan-go
+
+  node:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: Scan
+        run: make scan-node
+
+  java:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v4
+        with:
+          go-version: ${{ env.GO_VERSION }}
+      - uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: temurin
+          cache: maven
+      - name: Scan
+        run: make scan-java
diff --git a/Makefile b/Makefile
@@ -25,20 +25,21 @@ HTTPS_GIT := https://github.com/hyperledger/fabric-protos.git
 SSH_GIT := ssh://git@github.com/hyperledger/fabric-protos.git
 
 # This controls the version of buf to install and use.
-BUF_VERSION := 1.1.1
+BUF_VERSION := 1.20.0
 # If true, Buf is installed from source instead of from releases
 BUF_INSTALL_FROM_SOURCE := false
 
-PROTOC_VERSION := 3.19.4
+PROTOC_VERSION := 23.2
 PROTOC_GEN_DOC_VERSION := 1.5.1
-PROTOC_GEN_GO_VERSION := 1.28.0
-PROTOC_GEN_GO_GRPC_VERSION := 1.2.0
-PROTOC_GEN_GRPC_JAVA_VERSION := 1.45.1
-GRPC_TOOLS_VERSION := 1.11.2
+PROTOC_GEN_GO_VERSION := 1.30.0
+PROTOC_GEN_GO_GRPC_VERSION := 1.3.0
+PROTOC_GEN_GRPC_JAVA_VERSION := 1.55.1
+PROTOC_GEN_JS_VERSION := 3.21.2
+GRPC_TOOLS_VERSION := 1.12.4
 TS_PROTOC_GEN_VERSION := 0.15.0
 
 # This is the commit hash for the https://github.com/googleapis/googleapis repo
-GRPC_STATUS_VERSION := 047d3a8ac7f75383855df0166144f891d7af08d9
+GRPC_STATUS_VERSION := f36c65081b19e0758ef5696feca27c7dcee5475e
 GRPC_STATUS_PROTO := google/rpc/status.proto
 
 ### Everything below this line is meant to be static, i.e. only adjust the above variables. ###
@@ -47,7 +48,11 @@ UNAME_OS := $(shell uname -s)
 UNAME_ARCH := $(shell uname -m)
 ifeq ($(UNAME_OS),Darwin)
 	PLATFORM := osx
-	PROTOC_ARCH := x86_64
+	ifeq ($(UNAME_ARCH),arm64)
+		PROTOC_ARCH := aarch_64
+	else
+		PROTOC_ARCH := x86_64
+	endif
 else
 	PROTOC_ARCH := $(UNAME_ARCH)
 endif
@@ -160,13 +165,32 @@ $(PROTOC_GEN_GRPC_JAVA):
 	@rm -f $(CACHE_BIN)/protoc-gen-grpc-java
 	@mkdir -p $(CACHE_BIN)
 	curl -sSL \
-		"https://repo1.maven.org/maven2/io/grpc/protoc-gen-grpc-java/$(PROTOC_GEN_GRPC_JAVA_VERSION)/protoc-gen-grpc-java-$(PROTOC_GEN_GRPC_JAVA_VERSION)-$(PLATFORM)-$(UNAME_ARCH).exe" \
+		"https://repo1.maven.org/maven2/io/grpc/protoc-gen-grpc-java/$(PROTOC_GEN_GRPC_JAVA_VERSION)/protoc-gen-grpc-java-$(PROTOC_GEN_GRPC_JAVA_VERSION)-$(PLATFORM)-$(PROTOC_ARCH).exe" \
 		-o "$(CACHE_BIN)/protoc-gen-grpc-java"
 	chmod +x "$(CACHE_BIN)/protoc-gen-grpc-java"
 	@rm -rf $(dir $(PROTOC_GEN_GRPC_JAVA))
 	@mkdir -p $(dir $(PROTOC_GEN_GRPC_JAVA))
 	@touch $(PROTOC_GEN_GRPC_JAVA)
 
