Merge branch 'release/os/5.3' into merge-release/os/5.2-release/os/5.…

…3-2024-05-09-100

.ci/JenkinsApiCompatibility

@@ -1,5 +1,5 @@
 // Check corda-api compatibility with downstream consumers which implement CordApps
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaApiCompatibilityCheck(
  javaVersion: '17'

.ci/JenkinsfileSnykDelta

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 snykDelta(
  snykOrgId: 'corda5-snyk-org-id',

.ci/JenkinsfileSonarCloud

@@ -0,0 +1,74 @@
+@Library('[email protected]') _
+
+import com.r3.build.agents.KubernetesAgent
+import com.r3.build.enums.BuildEnvironment
+import com.r3.build.enums.KubernetesCluster
+import com.r3.build.BuildConstants
+import com.r3.build.utils.GitUtils
+import com.r3.build.utils.SnykUtils
+
+KubernetesAgent k8s = new KubernetesAgent(
+ BuildEnvironment.AMD64_LINUX_JAVA17,
+ KubernetesCluster.JenkinsAgents,
+ 1
+)
+
+GitUtils gitUtils = new GitUtils(this)
+SnykUtils snykUtils = new SnykUtils(this)
+
+pipeline {
+ agent {
+ kubernetes {
+ cloud k8s.buildCluster.cloudName
+ yaml k8s.JSON
+ yamlMergeStrategy merge() // important to keep tolerations from the inherited template
+ idleMinutes 15
+ podRetention always()
+ nodeSelector k8s.nodeSelector
+ label k8s.jenkinsLabel
+ showRawYaml true
+ defaultContainer k8s.defaultContainer.name
+ }
+ }
+
+ environment {
+ ARTIFACTORY_CREDENTIALS = credentials('artifactory-credentials')
+ CORDA_ARTIFACTORY_PASSWORD = "${env.ARTIFACTORY_CREDENTIALS_PSW}"
+ CORDA_ARTIFACTORY_USERNAME = "${env.ARTIFACTORY_CREDENTIALS_USR}"
+ BUILD_CACHE_CREDENTIALS = credentials('gradle-ent-cache-credentials')
+ BUILD_CACHE_PASSWORD = "${env.BUILD_CACHE_CREDENTIALS_PSW}"
+ BUILD_CACHE_USERNAME = "${env.BUILD_CACHE_CREDENTIALS_USR}"
+ CORDA_GRADLE_SCAN_KEY = credentials('gradle-build-scans-key')
+ GRADLE_USER_HOME = "/host_tmp/gradle"
+ SNYK_TOKEN = credentials("r3-snyk-corda5")
+ SNYK_ORG_ID = credentials("corda5-snyk-org-id")
+ }
+
+ options {
+ timestamps()
+ }
+
+ triggers {
+ cron (gitUtils.isReleaseBranch() ? '@midnight' : '')
+ }
+
+ stages {
+ stage('SonarQube analysis') {
+ when {
+ expression { return env.BRANCH_NAME == gitUtils.getDefaultBranch(gitUtils.getRepoName())}
+ }
+ steps {
+ withSonarQubeEnv('SonarCloud') {
+ sh './gradlew sonar -Si'
+ }
+ }
+ }
+ stage('Snyk Code analysis') {
+ steps {
+ script {
+ snykUtils.runSnykCode()
+ }
+ }
+ }
+ }
+}

.ci/dev/forward-merge/JenkinsInteropMerge

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 /*
  * Forward merge any changes in current branch to the branch with following version.

.ci/dev/forward-merge/JenkinsfileMergeAutomation

@@ -1,5 +1,5 @@
 #! groovy
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 /**
  * Forward merge any changes in current branch to the branch with following version.
@@ -14,13 +14,13 @@
  * the branch name of origin branch, it should match the current branch
  * and it acts as a fail-safe inside {@code forwardMerger} pipeline
  */
-String originBranch = 'release/os/5.2'
+String originBranch = 'release/os/5.3'
 
 /**
  * the branch name of target branch, it should be the branch with the next version
  * after the one in current branch.
  */
-String targetBranch = 'release/os/5.3'
+String targetBranch = 'release/os/5.4'
 
 /**
  * Forward merge any changes between {@code originBranch} and {@code targetBranch}

.ci/nightly/JenkinsfileNightly

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaPipelineKubernetesAgent(
  runIntegrationTests: false,

.ci/nightly/JenkinsfileSnykScan

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaSnykScanPipeline (
  snykTokenId: 'r3-snyk-corda5',

.ci/nightly/JenkinsfileWindowsCompatibility

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 windowsCompatibility(
  runIntegrationTests: false,

