Merge pull request #37 from cosmos/helper

Support Textual Mode & improvements

.github/workflows/check_version.yml

@@ -3,6 +3,9 @@ name: Verify PRs to main
 on:
   workflow_dispatch:
   pull_request:
+    paths:
+      - app/**
+      - deps/**
     branches:
       - main
       - develop

.github/workflows/guidelines_enforcer.yml

@@ -21,5 +21,3 @@ jobs:
   guidelines_enforcer:
     name: Call Ledger guidelines_enforcer
     uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_guidelines_enforcer.yml@v1
-    with:
-      relative_app_directory: 'app'

.github/workflows/sonarcloud.yml

@@ -0,0 +1,57 @@
+name: Sonarcloud
+
+on:
+  push:
+    branches:
+      - disable
+  pull_request:
+    branches:
+      - disable
+    types: [opened, synchronize, reopened]
+
+jobs:
+  build:
+    name: SonarQube analyze
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder@sha256:877adc3ff619222aaf03a490d546ea9001f02faa0c6ac7c06c876c99584f9cdb
+    env:
+      SONAR_SCANNER_VERSION: 4.7.0.2747
+      SONAR_SERVER_URL: "https://sonarcloud.io"
+      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true      
+      - name: Set up JDK 11
+        uses: actions/setup-java@v1
+        with:
+          java-version: 11
+      - name: Download and set up sonar-scanner
+        env:
+          SONAR_SCANNER_DOWNLOAD_URL: https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${{ env.SONAR_SCANNER_VERSION }}-linux.zip
+        run: |
+          apt-get update -y
+          apt-get upgrade -y
+          curl -sL https://deb.nodesource.com/setup_16.x | bash -
+          apt-get install -y gcovr nodejs unzip
+          mkdir -p $HOME/.sonar
+          curl -sSLo $HOME/.sonar/sonar-scanner.zip ${{ env.SONAR_SCANNER_DOWNLOAD_URL }}
+          unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
+          echo "$HOME/.sonar/sonar-scanner-${{ env.SONAR_SCANNER_VERSION }}-linux/bin" >> $GITHUB_PATH
+      - name: Download and set up build-wrapper
+        env:
+          BUILD_WRAPPER_DOWNLOAD_URL: ${{ env.SONAR_SERVER_URL }}/static/cpp/build-wrapper-linux-x86.zip
+        run: |
+          curl -sSLo $HOME/.sonar/build-wrapper-linux-x86.zip ${{ env.BUILD_WRAPPER_DOWNLOAD_URL }}
+          unzip -o $HOME/.sonar/build-wrapper-linux-x86.zip -d $HOME/.sonar/
+          echo "$HOME/.sonar/build-wrapper-linux-x86" >> $GITHUB_PATH
+      - name: Run build-wrapper
+        run: |
+          build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} make clean all
+      - name: Run sonar-scanner
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        run: |
+          sonar-scanner --define sonar.host.url="${{ env.SONAR_SERVER_URL }}" --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"

.gitignore

@@ -82,6 +82,7 @@ cmake-build-fuzz/
 !\deps/nanox-secure-sdk
 !\deps/ledger-zxlib
 !\deps/tinycbor
+!\deps/tinycbor-ledger
 !\deps/BLAKE
 
 app/src/glyphs.c

.sonarcloud.properties

@@ -0,0 +1,17 @@
+# Path to sources
+# sonar.sources=
+# sonar.exclusions=
+# sonar.inclusions=
+
+# Path to tests
+# sonar.tests=
+# sonar.test.exclusions=
+# sonar.test.inclusions=
+
+# Source encoding
+# sonar.sourceEncoding=
+
+# Exclusions for copy-paste detection
+# sonar.cpd.exclusions=
+# Python version (for python projects only)
+# sonar.python.version=

CMakeLists.txt

@@ -81,7 +81,11 @@ string(APPEND CMAKE_LINKER_FLAGS " -fsanitize=address -fno-omit-frame-pointer")
 ##############################################################
 #  static libs
 file(GLOB_RECURSE JSMN_SRC
-        deps/jsmn/src/jsmn.c
+        ${CMAKE_CURRENT_SOURCE_DIR}/deps/jsmn/src/jsmn.c
+        )
+file(GLOB_RECURSE TINYCBOR_SRC
+        ${CMAKE_CURRENT_SOURCE_DIR}/deps/tinycbor/src/cborparser.c
+        ${CMAKE_CURRENT_SOURCE_DIR}/deps/tinycbor/src/cborvalidation.c
         )
 
