From aa0963bc766235fd5ad3f52e96815bce17dc1296 Mon Sep 17 00:00:00 2001
From: Adel El-Beik <adel.el-beik@r3.com>
Date: Thu, 16 Jun 2022 18:01:32 +0100
Subject: [PATCH 01/12] ENT-6858: In our Corda BC provider add support for
 Signature.Ed25519 using our own X509EdDSAEngine. Needed so that we can
 upgrade BC in ENT.

---
 .../main/kotlin/net/corda/core/crypto/internal/ProviderMap.kt    | 1 +
 1 file changed, 1 insertion(+)

diff --git a/core/src/main/kotlin/net/corda/core/crypto/internal/ProviderMap.kt b/core/src/main/kotlin/net/corda/core/crypto/internal/ProviderMap.kt
index 0523b00cba..7133ea82fd 100644
--- a/core/src/main/kotlin/net/corda/core/crypto/internal/ProviderMap.kt
+++ b/core/src/main/kotlin/net/corda/core/crypto/internal/ProviderMap.kt
@@ -33,6 +33,7 @@ val cordaBouncyCastleProvider = BouncyCastleProvider().apply {
     putAll(EdDSASecurityProvider())
     // Override the normal EdDSA engine with one which can handle X509 keys.
     put("Signature.${EdDSAEngine.SIGNATURE_ALGORITHM}", X509EdDSAEngine::class.java.name)
+    put("Signature.Ed25519", X509EdDSAEngine::class.java.name)
     addKeyInfoConverter(`id-Curve25519ph`, object : AsymmetricKeyInfoConverter {
         override fun generatePublic(keyInfo: SubjectPublicKeyInfo) = decodePublicKey(EDDSA_ED25519_SHA512, keyInfo.encoded)
         override fun generatePrivate(keyInfo: PrivateKeyInfo) = decodePrivateKey(EDDSA_ED25519_SHA512, keyInfo.encoded)

From 872a81617ae69d68b4b35dc6861b3b23a5f83718 Mon Sep 17 00:00:00 2001
From: Adel El-Beik <adel.el-beik@r3.com>
Date: Wed, 22 Jun 2022 14:35:54 +0100
Subject: [PATCH 02/12] ENT-6858: Updated bouncy castle to 1.68 to match 4.5.

---
 constants.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/constants.properties b/constants.properties
index 2ed3714aec..b762c75822 100644
--- a/constants.properties
+++ b/constants.properties
@@ -20,7 +20,7 @@ quasarClassifier=jdk8
 quasarVersion11=0.8.0_r3
 jdkClassifier11=jdk11
 proguardVersion=6.1.1
-bouncycastleVersion=1.66
+bouncycastleVersion=1.68
 classgraphVersion=4.8.78
 disruptorVersion=3.4.2
 typesafeConfigVersion=1.3.4

From 000019b65cd98d358d51681899f7711756d1ac07 Mon Sep 17 00:00:00 2001
From: Adel El-Beik <adel.el-beik@r3.com>
Date: Tue, 28 Jun 2022 10:48:27 +0100
Subject: [PATCH 03/12] ENT-6865: Bumped quasar version for compatibility with
 ENT.

---
 constants.properties | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/constants.properties b/constants.properties
index b762c75822..9172f545a1 100644
--- a/constants.properties
+++ b/constants.properties
@@ -14,8 +14,7 @@ java8MinUpdateVersion=171
 platformVersion=6
 guavaVersion=28.0-jre
 # Quasar version to use with Java 8:
-quasarVersion=0.7.12_r3
-quasarClassifier=jdk8
+quasarVersion=0.7.15_r3
 # Quasar version to use with Java 11:
 quasarVersion11=0.8.0_r3
 jdkClassifier11=jdk11

From d669d39e6401040d8ce0bc8ee0c5d5a1353fa576 Mon Sep 17 00:00:00 2001
From: ronanbrowne88 <ronan.browne@r3.com>
Date: Sun, 10 Jul 2022 19:33:37 +0100
Subject: [PATCH 04/12] INFRA-1805 add snyk scanning to corda os 4.4

