Emmanuel T Odeke

ci: .github/workflows: add staticmajor to catch leaking resources

1

Brings in a static analyzer that catches leaking resources like unclosed file handles, networking handles etc that can't easily be caught except in very critical code reviews as well as...

Makefile: mitigate supply chain risk of curl downloading rogue protobuf dependencies without verifying nor signing

1

## Currently Currently in the Makefile the following code exists to download and build the protobuf dependencies from Tendermint https://github.com/cosmos/cosmos-sdk/blob/40180cda8fe96a11c4797a7faf634673e545e19a/Makefile#L433-L457 ## Risk Our software supply chain security partner and vendor...

ICS2: maximum length of client type in client identifier is not specified and can be abused

3

The specs do define the character set of the client identifier as ASCII per  however, they don't specify a maximum length I discovered this while auditing ibc-go per https://github.com/cosmos/ibc-go/issues/2269...

security: fix resource leaks from staticmajor + add cosmos/gosec & staticmajor

3

This change fixes resource leaks identified by a static analyzer from Orijtech Inc called "staticmajor". While here, also added cosmos/gosec scanning which will help with running security rules and take...

Handling realloc fails

1

Addressing issue : 'realloc may return NULL #23'

Hello there @liviosoares, thank you for the great library and for the hardwork! We are interested in using your packages. However, we aren't able to use it to stream to...

build: Makefile: add Go vulnerability checker

4

Adds the Go vulnerability checker to the Makefile as a directive dependency to the all directive to ensure that we get security updates scalably.

The code cited has a small inconsistency that if a module was added to app.basicManager and not to app.ModuleManager.Modules, it will be memoized then the loop will return but yet...

Noticed in a security audit that this code for LegacyNewDec only checks that precision > LegacyPrecision https://github.com/cosmos/cosmos-sdk/blob/00ad3ecedc9be2a419e255b165f3e55a21b95ed7/math/dec.go#L81-L86 but then blindly passes the value to index precisionMultipliers Reproduction: ```go func TestDecPrecision(t...

## Summary of Bug Noticed in an audit for cosmos/gaia that the code inside https://github.com/cosmos/cosmos-sdk/blob/8cce7480917c90326c0c8a3bc2d26d1d3c29a33f/store/streaming/file/service.go#L191-L227 firstly creates a file but that file is only ever closed at the very end...