Static code analysis

.github/workflows/main.yml

@@ -0,0 +1,59 @@
+name: Build
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened]
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-18.04
+    env:
+      SONAR_SCANNER_VERSION: 4.7.0.2747
+      SONAR_SERVER_URL: "https://sonarcloud.io"
+      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK 11
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11
+      - name: Download and set up sonar-scanner
+        env:
+          SONAR_SCANNER_DOWNLOAD_URL: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${{ env.SONAR_SCANNER_VERSION }}-linux.zip
+        run: |
+          mkdir -p $HOME/.sonar
+          curl -sSLo $HOME/.sonar/sonar-scanner.zip ${{ env.SONAR_SCANNER_DOWNLOAD_URL }}
+          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
+          echo "$HOME/.sonar/sonar-scanner-${{ env.SONAR_SCANNER_VERSION }}-linux/bin" >> $GITHUB_PATH
+      - name: Download and set up build-wrapper
+        env:
+          BUILD_WRAPPER_DOWNLOAD_URL: ${{ env.SONAR_SERVER_URL }}/static/cpp/build-wrapper-linux-x86.zip
+        run: |
+          curl -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip ${{ env.BUILD_WRAPPER_DOWNLOAD_URL }}
+          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
+          echo "$HOME/.sonar/build-wrapper-linux-x86" >> $GITHUB_PATH
+      - name: Run build-wrapper
+        run: |
+          mkdir v8build
+          cd v8build
+          wget https://github.com/MultiChain/multichain-binaries/raw/master/linux-v8.tar.gz
+          tar -xf linux-v8.tar.gz
+          cd ..
+          sudo apt-get install -y software-properties-common
+          sudo apt-get install -y build-essential libtool autotools-dev automake pkg-config libssl-dev git
+          sudo apt-get -y install libdb++-dev
+          sudo apt-get -y install libboost-all-dev
+          ./autogen.sh
+          # configure: error: Found Berkeley DB other than 4.8, required for portable wallets (--with-incompatible-bdb to ignore or --disable-wallet to disable wallet functionality)
+          ./configure --with-incompatible-bdb
+          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make          
+      - name: Run sonar-scanner
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          sonar-scanner --define sonar.host.url="${{ env.SONAR_SERVER_URL }}" --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"

README.md

@@ -1,6 +1,9 @@
 MultiChain
 ==========
 
+[![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=cetic_multichain&metric=security_rating)](https://sonarcloud.io/summary/new_code?id=cetic_multichain)
+[![Vulnerabilities](https://sonarcloud.io/api/project_badges/measure?project=cetic_multichain&metric=vulnerabilities)](https://sonarcloud.io/summary/new_code?id=cetic_multichain)
+
 [MultiChain](http://www.multichain.com/) is an open source platform for private blockchains, which offers a rich set of features including extensive configurability, rapid deployment, permissions management, native assets and data streams. Although it is designed to enable private blockchains, MultiChain provides maximal compatibility with the bitcoin ecosystem, including the peer-to-peer protocol, transaction/block formats and [Bitcoin Core](https://bitcoin.org/en/bitcoin-core/) APIs/runtime parameters.
 
     Copyright (c) 2014-2019 Coin Sciences Ltd

security/README.md

@@ -0,0 +1,36 @@
+# Security
+
+## 1. SonarCloud - Static Code Analysis
+
+A [SonarCloud](https://sonarcloud.io/) analysis has been run against a fork of the [MultiChain](https://github.com/MultiChain/multichain) repo inside a [Github Action](/.github/workflows/main.yml).
+
+![Sonarcloud - Summary](img/sonar_summary.png)
+
+### 1.1. Vulnerabilities
+
+The scan identified 1 vulnerability occuring 3 times in [src/wallet/crypter.cpp](/src/wallet/crypter.cpp), [RSPEC-5542](https://rules.sonarsource.com/c/RSPEC-5542)
+
+![SonarCloud - Vulnerabilities](img/sonar_vulnerabilities.png)
+
+### 1.2. Security Hotspots
+
+The security review identified 451 security hotspots:
+
+#### "High" in the "Buffer Overflow" category:
+
+* [cpp:S5801](https://sonarcloud.io/organizations/cetic/rules?open=cpp%3AS5801&rule_key=cpp%3AS5801): Using "strcpy" or "wcscpy" is security-sensitive
+* [cpp:S5816](https://sonarcloud.io/organizations/cetic/rules?open=cpp%3AS5816&rule_key=cpp%3AS5816): Using "strncpy" or "wcsncpy" is security-sensitive
+* [cpp:S6069](https://sonarcloud.io/organizations/cetic/rules?open=cpp%3AS6069&rule_key=cpp%3AS6069): "sprintf" should not be used
+* [cpp:S5813](https://sonarcloud.io/organizations/cetic/rules?open=cpp%3AS5813&rule_key=cpp%3AS5813): Using "strlen" or "wcslen" is security-sensitive
+
+![SonarCloud - Security hotspots](img/sonar_securityhotspot.png)
+
+#### "Medium" - Permissions:
+![SonarCloud - Security hotspots](img/sonar_securityhotspot_med_perms.png)
+
+
+#### "Medium" - Weak Cryptography:
+![SonarCloud - Security hotspots](img/sonar_securityhotspot_med.png)
+
+
+Full results are available at https://sonarcloud.io/project/configuration?id=cetic_multichain&analysisMode=GitHubActions 

sonar-project.properties

@@ -0,0 +1,12 @@
+sonar.projectKey=cetic_multichain
+sonar.organization=cetic
+
+# This is the name and version displayed in the SonarCloud UI.
+#sonar.projectName=multichain
+#sonar.projectVersion=1.0
+
+# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
+#sonar.sources=.
+
+# Encoding of the source code. Default is default system encoding
+#sonar.sourceEncoding=UTF-8