 file(GLOB_RECURSE LIB_SRC
@@ -98,6 +102,7 @@ file(GLOB_RECURSE LIB_SRC
         ${CMAKE_CURRENT_SOURCE_DIR}/app/src/formatting.c
         ${CMAKE_CURRENT_SOURCE_DIR}/app/src/parser_impl.c
         ${CMAKE_CURRENT_SOURCE_DIR}/app/src/json/json_parser.c
+        ${CMAKE_CURRENT_SOURCE_DIR}/app/src/cbor/cbor_parser_helper.c
         ${CMAKE_CURRENT_SOURCE_DIR}/app/src/tx_parser.c
         ${CMAKE_CURRENT_SOURCE_DIR}/app/src/tx_display.c
         ${CMAKE_CURRENT_SOURCE_DIR}/app/src/tx_validate.c
@@ -107,6 +112,7 @@ file(GLOB_RECURSE LIB_SRC
 add_library(app_lib STATIC
         ${LIB_SRC}
         ${JSMN_SRC}
+        ${TINYCBOR_SRC}
         )
 
 target_include_directories(app_lib PUBLIC
@@ -115,7 +121,8 @@ target_include_directories(app_lib PUBLIC
         ${CMAKE_CURRENT_SOURCE_DIR}/app/src
         ${CMAKE_CURRENT_SOURCE_DIR}/app/src/common
         ${CMAKE_CURRENT_SOURCE_DIR}/deps/ledger-zxlib/app/common
-        ${CMAKE_CURRENT_SOURCE_DIR}/deps/tinykeccak
+        ${CMAKE_CURRENT_SOURCE_DIR}/deps/tinycbor/src
+        ${CMAKE_CURRENT_SOURCE_DIR}/deps/tinykeccak/
         )
 
 target_link_libraries(app_lib PUBLIC)
@@ -133,6 +140,7 @@ target_include_directories(unittests PRIVATE
         ${CONAN_INCLUDE_DIRS_FMT}
         ${CONAN_INCLUDE_DIRS_JSONCPP}
         ${CMAKE_CURRENT_SOURCE_DIR}/deps/jsmn/src
+        ${CMAKE_CURRENT_SOURCE_DIR}/deps/tinycbor/src
         )
 
 target_link_libraries(unittests PRIVATE
@@ -143,6 +151,7 @@ target_link_libraries(unittests PRIVATE
 
 add_compile_definitions(TESTVECTORS_DIR="${CMAKE_CURRENT_SOURCE_DIR}/tests/")
 add_compile_definitions(APP_TESTING=1)
+add_compile_definitions(COMPILE_TEXTUAL=1)
 add_test(unittests ${CMAKE_RUNTIME_OUTPUT_DIRECTORY}/unittests)
 set_tests_properties(unittests PROPERTIES WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/tests)
 

README.md

@@ -4,15 +4,18 @@
 
 ---
 
-![zondax](docs/zondax.jpg)
+![zondax_light](docs/zondax_light.png#gh-light-mode-only)
+![zondax_dark](docs/zondax_dark.png#gh-dark-mode-only)
 
 _Please visit our website at [zondax.ch](zondax.ch)_
 
+You can also visit [Zondax Hub](https://hub.zondax.ch/cosmos) to test any of the versions of the app
+
 ---
 
-This project contains the Cosmos app for Ledger Nano S and X.
+This project contains the Cosmos app for Ledger Nano S, Nano S+, X and Stax.
 
-- Ledger Nano S/X Cosmos app
+- Ledger Nano S/S+/X/Stax Cosmos app
 - Specs / Documentation
 - C++ unit tests
 - Zemu tests
@@ -202,5 +205,8 @@ The Makefile will build the firmware in a docker container and leave the binary
 
 ## APDU Specifications
 
+### DISCLAIMER
+Ledger NanoS does not support Cosmos Textual Mode due to memory restriction
+
 - [APDU Protocol](docs/APDUSPEC.md)
 - [Transaction format](docs/TXSPEC.md)