---
 .ci/dev/regression/Jenkinsfile | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index 75e6782014..e2c4a4b6ca 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -81,6 +81,7 @@ pipeline {
         CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}"
         DOCKER_URL = "https://index.docker.io/v1/"
         EMAIL_RECIPIENTS = credentials('corda4-email-recipient')
+        SNYK_API_KEY = "c4-os-snyk"
     }
 
     stages {
@@ -189,6 +190,15 @@ pipeline {
             }
         }
 
+        stage('Snyk Security') {
+            when {
+                expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
+            }
+            steps {
+                snykSecurityScan("${env.SNYK_API_KEY}", "--all-sub-projects --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+            }
+        }
+
         stage('All Tests') {
             when {
                 expression { params.DO_TEST }

From e35b755546e10dc070563f99faeafd826a312a2e Mon Sep 17 00:00:00 2001
From: ronanbrowne88 <ronan.browne@r3.com>
Date: Mon, 11 Jul 2022 22:01:25 +0100
Subject: [PATCH 05/12] CORE-4769 add snyk scan open source 4.4

---
 .ci/dev/regression/Jenkinsfile | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index e2c4a4b6ca..cdb3a5cc44 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -442,11 +442,17 @@ pipeline {
         success {
         	script {
         		sendSlackNotifications("good", "BUILD PASSED", false, "#corda-corda4-open-source-build-notifications")
+                if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
+                    snykSecurityScan.generateHtmlElements()
+                }
         	}
         }
         unstable {
         	script {
         		sendSlackNotifications("warning", "BUILD UNSTABLE - Unstable Builds are likely a result of Nexus Sonar Scanner violations", false, "#corda-corda4-open-source-build-notifications")
+                if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
+                    snykSecurityScan.generateHtmlElements()
+                }
         	}
         }
         failure {

From 6f32d3d36993e67b920cd3e124c22047e2fb8f0f Mon Sep 17 00:00:00 2001
From: Jan Szkaradek <js7656@gmail.com>
Date: Fri, 2 Sep 2022 13:17:53 +0100
Subject: [PATCH 06/12] added modules for snyk scanning (#7231)

---
 .ci/dev/regression/Jenkinsfile | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index cdb3a5cc44..20a3f4bd78 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -195,7 +195,13 @@ pipeline {
                 expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
             }
             steps {
-                snykSecurityScan("${env.SNYK_API_KEY}", "--all-sub-projects --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+                script {
+                    // Invoke Snyk for each Gradle sub project we wish to scan
+                    def modulesToScan = ['node', 'capsule', 'bridge', 'bridgecapsule']
+                    modulesToScan.each { module ->
+                        snykSecurityScan("${env.SNYK_API_KEY}", "--sub-project=$module --configuration-matching='^runtimeClasspath\$' --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
+                    }
+                }
             }
         }
 

From 5e10aa40c9d1a8f2132e1fcd7458c24511418abd Mon Sep 17 00:00:00 2001
From: Connel McGovern <connel.mcgovern@r3.com>
Date: Tue, 14 Mar 2023 11:37:44 +0000
Subject: [PATCH 07/12] INFRA-1957 - [C4 Automation] Enure snyk scans run
 nightly on C4 projects - Corda OS (Community)

---
 .ci/dev/nightly-regression/JenkinsfileSnykScan | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .ci/dev/nightly-regression/JenkinsfileSnykScan

diff --git a/.ci/dev/nightly-regression/JenkinsfileSnykScan b/.ci/dev/nightly-regression/JenkinsfileSnykScan
new file mode 100644
index 0000000000..2a2a4788b5
--- /dev/null
+++ b/.ci/dev/nightly-regression/JenkinsfileSnykScan
@@ -0,0 +1,7 @@
+@Library('corda-shared-build-pipeline-steps')
+
+cordaSnykScanPipeline (
+    snykTokenId: 'c4-os-snyk-api-token-secret',
+    // specify the Gradle submodules to scan and monitor on snyk Server
+    modulesToScan: ['node', 'capsule', 'bridge', 'bridgecapsule']
+)

