From 1837f46080f4403ebe8bc85c3b1bb9cd1f1ab2d5 Mon Sep 17 00:00:00 2001 From: Chaminda Divitotawela Date: Fri, 14 Jun 2024 10:06:40 +1000 Subject: [PATCH 1/5] fix: pin github actions (#7228) Repository follow standard to use git hash to pin the GitHub actions. Updated the container security scan workflow actions with their git hashes Signed-off-by: Chaminda Divitotawela --- .github/workflows/container-security-scan.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/container-security-scan.yml b/.github/workflows/container-security-scan.yml index e88689a06db..85065c828cc 100644 --- a/.github/workflows/container-security-scan.yml +++ b/.github/workflows/container-security-scan.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # Shell parameter expansion does not support directly on a step # Adding a separate step to set the image tag. This allows running @@ -31,7 +31,7 @@ jobs: - name: Vulnerability scanner id: trivy - uses: aquasecurity/trivy-action@0.22.0 + uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d with: image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }} format: sarif @@ -39,6 +39,6 @@ jobs: # Check the vulnerabilities via GitHub security tab - name: Upload results - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 with: sarif_file: 'trivy-results.sarif' From ad98f6d6edebaf2b6d464a9ee7977ad0ce20fba2 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Fri, 14 Jun 2024 14:11:28 +1000 Subject: [PATCH 2/5] Changelog download links for 24.6.0 release and next release changelog (#7230) Signed-off-by: Jason Frame --- CHANGELOG.md | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cae8bb60b2..3724ed84a43 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
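Review bot: The three `uses:` lines now pinned to bare commit SHAs (checkout, trivy-action, upload-sarif) carry no human-readable version, so a reader cannot tell which release each hash corresponds to, and the removed lines only show the floating refs `v4`, `0.22.0` and `v3` they were resolved from. Record the exact release tag each SHA was taken from as a trailing comment, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # <release tag>`; dependency-update bots typically keep such a comment in sync when they bump the pin, and reviewers can verify the hash against the upstream tag. The same applies to the other two hunks of this file section (trivy-action and upload-sarif).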
@@ -1,5 +1,21 @@ # Changelog +## Next Release + +### Breaking Changes + +### Additions and Improvements +- Support for eth_maxPriorityFeePerGas [#5658](https://github.com/hyperledger/besu/issues/5658) +- Improve genesis state performance at startup [#6977](https://github.com/hyperledger/besu/pull/6977) +- Enable continuous profiling with default setting [#7006](https://github.com/hyperledger/besu/pull/7006) +- A full and up to date implementation of EOF for Prague [#7169](https://github.com/hyperledger/besu/pull/7169) +- Add Subnet-Based Peer Permissions. [#7168](https://github.com/hyperledger/besu/pull/7168) +- Reduce lock contention on transaction pool when building a block [#7180](https://github.com/hyperledger/besu/pull/7180) + +### Bug fixes +- Validation errors ignored in accounts-allowlist and empty list [#7138](https://github.com/hyperledger/besu/issues/7138) +- Fix "Invalid block detected" for BFT chains using Bonsai DB [#7204](https://github.com/hyperledger/besu/pull/7204) + ## 24.6.0 ### Breaking Changes 
@@ -13,26 +29,22 @@ - PKI-backed QBFT will be removed in a future version of Besu. Other forms of QBFT will remain unchanged. - --Xbonsai-limit-trie-logs-enabled is deprecated, use --bonsai-limit-trie-logs-enabled instead - --Xbonsai-trie-logs-pruning-window-size is deprecated, use --bonsai-trie-logs-pruning-window-size instead -- Receipt compaction will be enabled by default in a future version of Besu. After this change it will not be possible to downgrade to the previous Besu version. ### Additions and Improvements - Add two counters to DefaultBlockchain in order to be able to calculate TPS and Mgas/s [#7105](https://github.com/hyperledger/besu/pull/7105) -- Improve genesis state performance at startup [#6977](https://github.com/hyperledger/besu/pull/6977) - Enable --Xbonsai-limit-trie-logs-enabled by default, unless sync-mode=FULL [#7181](https://github.com/hyperledger/besu/pull/7181) - Promote experimental --Xbonsai-limit-trie-logs-enabled to production-ready, --bonsai-limit-trie-logs-enabled [#7192](https://github.com/hyperledger/besu/pull/7192) - Promote experimental --Xbonsai-trie-logs-pruning-window-size to production-ready, --bonsai-trie-logs-pruning-window-size [#7192](https://github.com/hyperledger/besu/pull/7192) - `admin_nodeInfo` JSON/RPC call returns the currently active EVM version [#7127](https://github.com/hyperledger/besu/pull/7127) - Improve the selection of the most profitable built block [#7174](https://github.com/hyperledger/besu/pull/7174) -- Support for eth_maxPriorityFeePerGas [#5658](https://github.com/hyperledger/besu/issues/5658) -- Enable continuous profiling with default setting [#7006](https://github.com/hyperledger/besu/pull/7006) -- A full and up to date implementation of EOF for Prague [#7169](https://github.com/hyperledger/besu/pull/7169) -- Add Subnet-Based Peer Permissions. 
[#7168](https://github.com/hyperledger/besu/pull/7168) -- Reduce lock contention on transaction pool when building a block [#7180](https://github.com/hyperledger/besu/pull/7180) ### Bug fixes - Make `eth_gasPrice` aware of the base fee market [#7102](https://github.com/hyperledger/besu/pull/7102) -- Validation errors ignored in accounts-allowlist and empty list [#7138](https://github.com/hyperledger/besu/issues/7138) -- Fix "Invalid block detected" for BFT chains using Bonsai DB [#7204](https://github.com/hyperledger/besu/pull/7204) + +### Download Links +https://github.com/hyperledger/besu/releases/tag/24.6.0 +https://github.com/hyperledger/besu/releases/download/24.6.0/besu-24.6.0.tar.gz / sha256 fa86e5c6873718cd568e3326151ce06957a5e7546b52df79a831ea9e39b857ab +https://github.com/hyperledger/besu/releases/download/24.6.0/besu-24.6.0.zip / sha256 8b2d3a674cd7ead68b9ca68fea21e46d5ec9b278bbadc73f8c13c6a1e1bc0e4d ## 24.5.2 From 529bd336fcf0a9f6c9b7c8d5dc9a698b2e4c40ab Mon Sep 17 00:00:00 2001 From: Chaminda Divitotawela Date: Fri, 14 Jun 2024 23:06:47 +1000 Subject: [PATCH 3/5] fix: update artifacts hash on release page (#7231) Release workflow publish step was missing the depepndency of artifacts jobs. Due to this reason it could not collect the artifact hashes from the artifacts job. This was introduced in the release workflow consolidation Signed-off-by: Chaminda Divitotawela --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 496691293dc..b1f8fb2fc5e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -79,7 +79,7 @@ jobs: publish: runs-on: ubuntu-22.04 - needs: [testWindows] + needs: [testWindows, artifacts] permissions: contents: write steps: From db9710b2aafde17ea850cde88c97779f66102eec Mon Sep 17 00:00:00 2001 
From: Danno Ferrin Date: Sun, 16 Jun 2024 01:43:51 -0600 Subject: [PATCH 4/5] check initcode size earlier (#7233) Fail earlier with the initcode size check Signed-off-by: Danno Ferrin --- .../besu/evm/operation/AbstractCreateOperation.java | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/evm/src/main/java/org/hyperledger/besu/evm/operation/AbstractCreateOperation.java b/evm/src/main/java/org/hyperledger/besu/evm/operation/AbstractCreateOperation.java index a484f28ceb6..180eac27993 100644 --- a/evm/src/main/java/org/hyperledger/besu/evm/operation/AbstractCreateOperation.java +++ b/evm/src/main/java/org/hyperledger/besu/evm/operation/AbstractCreateOperation.java @@ -104,6 +104,11 @@ public OperationResult execute(final MessageFrame frame, final EVM evm) { Code code = codeSupplier.get(); + if (code != null && code.getSize() > maxInitcodeSize) { + frame.popStackItems(getStackItemsConsumed()); + return new OperationResult(cost, ExceptionalHaltReason.CODE_TOO_LARGE); + } + if (value.compareTo(account.getBalance()) > 0 || frame.getDepth() >= 1024 || account.getNonce() == -1 @@ -113,14 +118,9 @@ public OperationResult execute(final MessageFrame frame, final EVM evm) { } else { account.incrementNonce(); - if (code.getSize() > maxInitcodeSize) { - frame.popStackItems(getStackItemsConsumed()); - return new OperationResult(cost, ExceptionalHaltReason.CODE_TOO_LARGE); - } if (!code.isValid()) { fail(frame); } else { - frame.decrementRemainingGas(cost); spawnChildMessage(frame, code, evm); frame.incrementRemainingGas(cost); From aef938964d0fc421517547cd58482ca53f94b8b8 Mon Sep 17 00:00:00 2001 
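Review bot: The new early-exit guards on `code != null` before `code.getSize()`, but the `code.isValid()` call that survives in the next hunk of this patch is still unguarded, so if `codeSupplier.get()` can actually return null the method will still throw there; either the null test is dead and should be dropped, or the null case needs explicit handling, for example `if (code == null) { fail(frame); return new OperationResult(cost, null); }` (the exact result to return depends on the contract of `codeSupplier`, which is not visible here). The enclosing `execute` method starts before this hunk and ends after the following one. One further point worth confirming, in that following hunk (whose end is outside this view): `frame.decrementRemainingGas(cost)` is removed while `frame.incrementRemainingGas(cost)` after `spawnChildMessage` is kept, so unless `cost` is already debited before the lines shown, the child message appears to be sized from gas that still includes the CREATE cost and the increment then credits it a second time; a gas-accounting test around CREATE/CREATE2 would settle this.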
From: Chaminda Divitotawela Date: Tue, 18 Jun 2024 11:42:50 +1000 Subject: [PATCH 5/5] fix: workflow permission to upload trivy sarif report (#7234) Trivy scan result upload to GitHub fails due to permission issue. Added permission security-events=write to the workflow file as a fix. Since workflow permission explicitly defined, it requires contents=read explicity set as well Signed-off-by: Chaminda Divitotawela --- .github/workflows/container-security-scan.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/container-security-scan.yml b/.github/workflows/container-security-scan.yml index 85065c828cc..f945d13220d 100644 --- a/.github/workflows/container-security-scan.yml +++ b/.github/workflows/container-security-scan.yml @@ -14,6 +14,9 @@ on: jobs: scan-sarif: runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - name: Checkout