feat(indexer): Add processor to docker-compose

[roninjin10]

• Add processor to docker-compose
• this is still a wip

[changeset-bot]

⚠️ No Changeset found

Latest commit: 8c091f6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[roninjin10]

Current dependencies on/for this PR:

• develop
  • PR chore(indexer): Update git ignroe to ignore binaries #5945
    • PR feat(indexer): Add healthz to api #5946
      • PR feat(indexer): Add indexer-refresh to makefile #5947
        • PR feat(indexer): Hook up api to cli app #5948
        • PR feat(indexer): Load environment variables from .env #5944
          • PR fix(indexer): Add name to toml config #5969
            • PR feat(indexer): Hook up api to cli app #5980
              • PR feat(indexer): Connect processor to cli app #5950
                • PR feat(indexer): Add api to docker-compose #5951
                  • PR feat(indexer): Add processor to docker-compose #5952 👈

This comment was auto-generated by Graphite.

[semgrep-app]

Semgrep found 1 use-tls finding:

• indexer/api/api.go: L109

Found an HTTP server without TLS. Use 'http.ListenAndServeTLS' instead. See https://golang.org/pkg/net/http/#ListenAndServeTLS for more information.

_{Ignore this finding from use-tls.}

[semgrep-app]

Semgrep found 12 todos_require_linear findings:

• packages/data-transport-layer/src/services/l1-ingestion/service.ts: L167
• packages/data-transport-layer/src/utils/contracts.ts: L75
• packages/data-transport-layer/src/db/simple-db.ts: L10, L37
• packages/data-transport-layer/src/services/main/service.ts: L121
• packages/data-transport-layer/src/services/server/service.ts: L138, L226, L227, L228
• packages/data-transport-layer/src/services/l1-ingestion/handlers/sequencer-batch-appended.ts: L34, L88
• packages/data-transport-layer/src/utils/validation.ts: L41

Please create a Linear ticket for this TODO.

_{Ignore this finding from todos_require_linear.}

[github-actions]

This PR is stale because it has been open 14 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[semgrep-app]

Semgrep found 54 third-party-action-not-pinned-to-commit-sha findings:

• .github/workflows/release.yml: L441, L428, L425, L407, L401, L398, L380, L374, L371, L353, L347, L344, L326, L320, L317, L299, L293, L290, L59
• .github/workflows/publish-canary.yml: L403, L390, L387, L365, L352, L349, L331, L325, L322, L304, L298, L295, L277, L271, L268, L250, L244, L241, L223, L217, L214, L196, L190, L187, L169, L163, L160, L143, L137, L134, L117, L114, L108, L70, L59

An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload.

_{Ignore this finding from third-party-action-not-pinned-to-commit-sha.}

Semgrep found 1 nil-check-after-call finding:

• op-node/p2p/node.go: L71-161

Potential p2pmetrics nil dereference when NewBandwidthCounter is called

_{Ignore this finding from nil-check-after-call.}

Semgrep found 3 iterate-over-empty-map findings:

• op-node/p2p/topic_params.go: L89-103
• op-node/p2p/peer_params.go: L89-103
• op-node/chaincfg/chains.go: L73-92

Iteration over a possibly empty map TopicScoreParamsByName. This is likely a bug or redundant code

_{Ignore this finding from iterate-over-empty-map.}

Semgrep found 1 dynamic-urllib-use-detected finding:

• ops-bedrock/tools/generate_replica.py: L109-111

Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.

_{Ignore this finding from dynamic-urllib-use-detected.}

Semgrep found 4 avoid-v-html findings:

• docs/op-stack/src/.vuepress/theme/components/PageFooter.vue: L7, L5
• docs/op-stack/src/.vuepress/theme/components/Clipboard.vue: L3
• docs/op-stack/src/.vuepress/theme/components/Blog/ArticleItem.vue: L15

Dynamically rendering arbitrary HTML on your website can be very dangerous because it can easily lead to XSS vulnerabilities. Only use HTML interpolation on trusted content and never on user-provided content.