+# PROTOC_GEN_JS points to the marker file for the installed version.
+#
+# If PROTOC_GEN_JS_VERSION is changed, the binary will be re-downloaded.
+PROTOC_GEN_JS := $(CACHE_VERSIONS)/protoc-gen-js/$(PROTOC_GEN_JS_VERSION)
+$(PROTOC_GEN_JS):
+	@rm -f $(CACHE_BIN)/protoc-gen-js
+	@mkdir -p $(CACHE_BIN)
+	$(eval PROTOC_GEN_JS_TMP := $(shell mktemp -d))
+	curl -sSL \
+		"https://github.com/protocolbuffers/protobuf-javascript/releases/download/v$(PROTOC_GEN_JS_VERSION)/protobuf-javascript-$(PROTOC_GEN_JS_VERSION)-$(PLATFORM)-$(PROTOC_ARCH).tar.gz" \
+		-o "$(PROTOC_GEN_JS_TMP)/protobuf-javascript.tar.gz"
+	tar xf "$(PROTOC_GEN_JS_TMP)/protobuf-javascript.tar.gz" -C "$(PROTOC_GEN_JS_TMP)" bin/protoc-gen-js
+	mv "$(PROTOC_GEN_JS_TMP)/bin/protoc-gen-js" "$(CACHE_BIN)"
+	chmod +x "$(CACHE_BIN)/protoc-gen-js"
+	@rm -rf $(PROTOC_GEN_JS_TMP)
+	@rm -rf $(dir $(PROTOC_GEN_JS))
+	@mkdir -p $(dir $(PROTOC_GEN_JS))
+	@touch $(PROTOC_GEN_JS)
+
 # GRPC_TOOLS points to the marker file for the installed version.
 #
 # If GRPC_TOOLS_VERSION is changed, the binary will be re-downloaded.
@@ -199,7 +223,7 @@ all: lint javabindings nodebindings
 # deps allows us to install deps without running any checks.
 
 .PHONY: deps
-deps: $(BUF) $(PROTOC) $(PROTOC_GEN_DOC) $(PROTOC_GEN_GO) $(PROTOC_GEN_GO_GRPC) $(PROTOC_GEN_GRPC_JAVA) $(GRPC_TOOLS) $(TS_PROTOC_GEN)
+deps: $(BUF) $(PROTOC) $(PROTOC_GEN_DOC) $(PROTOC_GEN_GO) $(PROTOC_GEN_GO_GRPC) $(PROTOC_GEN_GRPC_JAVA) $(PROTOC_GEN_JS) $(GRPC_TOOLS) $(TS_PROTOC_GEN)
 
 .PHONY: lint
 lint: https
@@ -236,7 +260,7 @@ $(GRPC_STATUS_PROTO):
 		-o "$(GRPC_STATUS_PROTO)"
 
 .PHONY: genprotos
-genprotos: $(BUF) $(PROTOC) $(PROTOC_GEN_DOC) $(PROTOC_GEN_GO) $(PROTOC_GEN_GO_GRPC) $(PROTOC_GEN_GRPC_JAVA) $(GRPC_TOOLS) $(TS_PROTOC_GEN) $(GRPC_STATUS_PROTO)
+genprotos: deps $(GRPC_STATUS_PROTO)
 	buf generate --template buf.gen.yaml
 
 .PHONY: javabindings
@@ -248,6 +272,24 @@ nodebindings: genprotos
 	./scripts/generate_node_indexes.sh bindings/node/src
 	cd bindings/node && npm ci && npm run compile
 
+.PHONY: scan
+scan: scan-go scan-java scan-node
+
+.PHONY: scan-go
+scan-go: genprotos
+	go install golang.org/x/vuln/cmd/govulncheck@latest
+	cd bindings/go-apiv2 && govulncheck ./...
+
+.PHONY: scan-java
+scan-java: javabindings
+	go install github.com/google/osv-scanner/cmd/osv-scanner@latest
+	cd bindings/java && mvn --activate-profiles sbom -DskipTests install
+	osv-scanner --sbom=bindings/java/target/bom.json
+
+.PHONY: scan-node
+scan-node:
+	cd bindings/node && npm ci && npm audit --omit=dev
+
 # clean deletes any files not checked in and the cache for all platforms.
 
 .PHONY: clean

diff --git a/bindings/go-apiv2/go.mod b/bindings/go-apiv2/go.mod
@@ -3,14 +3,14 @@ module github.com/hyperledger/fabric-protos-go-apiv2
 go 1.17
 
 require (
-	google.golang.org/grpc v1.46.2
-	google.golang.org/protobuf v1.28.0
+	google.golang.org/grpc v1.55.0
+	google.golang.org/protobuf v1.30.0
 )
 
 require (
-	github.com/golang/protobuf v1.5.2 // indirect
-	golang.org/x/net v0.0.0-20201021035429-f5854403a974 // indirect
-	golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 // indirect
-	golang.org/x/text v0.3.3 // indirect
-	google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	golang.org/x/net v0.10.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20230530153820-e85fd2cbaebc // indirect
 )