SECURITY.md

@@ -0,0 +1,79 @@
+# Coordinated Vulnerability Disclosure Policy
+
+The Cosmos ecosystem believes that strong security is a blend of highly
+technical security researchers who care about security and the forward
+progression of the ecosystem and the attentiveness and openness of Cosmos core
+contributors to help continually secure our operations.
+
+> **IMPORTANT**: *DO NOT* open public issues on this repository for security
+> vulnerabilities.
+
+## Scope
+
+| Scope                 |
+|-----------------------|
+| last release (tagged) |
+| main branch           |
+
+The latest **release tag** of this repository is supported for security updates
+as well as the **main** branch. Security vulnerabilities should be reported if
+the vulnerability can be reproduced on either one of those.
+
+## Reporting a Vulnerability
+
+| Reporting methods                                             |
+|---------------------------------------------------------------|
+| [GitHub Private Vulnerability Reporting][gh-private-advisory] |
+| [HackerOne bug bounty program][h1]                            |
+
+All security vulnerabilities can be reported under GitHub's [Private
+vulnerability reporting][gh-private-advisory] system. This will open a private
+issue for the developers. Try to fill in as much of the questions as possible.
+If you are not familiar with the CVSS system for assessing vulnerabilities, just
+use the Low/High/Critical severity ratings. A partially filled in report for a
+critical vulnerability is still better than no report at all.
+
+Vulnerabilities associated with the **Go, Rust or Protobuf code** of the
+repository may be eligible for a [bug bounty][h1]. Please see the bug bounty
+page for more details on submissions and rewards. If you think the vulnerability
+is eligible for a payout, **report on HackerOne first**.
+
+Vulnerabilities in services and their source codes (JavaScript, web page, Google
+Workspace) are not in scope for the bug bounty program, but they are welcome to
+be reported in GitHub.
+
+### Guidelines
+
+We require that all researchers:
+
+* Abide by this policy to disclose vulnerabilities, and avoid posting
+  vulnerability information in public places, including GitHub, Discord,
+  Telegram, and Twitter.
+* Make every effort to avoid privacy violations, degradation of user experience,
+  disruption to production systems (including but not limited to the Cosmos
+  Hub), and destruction of data.
+* Keep any information about vulnerabilities that you’ve discovered confidential
+  between yourself and the Cosmos engineering team until the issue has been
+  resolved and disclosed.
+* Avoid posting personally identifiable information, privately or publicly.
+
+If you follow these guidelines when reporting an issue to us, we commit to:
+
+* Not pursue or support any legal action related to your research on this
+  vulnerability
+* Work with you to understand, resolve and ultimately disclose the issue in a
+  timely fashion
+
+### More information
+
+* See [TIMELINE.md] for an example timeline of a disclosure.
+* See [DISCLOSURE.md] to see more into the inner workings of the disclosure
+  process.
+* See [EXAMPLES.md] for some of the examples that we are interested in for the
+  bug bounty program.
+
+[gh-private-advisory]: /../../security/advisories/new
+[h1]: https://hackerone.com/cosmos
+[TIMELINE.md]: https://github.com/cosmos/security/blob/main/TIMELINE.md
+[DISCLOSURE.md]: https://github.com/cosmos/security/blob/main/DISCLOSURE.md
+[EXAMPLES.md]: https://github.com/cosmos/security/blob/main/EXAMPLES.md

app/Makefile

@@ -54,21 +54,25 @@ APP_LOAD_PARAMS = --curve secp256k1 $(COMMON_LOAD_PARAMS) --path $(APPPATH)
 
 include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.devices
 
-# On zxlib v19.7.1, Makefile.devices will set a default value for APP_STACK_SIZE
-# to follow the most recent nanos-secure-sdk rules we will clean APP_STACK_SIZE value
-# and set a minimum value
-APP_STACK_SIZE :=
-APP_STACK_MIN_SIZE := 1444
-
 $(info TARGET_NAME  = [$(TARGET_NAME)])
 $(info ICONNAME  = [$(ICONNAME)])
 
 ifndef ICONNAME
 $(error ICONNAME is not set)
 endif
 
-include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.platform
+# Compile textual mode for all devices excetpt Nano S, 
+# and define a Min stack size for Nano S with some margin
+# to get an error if app grows too much
+ifneq ($(TARGET_NAME),TARGET_NANOS)
+    DEFINES += COMPILE_TEXTUAL
+endif
 
+APP_STACK_MIN_SIZE := 1600
+
+include $(CURDIR)/../deps/ledger-zxlib/makefiles/Makefile.platform
+CFLAGS += -I$(MY_DIR)/../deps/tinycbor/src
+APP_SOURCE_PATH += $(MY_DIR)/../deps/tinycbor-ledger
 APP_SOURCE_PATH += $(MY_DIR)/../deps/jsmn/src
 
 .PHONY: rust

app/Makefile.version

@@ -1,6 +1,6 @@
 # This is the `transaction_version` field of `Runtime`
 APPVERSION_M=2
 # This is the `spec_version` field of `Runtime`
-APPVERSION_N=34
+APPVERSION_N=35
 # This is the patch version of this release
-APPVERSION_P=14
+APPVERSION_P=19