From 9a4ea9c65285e303f4e7f8fa7be2089523216c19 Mon Sep 17 00:00:00 2001
From: Connel McGovern <connel.mcgovern@r3.com>
Date: Tue, 14 Mar 2023 11:41:20 +0000
Subject: [PATCH 08/12] INFRA-2038 - Remove Nexus dependency from C4 Community
 builds

---
 .ci/dev/regression/Jenkinsfile | 116 +--------------------------------
 1 file changed, 1 insertion(+), 115 deletions(-)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index 20a3f4bd78..ebd1be92e1 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -14,34 +14,6 @@ boolean isInternalRelease = (env.TAG_NAME =~ /^internal-release-.*$/)
 boolean isReleaseCandidate = (env.TAG_NAME =~ /^(release-.*(RC|HC).*(?<!_JDK11))$/)
 boolean isReleasePatch = (env.TAG_NAME =~ /^release.*([1-9]\d*|0)(\.([1-9]\d*|0)){2}$/)
 
-/*
-** calculate the stage for NexusIQ evaluation
-**  * build for snapshots
-**  * stage-release:  for release candidates and for health checks
-**  * release: for GA release
-*/
-def nexusDefaultIqStage = "build"
-if (isReleaseTag) {
-    switch (env.TAG_NAME) {
-        case ~/.*-RC\d+(-.*)?/: nexusDefaultIqStage = "stage-release"; break;
-        case ~/.*-HC\d+(-.*)?/: nexusDefaultIqStage = "stage-release"; break;
-        default: nexusDefaultIqStage = "release"
-    }
-}
-
-/**
- * make sure calculated default value of NexusIQ stage is first in the list
- * thus making it default for the `choice` parameter
- */
-def nexusIqStageChoices = [nexusDefaultIqStage].plus(
-                [
-                        'develop',
-                        'build',
-                        'stage-release',
-                        'release',
-                        'operate'
-                ].minus([nexusDefaultIqStage]))
-
 /**
  * Common Gradle arguments for all Gradle executions
  */
@@ -67,7 +39,6 @@ pipeline {
     }
 
     parameters {
-        choice choices: nexusIqStageChoices, description: 'NexusIQ stage for code evaluation', name: 'nexusIqStage'
         booleanParam defaultValue: true, description: 'Run tests during this build?', name: 'DO_TEST'
     }
 