_{Ignore this finding from avoid-v-html.}

Semgrep found 6 path-join-resolve-traversal findings:

• packages/hardhat-deploy-config/src/plugin.ts: L23, L23, L20, L20
• packages/contracts-bedrock/tasks/generate-deploy-config.ts: L12, L12

Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

View Dataflow Graph

flowchart LR
    classDef invis fill:white, stroke: none
    classDef default fill:#e7f5ff, color:#1c7fd6, stroke: none

    subgraph File0["<b>packages/hardhat-deploy-config/src/plugin.ts</b>"]
        direction LR
        %% Source

        subgraph Source
            direction LR

            v0("<b>[Line: 16]</b> userPath")
        end
        %% Intermediate

        subgraph Traces0[Traces]
            direction TB

            v2("<b>[Line: 16]</b> userPath")
        end
        %% Sink

        subgraph Sink
            direction LR

            v1("<b>[Line: 23]</b> userPath")
        end
    end
    %% Class Assignment
    Source:::invis
    Sink:::invis

    Traces0:::invis
    File0:::invis

    %% Connections

    Source --> Traces0
    Traces0 --> Sink

    %% Clickable

    click v0 href "https://github.com/ethereum-optimism/optimism/blob/515f0a372540cb1b1fd5b32f23fc0aca6deb3064/packages/hardhat-deploy-config/src/plugin.ts#L16" "View in source" _blank
    click v1 href "https://github.com/ethereum-optimism/optimism/blob/515f0a372540cb1b1fd5b32f23fc0aca6deb3064/packages/hardhat-deploy-config/src/plugin.ts#L23" "View in source" _blank
    click v2 href "https://github.com/ethereum-optimism/optimism/blob/515f0a372540cb1b1fd5b32f23fc0aca6deb3064/packages/hardhat-deploy-config/src/plugin.ts#L16" "View in source" _blank

Loading

_{Ignore this finding from path-join-resolve-traversal.}

Semgrep found 2 incomplete-sanitization findings:

• packages/migration-data/bin/cli.ts: L31, L29

line.split('|')[2].replace method will only replace the first occurrence when used with a string argument ('\r'). If this method is used for escaping of dangerous data then there is a possibility for a bypass. Try to use sanitization library instead or use a Regex with a global flag.

_{Ignore this finding from incomplete-sanitization.}

Semgrep found 1 potential-dos-via-decompression-bomb finding:

• op-chain-ops/genesis/test_util.go: L45

Detected a possible denial-of-service via a zip bomb attack. By limiting the max bytes read, you can mitigate this attack. io.CopyN() can specify a size. Refer to https://bomb.codes/ to learn more about this attack and other ways to mitigate it.

_{Ignore this finding from potential-dos-via-decompression-bomb.}

Semgrep found 1 no-direct-write-to-responsewriter finding:

• indexer/server/server.go: L25

Detected directly writing or similar in 'http.ResponseWriter.write()'. This bypasses HTML escaping that prevents cross-site scripting vulnerabilities. Instead, use the 'html/template' package and render data using 'template.Execute()'.

_{Ignore this finding from no-direct-write-to-responsewriter.}

Semgrep found 2 math-random-used findings:

• op-chain-ops/genesis/check.go: L9
• op-chain-ops/cmd/withdrawals/main.go: L10

Do not use math/rand. Use crypto/rand instead.

_{Ignore this finding from math-random-used.}

Semgrep found 1 todos_require_linear finding:

• packages/core-utils/src/optimism/batch-encoding.ts: L262

Please create a Linear ticket for this TODO.

_{Ignore this finding from todos_require_linear.}

Semgrep found 1 detected-generic-api-key finding:

• docs/op-stack/src/.vuepress/config.js: L42

Generic API Key detected

_{Ignore this finding from detected-generic-api-key.}

[mergify]

Hey @roninjin10! This PR has merge conflicts. Please fix them before continuing review.

[mergify]

This PR has been added to the merge queue, and will be merged soon.

[mergify]

This PR is next in line to be merged, and will be merged as soon as checks pass.