.github/CODEOWNERS

@@ -1,2 +1,18 @@
-# Code freeze reviewers
-* @driessamyn @jasonbyrner3 @ronanbrowne @rick-r3 @simon-johnson-r3 @blsemo @Omar-awad @aditisdesai @vinir3 @vkolomeyko @Sakpal @owenstanford @davidcurrie @conalsmith-r3
+# Build scripts and Jenkins files should be audited by BLT
+# Any changes to source code of corda-api to be reviewd by C5 team leads
+
+Jenkinsfile @corda/infrastructure-release
+.ci/** @corda/infrastructure-release
+
+gradle/wrapper @corda/infrastructure-release
+*.toml @corda/corda5-team-leads
+
+*.gradle @corda/infrastructure-release
+gradle.properties @corda/corda5-team-leads
+
+*.kt @corda/corda5-team-leads
+*.java @corda/corda5-team-leads
+
+**/scans/*.yaml @corda/corda5-team-leads
+
+CODEOWNERS @corda/infrastructure-release @corda/corda5-team-leads

.github/workflows/check-pr-title.yml

@@ -7,7 +7,7 @@ jobs:
  check-pr-title:
  runs-on: ubuntu-latest
  steps:
- - uses: morrisoncole/pr-lint-action@v1.6.1
+ - uses: morrisoncole/pr-lint-action@v1.7.1
  with:
  title-regex: '^((CORDA|EG|ENT|INFRA|CORE|DOC|ES|DA5)-\d+)(.*)'
  on-failed-regex-comment: "PR title failed to match regex -> `%regex%`"

.github/workflows/remove-stale-branches.yml

@@ -8,7 +8,7 @@ jobs:
  name: Remove stale branches
  runs-on: ubuntu-latest
  steps:
- - uses: fpicalausa/remove-stale-branches@v1.5.8
+ - uses: fpicalausa/remove-stale-branches@v2.0.1
  with:
  dry-run: false
  ignore-unknown-authors: true

.github/workflows/remove-stale-prs.yml

@@ -8,7 +8,7 @@ jobs:
  name: Remove stale PRs
  runs-on: ubuntu-latest
  steps:
- - uses: actions/stale@v8.0.0
+ - uses: actions/stale@v9.0.0
  with:
  debug-only: false
  exempt-pr-labels: 'DO_NOT_CLOSE'

.snyk

@@ -2,58 +2,22 @@
 version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
- SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385:
- - '*':
- reason: >-
- Gradle plugins use the version of Kotlin provided by Gradle itself, so
- it is not susceptible to this vulnerability. In addition, this is a 
- build-time vulnerability, released artifacts are not affected due to
- this.
- expires: 2022-10-22T10:40:55.991Z
- created: 2022-09-22T10:40:55.995Z
  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
  - '*':
  reason: >-
  This vulnerability relates to information exposure via creation of
  temporary files via Kotlin functions with insecure permissions. Corda
  does not use any of the vulnerable functions so it not susceptible to
  this vulnerability.
- expires: 2023-06-19T10:40:55.991Z
+ expires: 2024-08-27T10:40:55.991Z
  created: 2022-09-22T10:40:55.995Z
- SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424:
- - '*':
- reason: >-
- Corda5 Shippable artifacts do not make use of dokka-core, which is
- where this dependency originates, this is used at compile / build time
- only for Kdoc generation and not shipped in any of our releasable
- artifacts.
- expires: 2023-06-19T10:40:55.991Z
- created: 2022-12-20T10:40:55.995Z
- SNYK-JAVA-ORGJSOUP-2989728:
- - '*':
- reason: >-
- Corda5 Shippable artifacts do not make use of dokka-core, which is
- where this dependency originates, this is used at compile / build time
- only for Kdoc generation and not shipped in any of our releasable
- artifacts.
- expires: 2023-06-19T10:40:55.991Z
- created: 2022-12-20T10:40:55.995Z
- SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
- - '*':
- reason: >-
- Corda5 Shippable artifacts do not make use of dokka-core, which is
- where this dependency originates, this is used at compile / build time
- only for Kdoc generation and not shipped in any of our releasable
- artifacts.
- expires: 2023-06-19T10:40:55.991Z
- created: 2022-12-20T10:40:55.995Z
  SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135:
  - '*':
  reason: >-
  Corda5 Shippable artifacts do not make use of dokka-core, which is
  where this dependency originates, this is used at compile / build time
  only for Kdoc generation and not shipped in any of our releasable
  artifacts.
- expires: 2023-06-19T13:28:02.582Z
+ expires: 2024-08-27T13:28:02.582Z
  created: 2023-03-20T13:28:02.597Z
 patch: {}

Jenkinsfile

@@ -1,4 +1,4 @@
-@Library('corda-shared-build-pipeline-steps@5.2') _
+@Library('corda-shared-build-pipeline-steps@5.3') _
 
 cordaPipelineKubernetesAgent(
  runIntegrationTests: false,

application/scans/corda-application-5.2.0.yaml → application/scans/corda-application-5.3.0.yaml