@@ -104,91 +75,6 @@ pipeline {
                 stash name: 'compiled', useDefaultExcludes: false
             }
         }
-        stage('Sonatype Check') {
-            steps {
-                script {
-                    sh "./gradlew --no-daemon properties | grep -E '^(version|group):' >version-properties"
-                    /* every build related to Corda X.Y (GA, RC, HC, patch or snapshot) uses the same NexusIQ application */
-                    def version = sh (returnStdout: true, script: "grep ^version: version-properties | sed -e 's/^version: \\([0-9]\\+\\(\\.[0-9]\\+\\)\\+\\).*\$/\\1/'").trim()
-                    def groupId = sh (returnStdout: true, script: "grep ^group: version-properties | sed -e 's/^group: //'").trim()
-                    def artifactId = 'corda'
-                    nexusAppId = "${groupId}-${artifactId}-${version}"
-                }
-                nexusPolicyEvaluation (
-                        failBuildOnNetworkError: false,
-                        iqApplication: selectedApplication(nexusAppId), // application *has* to exist before a build starts!
-                        iqScanPatterns: [[scanPattern: 'node/capsule/build/libs/corda*.jar']],
-                        iqStage: params.nexusIqStage
-                )
-            }
-        }
-        stage('Generate Wiki Report') {
-            when {
-                expression { isReleaseTag && !isInternalRelease && !isReleaseCandidate }
-                beforeAgent true
-            }
-            agent {
-                docker {
-                    image 'nexusiq-sonatype-cli:latest'
-                    reuseNode true
-                    registryUrl 'https://engineering-docker.software.r3.com/'
-                    registryCredentialsId 'artifactory-credentials'
-                }
-            }
-            options {
-                retry(3)
-            }
-            environment {
-                NEXUS_APP_ID="${nexusAppId}"
-                NEXUS_APP_STAGE="${params.nexusIqStage}"
-                NEXUSIQ_CREDENTIALS = credentials('jenkins-nexusiq-credentials')
-            }
-            steps {
-                sh '''\
-                    rm -f wiki-report.md
-                    env NEXUSIQ_USERNAME="${NEXUSIQ_CREDENTIALS_USR}" \
-                        NEXUSIQ_PASSWORD="${NEXUSIQ_CREDENTIALS_PSW}" \
-                            /opt/app/wrapper wiki-report \
-                                --app "${NEXUS_APP_ID}" \
-                                --stage "${NEXUS_APP_STAGE}" >wiki-report.md
-                '''.stripIndent()
-                archiveArtifacts 'wiki-report.md'
-            }
-        }
-        stage('Generate Licence Report') {
-            when {
-                expression { isReleaseTag && !isInternalRelease && !isReleaseCandidate }
-                beforeAgent true
-            }
-            agent {
-                docker {
-                    image 'nexusiq-licence-report:latest'
-                    reuseNode true
-                    registryUrl 'https://engineering-docker.software.r3.com/'
-                    registryCredentialsId 'artifactory-credentials'
-                }
-            }
-            options {
-                retry(3)
-            }
-            environment {
-                NEXUS_APP_ID="${nexusAppId}"
-                NEXUS_APP_STAGE="${params.nexusIqStage}"
-                NEXUSIQ_CREDENTIALS = credentials('jenkins-nexusiq-credentials')
-            }
-            steps {
-                sh '''\
-                    rm -rf report
-                    env NEXUSIQ_USERNAME="${NEXUSIQ_CREDENTIALS_USR}" \
-                        NEXUSIQ_PASSWORD="${NEXUSIQ_CREDENTIALS_PSW}" \
-                            /opt/app/wrapper --write --outdir report \
-                                --force \
-                                --app "${NEXUS_APP_ID}" \
-                                --stage "${NEXUS_APP_STAGE}"
-                '''.stripIndent()
-                archiveArtifacts 'report/*.md'
-            }
-        }
 
         stage('Snyk Security') {
             when {
@@ -455,7 +341,7 @@ pipeline {
         }
         unstable {
         	script {
-        		sendSlackNotifications("warning", "BUILD UNSTABLE - Unstable Builds are likely a result of Nexus Sonar Scanner violations", false, "#corda-corda4-open-source-build-notifications")
+        		sendSlackNotifications("warning", "BUILD UNSTABLE", false, "#corda-corda4-open-source-build-notifications")
                 if (isReleaseTag || isReleaseCandidate || isReleaseBranch) {
                     snykSecurityScan.generateHtmlElements()
                 }

From 5c68bc89e27b6a23adeabd8f1aafcc5cfeba151f Mon Sep 17 00:00:00 2001
From: Connel McGovern <connel.mcgovern@r3.com>
Date: Tue, 14 Mar 2023 11:51:14 +0000
Subject: [PATCH 09/12] INFRA-2014 - Appy licence generation to C4 Community
 tag builds

---
 .ci/dev/regression/Jenkinsfile | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index ebd1be92e1..7115e783a7 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -52,7 +52,9 @@ pipeline {
         CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}"
         DOCKER_URL = "https://index.docker.io/v1/"
         EMAIL_RECIPIENTS = credentials('corda4-email-recipient')
-        SNYK_API_KEY = "c4-os-snyk"
+        SNYK_API_KEY = "c4-os-snyk" //Jenkins credential type: Snyk Api token
+        SNYK_API_TOKEN = credentials('c4-os-snyk-api-token-secret') //Jenkins credential type: Secret text
+        C4_OS_SNYK_ORG_ID = credentials('corda4-os-snyk-org-id')
     }
 
     stages {
@@ -91,6 +93,22 @@ pipeline {
             }
         }
 
+        stage('Generate Snyk License Report') {
+            when {
+                expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
+            }
+            steps {
+                snykLicenseGeneration(env.SNYK_API_TOKEN, env.C4_OS_SNYK_ORG_ID)
+            }
+            post {
+                always {
+                    script {
+                        archiveArtifacts artifacts: 'snyk-license-report/*-snyk-license-report.html', allowEmptyArchive: true, fingerprint: true
+                    }
+                }
+            }
+        }
+
         stage('All Tests') {
             when {
                 expression { params.DO_TEST }

