From 6f6cfea9af6aea63d413159fc7d5035163026869 Mon Sep 17 00:00:00 2001 From: Sebastian Guaqueta Date: Fri, 20 Dec 2024 08:36:48 -0500 Subject: [PATCH 1/2] feat/ adding setting files for score card automation --- .DS_Store | Bin 0 -> 6148 bytes .github/dependabot.yml | 18 +++++++++ .github/workflows/codeql.yml | 45 +++++++++++++++++++++++ .github/workflows/dependency-review.yml | 21 +++++++++++ .github/workflows/scorecard.yml | 47 ++++++++++++++++++++++++ README.md | 4 ++ SECURITY.MD | 27 ++++++++++++++ img/rootstock-docs.png | Bin 0 -> 14838 bytes 8 files changed, 162 insertions(+) create mode 100644 .DS_Store create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 .github/workflows/dependency-review.yml create mode 100644 .github/workflows/scorecard.yml create mode 100644 SECURITY.MD create mode 100644 img/rootstock-docs.png diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..b8dd79a9b1aadd231253725649863c98f0a1ebbe GIT binary patch literal 6148 zcmeHK!A{#i5PeImHjtnfYhV!{Ra;G0KdSA zPso|y-~?}WS7N=vNWGM(+L3l=y`DEaelzxZ0jSQ^unlYisI!TVHrTx)a$nk#tl60@ zYNdVr!WdsM!f*7KtiwcLATY3M49L5?jRA5@aRT@KonVHH?{W*Ln9KdWEFT91?gdta*pSr~?4a+%IQUNZa#)`baplqcx?^;E; zlnV4~S2C?WIhm&Ol@w*7sy9|Lx)4-gATaQr49NE(W)q!QT^OxD9qjZGfI8x|7LMiT zKrpe@iPeSCyhBk2N^PLZ9x;@Gb3V3qiPeSC1`cHpAIh$*>rM + # Rsk contract verifier > Smart contract source code verifier. diff --git a/SECURITY.MD b/SECURITY.MD new file mode 100644 index 0000000..c5ac430 --- /dev/null +++ b/SECURITY.MD 
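Review bot: the `.DS_Store` blob in the first hunk (`create mode 100644 .DS_Store`, `GIT binary patch literal 6148`) is macOS Finder metadata and does not belong in the change; drop it from this commit instead of removing it in the follow-up "clean .DS_Store file" patch, and add `.DS_Store` to `.gitignore` so it cannot be re-added. Separately, the diffstat lists `.github/dependabot.yml`, `.github/workflows/codeql.yml`, `.github/workflows/dependency-review.yml` and `.github/workflows/scorecard.yml`, but no `diff --git` hunk for any of them appears in the patch as received, so the workflow definitions (their `permissions:` blocks and whether third-party actions are pinned to a commit SHA rather than a mutable tag) could not be reviewed here; please resend the series with those hunks present.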
@@ -0,0 +1,27 @@ +# Reporting Security Issues + +The Rootstock team and community take security bugs in rootstock seriously. Beside this project is out of our Bug Bounty Program scope, we appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions. + + +## Responsible Disclosure + +For all security related issues, rsk-contract-verifier has two main points of contact. Reach us at or use the GitHub Security Advisory ["Report a Vulnerability"](https://github.com/rsksmart/rsk-contract-verifier/security/advisories/new) tab. + +The Rootstock team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance. + +**Ensure the bug was not already reported** by searching on GitHub under [Issues](https://github.com/rsksmart/rsk-contract-verifier/issues). + +## Vulnerability Handling + +### Response Time + +RootstockLabs will make a best effort to meet the following response times for reported vulnerabilities: + +* Time to first response (from report submit) - 5 business days +* Time to triage (from report submit) - 7 business days + +We’ll try to keep you informed about our progress throughout the process. + +### Disclose Policy + +Follow our [disclosure guidelines](https://www.rootstocklabs.com/bounty-program/). \ No newline at end of file 
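Review bot: the contact line in the Responsible Disclosure section reads `Reach us at or use the GitHub Security Advisory`, so the address after "Reach us at" is missing; either restore the contact address or drop "Reach us at" and keep only the advisory link. In the same hunk, "Ensure the bug was not already reported by searching on GitHub under Issues" points vulnerability reporters at the public issue tracker while the rest of the policy routes reports through the private advisory form; state explicitly that security issues must not be opened as public Issues. Wording: `Beside this project is out of our Bug Bounty Program scope` should read "Although this project is out of scope for our Bug Bounty Program", and `### Disclose Policy` should be `### Disclosure Policy`; the text also alternates between "Rootstock team" and "RootstockLabs" for the same party, and the file ends without a trailing newline (`\ No newline at end of file`). Consider the conventional `SECURITY.md` casing for the filename, which is the spelling the GitHub documentation uses.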
diff --git a/img/rootstock-docs.png b/img/rootstock-docs.png new file mode 100644 index 0000000000000000000000000000000000000000..946107cb03c747d1d7d4291d4a36db77cbbcb604 GIT binary patch literal 14838 zcmeIZS6CBU8#WAGX3aBe)_Tf)-z(uCYjcq!(nkaY z1VnD$FufxnaG+8^U|+=HzxXXSSE5}61oT^OnqIvdDY#5Fe(eg+r|}@|9=V5lHvaDL zh)6B{jeb1iZIttGV5aHD@oA)Ex%78XS{mrhP5cWh)vD3zduahVudC8~1J5h(7whpY z>~c;!l`AD5_`_%ft4m!bisHWHGFsbU%my-r5!dp$(c76^Z-b6zJZCW|9j>m!EyIF* zQ?A@rSmYlB-dz$D<{uvYI-vUJ?=5k@wE_YctlIbS5AQDjck;hM_-`isw;cX2`-J&N z`2YOTe@^-T$;h;G<51*xprBxQUY@Mea0hpRSr6O>QLLVbsW=9p^krv$KQg&**)Kg zv0tJ$=t$BsvNHBGt#5d8IVEO?28QsHf=jO+9ZbqhwI{~1w7GY`Rf$!}bK{ZPV*JnW z$XDXwA#l@LvJLTM#aTdI0e2e>=Xd(^R{K7%{>BK-+)Bp9hSZDy&ivDQ?N2K^W2Z?u zZ`)?T=#Pa>=tl=H_k3SYOljSwLdeFP%clI+4GB2vN)7i|+}GS&)AuBv9^yaBal&|C zUy;1#y@v-#tve=P2B~;PVm+mDKj0r*x`sq^mY{$$KR)4Oto$@M7K;`>23N>0yT}HKtj3RQ((8bo&U% zQX`6OXozKJQ5XbQZf*8K0fEXFd}Euosg!WrhOI^Bjz@=rPwH;c9{v*sW*?%%yxv@MxthUJiWg=bL;#&4U zdi>~Mv?(dVV8dR4nG(0vdTdD``(+rbmIBXmk1T9jdD<6pQQPaHD4o##zRM+cwJZm% zEz5eZF*zU?v&rBL`~J{$N6zN&Woxvo_|}gr{$<1(I@CxtHyM@N+8`!l_q}VT;!yDT zV+xF-%$FIco-7TxeTCa{hlD`%8~(G~S3A&)*2q~~y1I42ZO|c5{aWsT24y^d8_y*V zP-275-3gM-s%HF{(uiwx9?X$~7WbOWp*8^ST2A-t!3EDSDwNGIPA5F>{ugP1=wIKS z9@;@ca4BqF+|>8yjNTk=a$hdcP+%i7%K4Gt8v|Z#d}EC}dH74s-G$$wd~%^3nX$nx_(=3eJ*vgc9d|BxVyaHLVqq_^^AsS>A88q ze}+qJiw%lWU$ZA*#1@d2@FOyje0=Fn&J&=`VQFuXqGT}FTMYxC?2XQwk!w08tC+2g zQxv~jzY_o~^G}wKC&~aBT4K;t*nWW~D~V*{4OP$M9wC>M4o18;%@a2_=~uf5_$v09 zq-~0UpkhCuTluT?SjeWHz5A|f+uV>Z6zUUpd*9&MHOX8#)?jeksvDeJ90awU9oYb_ zqy|%B;o&TUxXm}@QI$3Z(OBRC?vjo+6e3s|E#y!sEVuU^w=HTY3?iHYk>a!Zp8R;O zuv^5_+wF?pe*PQOCPrM-ailJ8p_>O>k+aKI9Yd$xo9^L^GCE5EG;CLOoZxmm$Uu9$ zObKKU9y;eGD1c0V8NNJL8&`ZyAVNt{IO2V=ymQR@&^w)M#XGgnJ|_p_G(+N-&S#@c z+r;BRL&mJ3*uvJml~WASN&yc!qRCDmryGC@s}G?t1V&;HsE$0>!uwr3BwxU&(yb9k zA#VFs?0r^Hj@bKgD7S5{oyOqLL*-)br7J(%cL*^py@N zv^FVB=_ehRn~7;|T}%BG!(T%jq+KdBM$*dAD68YbP_sN|8uo(#=WeqZGe6$s##xhU z4I)=O;PXGE?0#EM(?i= 
zQUY5iT~lZaR=P3SK9jJt3+b@Xt>-{Hx7@bnI;S0-y<#NLC@U*&eJy%Ja?^mrlEO-JNnq;6|6F(??PL68?lT6XLX0?EOfI9-pJa2 z2sWuMF(v%yQrL@F030ihQMb`C$r@J%(HBH>BWCjO9fgus6)LrHa?TZfidXrSa zo`Oqm3`@^b_`dnOT4vDEqC68x+r3?9PZhA%EY_qD89MMaO z9k4pB+YK(HhZT6uuF@9uGxY9M0QW?vL{8k{b_T%Xn|jzXu8m%lmixYB|A3Pt z+V_^d((YD0K6_r*H|n3@*Jyq;&zs&ODeI2aT^VfleXk&nPDf`&prri+<0rY+`-JWH4oJ zx%W$b@(U#N>l>=j0c4D0DC8}4DuKECVM}sYd*eJ@^m?WKR*Q2XDSu2o_JQ--`GZ3F zTPCPDIt8yf)>dFb*dwDg)LhEKmySV){sfg%CK|Y7$j|QfK`Jw~>6|BKq!YPMBD+p# ziP5LK63MnU#yTvRc$F6S!Nrd0wXMxv8i>N%S-g=6iC*}awSC)bi$?1A>Zu-GJ^$An zL~n8`yMAqCZTD}SL@6qW-4N)gEiz*G$B~FV5JMF;R`pQ5PY{0~8`+O#>K*BIe?zPD z^mc!Q56dl{dLFm-?dE<9uhFxs-c8=gA0-?o8oTUprB@4>F_eiJBFiYyr`c&ar^4hX zv)v(<{O+mqmk!^vq#7j0FShgZh1CERuSq9_vB)r|SrlqmzUp~#D#A>4^_B9uTeSx; zne1xcoBsL{OAhe$`Tl;xv**7nwkm!Ny7$a+CQ>}HIx;Q=E~Tl0%RIONbAh0O^vXRS zB0ZQ|&yPoxl!SEFe0o@v;FF&dGqFY6xNq3ecztWEvoa|v$Dnc|hRxx7c(!>zCS$>= ztm%>oZ*5!~ugT{vOzK8*ksDWv+0wz7JmnfdOk>1ewLs%y0wB$mLY2sjkFEE{!IaCF5oj%xHuzJ zf50oM)k@EI4kC#~Bia}o)SkMC%Eh5+Bl5`I)i_a}5tyJ{3Fk)|3!f9DA55#Z=j)d~ z2Tay_tkpIo-O=3haZJ(6O76uATpXi;cHVgMOtYGFVyF=! 
zuf~sP9U7<)*N;yKYoGK!a%RcvPsri1azvqJiU(Y`(IH_(-c0@;&Cn;$`s#!eMv3{QWRvxm8bs+N5_M-T54 z-*4|ub+o-C_H)evaTHe$&%Qs7%G2nFI7CQ~zmW&$c%?^{MdxCO)6T+e z8Or?3U(AVGced?{9mS}iCCcyO?V`O}YnTiG=mVwNw$dt3?i%5mZU46AI)wzF_m~xg znC2=VM?c@+wDi>CN zMa@QSJh&^tlUz5H*hpJdZ>ij)DP5`i3nL6Lze3h8h<@uHtyXxP#XKv--*hnjit$PpYO4o%X!o>DT|V_8!hK22~}hf~!x8 z)aiyORn{^rg_e%)lUNdL@HE~a+waKaPyFp?Y8C7idY$tNpZqgFRVpM{^6?s{VJaV< z-unVq`=h&L2$$EdbZD=GT$s{Ot$HPP_oq^mxcOMIA6xi0@vu0A`YUSn0bnc7=#-Fa zLQWZQD*@erpj>e16(?gYwefvCK(YHm8!nsmCSMcQd$PQOv`{A`4*{Pk*qki0GM5(t zAm@^;YAI2W zV|idK@ZxNdd;Q{eaIyn}obQtGSf(Wt`=Y+=D;8#iUdmvyQ{d@y}omUQ*0=PS3f zq>+m86l!0itz)!m(@8>FJLw{7YnMfA1ASHp(2mL(3>rnLP*e*wNd7$1)a!Z#v|6yXLLPR0=hfYm@UnpHYGxbyT zjeqdNDUKD3{t-#zSA}n(T$w6sc{AaWO2Na4c28YE5Wvr7==5xO>M#z5C`WVKH31h&H)&mv=oo(9p zyAuTKEsi|eD5qRh>HisCz$>{*g zW$`MlCrFs`T%yz@8U--4*clJc%>QB%hQaZC347GD%W3M67xLuP|z#^f(~#GjMUi>|U`-P&{I|B|*~`R}H1!6?+<5I3adQ%iscV zvlPv`4*1ZSUihy1cr4w?A-?T_&ApZH;7Mxb5 zbN*+FYj<3x>Bl*!&umm{<(%>IKU8T%Dn0aK>`DuJl^->tpe4Dk-tojG>#=LiAKoVE z1th2m8L?FBOgalQm0y{oU`xa=)?8a&y#j75%ThpzaPhuF{Y}kM>ft23U9oe!1%sr zPPCs-pYhdI_#duSx2k41QU=uVaT|8aGnV$&o0Fv^51_g2no8?QIZx`uz0>a$#P7yH zBz!awWAsY8FP>F`MM@Hy84TzSnoTNHLQZa?s?x{$rQb!rs@=dShOZSuCtDu(-g;w)eGo)iKvduVllVV z+F$36V7k8aTl+eW=n01^xOoKJBYBQ3)vrQO`U8c!hI9EBg#m4Qb8T?HieUL2r;wG9 zHXZKW4@ryo!x@<}>>YbKKYDVkDqvzFu8^wr0NfX)dm8sw_q=ly)oRMX%HRhUd2xFvnWW?3!?2pPDnBGKP7O7Bog{NhPR9=c?JYVjylWlHTfVwT$xO)q%f9`_zREP@@^DS^@93 z_f6!;e_>8Oj4+@1?>|=O+%sRQ zTzIqRa%bNMCyNI%GC8_wIEOI%Hq&CyDKk>Wqi9XsK*{O6jtrlUmSGyz^!_o;2rsgSL0M=t_nS8XXmKRt(8c1yVNq!Q zt*@>dV4gEijKMON`)rH za%#=%Up4voUSuAxu6|0^Qj|UKwfyg+uSt-6jwa3p*du$}zOOP>;4Yj_DhpOoYup$} z{}yyaC}33o!Qui^-zFzC`*rx@V9C)D=Rd{hwriKXOU#Q0!IyoPts^!TD;mvtQ|>@n zkVl z!|jg?lf1gIe9<}(yO_CjM7!;;Z`z6WF34EypvzFfYtSAYKKl;KJq%qp^Pv?`C z4j$~0t3N(fw+y%qCq-}ne)(ZZcO;6{CWmV#lMMZGM=$jHq;kv@Aa3zs%OICnZ8ZG@ zd(K4ow+*5&_d>t40XA>^R%nn<*o-)jeTsXx!@P|h68rP5lJBfbke|OKOV)^OkDf2O z>^tzB=8o90*&AQ6a^1&uTer{lt=UGy-Fm}IT;-iC2 zKfej>CuHZos|7wN1BO(&@?S%J?>Ddyy)y`*GYQ!;I6K>v^=^d8hQoMDs*oKN#d3l) 
z_at+T3~htG@1{#W3|8rBu=#nbH)`6jO;)bDj-`_ULDv!{Jr<9L#dNO!U{5khiB9yK zZE57L1t$V%jjW4i+Oa)A$k;Ze9Y1!bC+XVg?Mo>1!gC=f#}(tND!kaq*M7#TBQk&Hyi>?VX5aej z(Q2>*ot43Am`wHukAE@2-WC3ivqcWYb+ou)-qxy*1>lq#fAn>yYvvxD*($jJG7sK! z-aj2MdJ?vz{$ZT!6x?DLnrB-!%HGUkLXXn*v*>cv?Cdwtn9nRD7pkM*#mDn}l#Wc+ zV~sNSi4ME)Qn7MS2x%RelSqTM$O4<#5b|B-ZY<- zdS4BtjZq7q#b+>DIFocdYx`YBs-uw8^})u-RWFv4FQWW2>e_w@ z8bd7N{dkCa-CSP)M54*0(KpHoeEo7PDj~$}qDEs2DGKmLx2FF@yC$H40NVQf9f(H| ztTiN`U^|;Efd;3r_0zU^RV@exs1@FF)M0ki0LqT$>{s(nAfDmS~8w7}0n*Ikm#(UDU>?U#_d=#tsbMsNjOCr1w!HD-zKpY)p5gg?d z{1-}LZxB6k*~j#%MV_?w$I`BJ5YO)GZsEpl6La8U2MG8G-!WPi3?$9_XB-dn%x}+( z1fFl6#m1!eLmI%iB*N&0TdH1x7^@pUhCy}sging(nSA~V)ox7%rT2v zAC_DWC^8EsIL{VE72baa87|22JAgf2ft{Fe-<`sOC?m>ILgFk{Q*>nbMkzJ;8etc< zqn=uZm5(M}!f!E(V}p*z6-hq4+=DsD!7UBy5e)(nyL?7=Xm_i@#IJ>eQTn#BJ1j3< zD?h|1BkLC~;A`x$$ze?^Gf%lN1G~w1RxQ7?VF#sFICRk9WdhvL=a6Ha+u4641VS?U z4Qmub`_dwZ3a9Rl_g z5iJeRuQX)(q2*h$w+DE!tcB2q6!nzdkJrGr%QyuM1#yj3yoMCEv$QM<9m98qlI*5F0>j|Mx|1Rf)*^b5KYhtT45L*caRyw|EpRktQ8pK=qJA41o?5 zaY>&xo4&wotz)cz8(RAcBp5ZX(Ok)r`h=;kA*~xbdz5%c@0US-oM!GHSbnPjpEZbD zcjk@B7H!{X65EH9=XB|ap1~njrkZwW9+LgqbK!Y7{HH2Mz@?q%OFX{EDTz<;M^!v~ z=~%F{Lrfa8x{T8|f|nA*30E;d17_!~u;{r`Dzd}G^xr(rF6@cRWZQPKsGX|{WY(|y z!)#4&bTV#ic-X+Hlzwqs$T81MxOVZ>b@=qs#UL#Wx#ofT9TP9(lk6w=Fy%2p0513anr zM_9z%?1m=aM>MOxnq2#;KWP-vvs$1J^X+(-U19SekF5tu33`po54ZAe!DN=aZzr7N z^D3E?X`=Q?pW;8UZwc<;+!=8YQzbf+IskHo-?a?(M(@nImrvx?YqYkhmH{~rm#S>m z6MO9cFdz!XB5V?J?-;BrfsGN_FEy)ozI!~Vs(I2;K+PDC4fs5w8myU(ulK&mBN zMw_iFs6KEkp1;l{BUF2XpXR&(&aGl)VbIe~YK2W&vmwi?bAH5C-&^kV;6$~lg{9G& z*yB(HW_O|njGlGS)(Rxu?KN_{cDk}js#v6HWC4Vk(mwA+j-$3Pe(_=oqZf`nRBW3< zN2Rjat+XK?*N(H>6T$(K4w-QJZ&S40k!z#Q!no4q%SrhAA}1RjyN8J6CV3;K+qfT4 z^0o&v5HoXoGv|Rnpg!q#5oLK7AN8sL`&gLwnW9>d;Geh~2V}*8r(FL<)*7M8DoT^G z$6nDiXjG5KH*yyqLcq~>U$Ly1f<0QV+8V_HwT!G)4*#x>b%7@2~k!EWix zhC$>~woCMC+1#Uy=aoRGXZi!g&^PGt)Vhw9yh-_n9>?HN@k?1JpYWsGTh5$GMZS+5 zynOi$rO9}Bu))kH-KwA_q2#bNui%MoUL7eTLRHr}S!v82(QaQ){oL>CK4 
zQLW#Xu|nQT$arY;k`c@Dri|iOS>vcMXE4g=z^@SqVb!;A->r+{#I_rtatBCa>TsuFGp(G^iG^bKWTRo@vs zHyb`{l?sAr}CN%dXS3G7h1k@1~r1{ z62zyn3~}7VpxBCDK1H`|Cv{VgXkD^o%((~;fSsQpd<4LcnAbyDX);qvdvuNMl{cs)H#{*RffBLT<%`wSKbNRjQX_(*_7x4QHX61Tl4(7@8|V| zpaMI~AV<_iVYr60hE}+mXkh6F3$K5`clw|zC?EwuDfKzjIaGJ?$lRvb`lFVseB{%$ zU=tfw8f*kl)1>JQ9QONR6$h?XWBDRpUP(x@wc^|~T7chj_Bt;8WE^a(i5q)$`>MW% zR97`7HQe?<%d_UPBnPSfbh3IDVp7{H;FVs}m>nOq(PNmAr548HxCMNf%p0ad4y5u(d+J}xRsd)`6q_f>bK-T4IeSr98*c>#gyiHd_n5WL~H zDsQ^ns_e#9ODq%o3(SfY%XL&+3*Kq7ANn;;o+$ij*8@3s)K`#gw$HOw7o|yba<7pG z(qILtp6!Ip47>V>$0s~+c)~xBh|78BfDS_uIZ?YkoNyfKiC{8XwOB8%U7q|rE3yc#&$gjefY9{>=!32Oy32Hu=-Q67FFE*-QE4(?Allr z&O~#VEr&Q-UY5u6$$!&#_bb*J-ke8k@vC*Ihe*_b;IqKkX7a*hG_!?K-c%P7KjMQ= z3AI(l=ATYQ9YDnx@pf6<%T>!GKI%;(zE$f8xLoh5-+?<|mmo8L$Mr~93anWzv6cwn z)4V`txRz;enF0EWG5_PK0_|+oKj%KDCNGY;Ne#VT(3k3CZ^fJZIut)7Chmr$Qg-^! zI9^xkFaHk9gb=FacPGf?#~DaBLjwSg`$zFY|M%RDKu*+seG-?u#eKk|1?blWTE7OJ z(yy-}+>|#|K$x(Mg4qbE^4es=)uN19>D=vXvFArkcKb~Z&q}+;y1js{?b=K(ROA>M zDw85@@D2Efv@MtDiBxK@P64f&@_TxA*`4}oGy>K>*2hjKWK%UYzUH7Os(WkK9xP2ykYP@5u_$Lh>1 z-$@7x`)B4-NfZJx?Q~j+wm_x*VF!UrAmJkdeOlM1wtJXiw%tdc{Zam%6;{n-2uO1o zWJBj%jYYoh;Me+9fsOQ}RxObu0&|cfXD*FpgzTEN`TlCIwsnZ;+Rs<~NfaI5SLh?W zj;N1m+k8rSWzX*^>8yufq0j%X%zBv-86J2pj;~Q{m*ih7tk30Z3#suYL(5GeRM!l# zM(e$SGR80AkTCw8mogt6R1M^FQ42?rs|Aet$I(r(oJpyXoP%TTQEYOCKie11#zn{; z;A3_RD{@e2M-@c#!Hb3!Q;D3Yg-yr Date: Fri, 20 Dec 2024 08:39:27 -0500 Subject: [PATCH 2/2] clean .DS_Store file --- .DS_Store | Bin 6148 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 .DS_Store 
diff --git a/.DS_Store b/.DS_Store deleted file mode 100644 index b8dd79a9b1aadd231253725649863c98f0a1ebbe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6148 zcmeHK!A{#i5PeImHjtnfYhV!{Ra;G0KdSA zPso|y-~?}WS7N=vNWGM(+L3l=y`DEaelzxZ0jSQ^unlYisI!TVHrTx)a$nk#tl60@ zYNdVr!WdsM!f*7KtiwcLATY3M49L5?jRA5@aRT@KonVHH?{W*Ln9KdWEFT91?gdta*pSr~?4a+%IQUNZa#)`baplqcx?^;E; zlnV4~S2C?WIhm&Ol@w*7sy9|Lx)4-gATaQr49NE(W)q!QT^OxD9qjZGfI8x|7LMiT zKrpe@iPeSCyhBk2N^PLZ9x;@Gb3V3qiPeSC1`cHpAIh$*>rM
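Review bot: squash this into PATCH 1/2 rather than reverting the `.DS_Store` in a separate commit: the series as posted first commits the blob (`create mode 100644 .DS_Store` in PATCH 1/2) and then deletes it (`delete mode 100644 .DS_Store` here), so the binary still enters the repository history. Add `.DS_Store` to `.gitignore` in the same commit to keep it out of future changes.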