@@ -296,6 +296,39 @@ net.corda.v5.application.crypto.SigningService:
  extends: []
  interface: true
  methods:
+ decodePublicKey:
+ annotations:
+ - NotNull
+ default: false
+ type: public abstract
+ returnType: java.security.PublicKey
+ params:
+ encodedKey:
+ annotation:
+ - NotNull
+ type: String
+ encodeAsByteArray:
+ annotations:
+ - NotNull
+ default: false
+ type: public abstract
+ returnType: "byte[]"
+ params:
+ publicKey:
+ annotation:
+ - NotNull
+ type: java.security.PublicKey
+ encodeAsString:
+ annotations:
+ - NotNull
+ default: false
+ type: public abstract
+ returnType: String
+ params:
+ publicKey:
+ annotation:
+ - NotNull
+ type: java.security.PublicKey
  findMySigningKeys:
  annotations:
  - Suspendable

application/src/main/java/net/corda/v5/application/crypto/SigningService.java

@@ -57,4 +57,40 @@ public interface SigningService {
  @Suspendable
  @NotNull
  Map<PublicKey, PublicKey> findMySigningKeys(@NotNull Set<PublicKey> keys);
+
+ /**
+ * Deserializes a {@link PublicKey} from a {@code byte} array.
+ *
+ * @param encodedKey The public key represented as a {@code byte} array.
+ * @return An instance of {@link PublicKey} constructed from the encoded key.
+ */
+ @NotNull
+ PublicKey decodePublicKey(@NotNull byte[] encodedKey);
+
+ /**
+ * Deserializes a {@link PublicKey} from a {@link String}.
+ *
+ * @param encodedKey The public key represented as a PEM encoded {@link String}.
+ * @return An instance of {@link PublicKey} constructed from the encoded key.
+ */
+ @NotNull
+ PublicKey decodePublicKey(@NotNull String encodedKey);
+
+ /**
+ * Serializes a {@link PublicKey} into a byte array.
+ *
+ * @param publicKey The {@link PublicKey} to be encoded.
+ * @return A {@code byte} array representation of the public key.
+ */
+ @NotNull
+ byte[] encodeAsByteArray(@NotNull PublicKey publicKey);
+
+ /**
+ * Serializes a {@link PublicKey} into a PEM encoded String.
+ *
+ * @param publicKey The {@link PublicKey} to be encoded.
+ * @return A hex encoded {@link String} representation of the public key.
+ */
+ @NotNull
+ String encodeAsString(@NotNull PublicKey publicKey);
 }

application/src/main/java/net/corda/v5/application/messaging/FlowMessaging.java

@@ -309,12 +309,14 @@ FlowSession initiateFlow(
  * stops receiving heartbeat messages from the counterparty within the configurable timeout.
  * <p>
  * The {@code payload} object should be of a type that is annotated with @CordaSerializable or a primitive type. This
- * function cannot handle types that do not meet these criteria.
+ * function cannot handle types that do not meet these criteria. The maximum payload size that can be sent at once is
+ * dictated by `session.maxPayloadSize`, and defaults to 100MB.
  *
  * @param payload the payload to send, which should be either a primitive type or a type annotated with @CordaSerializable.
+ * Payload size should not exceed the configurable maximum size in bytes (default of 100MB).
  * @param sessions the sessions to send the provided payload to.
  *
- * @throws CordaRuntimeException if any session is closed or in a failed state.
+ * @throws CordaRuntimeException if any session is closed or in a failed state, or if the payload size exceeds the configured maximum size in bytes.
  */
  @Suspendable
  void sendAll(@NotNull Object payload, @NotNull Set<FlowSession> sessions);
@@ -327,12 +329,14 @@ FlowSession initiateFlow(
  * stops receiving heartbeat messages from the counterparty within the configurable timeout.
  * <p>
  * The objects in {@code payloadsPerSession} should be of types that are annotated with @CordaSerializable or be primitive types. This
- * function cannot handle types that do not meet these criteria.
+ * function cannot handle types that do not meet these criteria. The maximum payload size that can be sent at once is
+ * dictated by `session.maxPayloadSize`, and defaults to 100MB.
  *
  * @param payloadsPerSession a mapping that contains the payload to be sent to each session.
  * The payloads should be either of primitive types or types annotated with @CordaSerializable.
+ * Payload size should not exceed the configurable maximum size in bytes (default of 100MB).
  *
- * @throws CordaRuntimeException if any session is closed or in a failed state.
+ * @throws CordaRuntimeException if any session is closed or in a failed state, or if the payload size exceeds the configured maximum size in bytes.
  */
  @Suspendable
  void sendAllMap(@NotNull Map<FlowSession, Object> payloadsPerSession);