From 3180962640ed9e6ff8802c07adf4b3e19caee4d6 Mon Sep 17 00:00:00 2001
From: Connel McGovern <connel.mcgovern@r3.com>
Date: Tue, 14 Mar 2023 11:52:55 +0000
Subject: [PATCH 10/12] INFRA-1919 - [C4 Automation] The output of the Git log
 between the RCs

---
 .ci/dev/regression/Jenkinsfile | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index 7115e783a7..7aa8aac1d0 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -5,6 +5,10 @@
  */
 @Library('corda-shared-build-pipeline-steps')
 
+import com.r3.build.utils.GitUtils
+
+GitUtils gitUtils = new GitUtils(this)
+
 /**
  * Sense environment
  */
@@ -295,6 +299,9 @@ pipeline {
     post {
         always {
             script {
+                if (gitUtils.isReleaseTag()) {
+                    gitUtils.getGitLog(env.TAG_NAME, env.GIT_URL.replace('https://github.com/corda/', ''), scm.userRemoteConfigs[0].credentialsId)
+                }
                 try {
                     if (params.DO_TEST) {
                         unstash 'allure-input'

From 81b694f40a364f42870f7033fc9539d05870962a Mon Sep 17 00:00:00 2001
From: Connel McGovern <connel.mcgovern@r3.com>
Date: Tue, 14 Mar 2023 11:53:46 +0000
Subject: [PATCH 11/12] INFRA-1804 - Use use latest AMI with snyk binaries

---
 .ci/dev/regression/Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index 7aa8aac1d0..4b2f5274a9 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -30,7 +30,7 @@ String COMMON_GRADLE_PARAMS = [
 ].join(' ')
 
 pipeline {
-    agent { label 'standard' }
+    agent { label 'standard-latest-ami' }
 
     /*
      * List options in alphabetical order

From 1dbd5147e5196afce2e0cd373356628d1bf02510 Mon Sep 17 00:00:00 2001
From: Connel McGovern <connel.mcgovern@r3.com>
Date: Tue, 14 Mar 2023 14:47:42 +0000
Subject: [PATCH 12/12] INFRA-1955: Remove duplicate 'Snyk Security' stage

---
 .ci/dev/regression/Jenkinsfile | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/.ci/dev/regression/Jenkinsfile b/.ci/dev/regression/Jenkinsfile
index 3b1f8e2062..5421c21225 100644
--- a/.ci/dev/regression/Jenkinsfile
+++ b/.ci/dev/regression/Jenkinsfile
@@ -113,21 +113,6 @@ pipeline {
             }
         }
 
-       stage('Snyk Security') {
-            when {
-                expression { isReleaseTag || isReleaseCandidate || isReleaseBranch }
-            }
-            steps {
-                script {
-                    // Invoke Snyk for each Gradle sub project we wish to scan
-                    def modulesToScan = ['node', 'capsule', 'bridge', 'bridgecapsule']
-                    modulesToScan.each { module ->
-                        snykSecurityScan("${env.SNYK_API_KEY}", "--sub-project=$module --configuration-matching='^runtimeClasspath\$' --prune-repeated-subdependencies --debug --target-reference='${env.BRANCH_NAME}' --project-tags=Branch='${env.BRANCH_NAME.replaceAll("[^0-9|a-z|A-Z]+","_")}'")
-                    }
-                }
-            }
-        }
-
         stage('All Tests') {
             when {
                 expression { params.DO_TEST }