OWASP Dependency Checker has been updated so that it can be configured to automatically fail a build when a vulnerable dependency is detected. This option is exposed through gradle settings, so that a build can be configured in TeamCity to pass/fail. This change is backward-compatible - i.e. it does not affect a build by default unless configured to do so.
Ability to fail a build is exposed by the new owasp.failBuildOnCVSS gradle property
By default this is set to '11.0' which will always pass a build even if a vulnerability is found (so will not affect anything by default)
Reduce the CVSS level between 0-10 to indicate what level to fail a build on
Example usage to catch Medium severity (and above) issues:
Configure gradle with the option -Powasp.failBuildOnCVSS=4
Temporally treating META-INF/INDEX.LIST as unsignable entry because java.util.jar.JarVerifier doesn't load its signers. https://r3-cev.atlassian.net/browse/CORDA-2177 for further investigation.
* Switch to directory per test and suppress deletion exception on windows
to deal with the fact that NTFS keeps files locked to the running process
once opened.
* Closing files when we're done makes all the file locking issues go away.
* Introduce public subset of config to tweak config via mock net work without exposing internal node config.
* Removal of functions exposing (internal) NodeConfiguration from the public test API
* Code review fixes
* Blank lines removed
* Documented mock network API change in upgrade notes.
* Updated documentation and API doc.
* More documentation/API doc
- Make issuableCurrencies config optional
- Allow additionalCordapps to override cordappsForAllNodes
In driver DSL when passing additionalCordapps to startNode and
one of the CordApps is also in cordappsForAllNodes will lead to confilc.
This commit is resolving the conflict by using the CordApp provided
by additionalCordapps
* Migrated all non-BFT notary implementations to use async commits.
* Mock network: await for async operation completion. When calling runNetwork()
it keeps "pumping" messages between participants until no more messages are generated.
The problem comes in when a flow suspends on an async operation: the mock network
thinks the flow finished the work for the current step, and since no more messages
are generated, completes the runNetwork() function. The message that the flow
generates once it resumes after async operation completion never gets processed.
This change makes runNetwork() wait until all flow async operations finish,
and only then check whether no more messages can be transferred.
Note about database considerations regarding Cordapp compatibility between OS and ENT.
Remove database configuration "schema" as this is not implemented in OS, it was already mentioned as ignored for SQL server.
* CORDA-2112 Update the `uploader` field upon Node startup for CorDapps where an Attachment is already in a nodes attachment store (from an untrusted source).
* Removed incorrect assertion.
* Fix broken unit test.
* Reverted back throw FileAlreadyExistsException API semantics on public API.
* De-duplicate DuplicateAttachmentException
* Revert original Exception handling logic.
* Remove most contentious bit of mutex in the codebase
Fix up SerializerFactory
Make getSerializerFactory() non-blocking
Workaround for DJVM issues
* Some clean up and also de-contend the RPC client.
* Fix up attachment class loader code.
* Bug fix
By default Cordaps build by corda-gradle-plugins are signed by Corda development key.
In dev mode any key can be used to sign Cordapp JAR .
In production node Corda dev keys were forbidden. This code change allows to opt-out by setting node option cordappSignerKeyFingerprintBlacklist=[] or specify more public keys to blacklist.
The option is used in production only mode.
* Don't transform java.Object[] to sandbox.Object[] because an array is still java.Object inside the sandbox.
* Add extra test for sandboxing an array of int[].
* Ensure hashCode() is deterministic for Java arrays.
* Remove some information about DJVM from some exception stack traces.