BCOS: fair scoring, ledger anchor endpoint, attest epoch, rustchain.org routing#7890
Merged
Conversation
The vulnerability and dependency-freshness checks audited whatever Python packages happened to be installed on the machine running the scan, not the repository being certified. Bare pip-audit reports the ambient environment, and osv-scanner (which does scan the repo tree) only ran when pip-audit was absent. A pure C or retro project with no Python dependencies of its own was scored on the scanning host's unrelated packages, which is both unfair and wrong: the same repo could score 57 or 85 depending on which machine ran it. Make both checks project-scoped and language-aware. Prefer osv-scanner against the repo tree (it reads lockfiles and committed CycloneDX/SPDX SBOMs, so it covers C, Rust, Go and npm, not just Python), and run pip-audit only against the project's own requirements files. A project that declares no dependency manifest genuinely has nothing that can be vulnerable or outdated and is scored clean, with a note saying so. A project that does declare deps is still fully scanned and penalized for real CVEs (verified: a repo pinning jinja2 2.10 is still flagged). The result no longer depends on the scanner's host environment. Signed-off-by: Scott <scottbphone12@gmail.com>
Implement the on-chain anchor step that was previously missing (the endpoint
returned 404). POST /api/v1/bcos/anchor {cert_id} records an already-attested
certificate's commitment as a permanent zero-value memo entry in the RustChain
ledger, stamps the attestation with the resulting tx hash and the current
epoch, and is idempotent (an already-anchored cert returns its existing tx hash
rather than writing a second row). Admin-key gated, like attest.
Details:
- adds the anchor_tx column to bcos_attestations (in the CREATE for fresh
installs, and via an idempotent ALTER migration in register_bcos_routes for
existing ones)
- reads the authoritative epoch/slot from the node's own /epoch endpoint over
localhost, since the main module is not importable (its filename has dots)
and rip_200_round_robin_1cpu1vote has no current_slot
- the verify endpoint now returns anchor_tx so the ledger anchor is visible to
anyone verifying a cert
Deploy dependency: the public vhost must proxy /bcos/ and /api/v1/bcos/ to the
node. On rustchain.org this meant adding two nginx location blocks (the /bcos/
one as ^~ so the badge .svg is proxied and not caught by the static-file regex
location). Without those, the routes are only reachable on the node address.
Signed-off-by: Scott <scottbphone12@gmail.com>
…choring The attest route tried to record the epoch via `from rip_200_round_robin_1cpu1vote import current_slot`, but that module has no current_slot, so the import always failed and every attestation stored a null epoch. It also wrote the result into anchored_epoch, which conflates "recorded in the registry" with "written to the ledger." Separate the two honestly. Attest now stamps a new attested_epoch column and leaves anchored_epoch NULL; anchored_epoch is set only by /api/v1/bcos/anchor. Both attest and anchor read the epoch from a shared _node_epoch_slot() helper that asks the node's own /epoch endpoint (verified: a fresh attest now returns attested_epoch 213, anchored_epoch null). The new column is added in the CREATE for fresh installs and via an idempotent ALTER for existing ones, and the verify endpoint now returns attested_epoch alongside anchored_epoch and anchor_tx. Signed-off-by: Scott <scottbphone12@gmail.com>
The public rustchain.org vhost was missing proxy blocks for the BCOS routes, so the node served them but they 404'd through the domain (the catch-all location fell through to try_files). Capture the two location blocks that were added to production: /bcos/ as ^~ so the badge SVG is proxied and not caught by the static .svg regex location, and /api/v1/bcos/ for the anchor API. Same upstream (127.0.0.1:8099) as the other node routes. Signed-off-by: Scott <scottbphone12@gmail.com>
Contributor
|
| Metric | Value |
|---|---|
| Trust Score | 48/100 |
| Certificate ID | BCOS-9018b53f |
| Tier | L1 (not met) |
What does this mean?
The BCOS (Beacon Certified Open Source) engine scans for:
- SPDX license header compliance
- Known CVE vulnerabilities (OSV database)
- Static analysis findings (Semgrep)
- SBOM completeness
- Dependency freshness
- Test infrastructure evidence
- Review attestation tier
BCOS v2 Engine - Free & Open Source (MIT) - Elyan Labs
Contributor
RTC RewardThis merged PR earned 5 RTC — sent to |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Lands the BCOS work that is already running on the production node, plus the nginx routing it depends on.
What is in here
tools/bcos_engine.py): the vulnerability and dependency-freshness checks audited whatever Python packages were installed on the machine running the scan, not the repo being certified. A pure C/retro project scored 57 or 85 depending on the host. Now both checks scan the project's own declared dependencies (osv-scanner on the tree, pip-audit only against the project's requirements files); a project with no manifest is scored clean, not on the scanner's environment. Verified: a repo pinning a vulnerable jinja2 is still flagged.node/bcos_routes.py):POST /api/v1/bcos/anchor {cert_id}records an attested cert's commitment as a permanent zero-value memo entry in the RustChain ledger, stampsanchored_epoch+anchor_tx, and is idempotent. Adds theanchor_txcolumn (CREATE + idempotent ALTER). This endpoint previously 404'd.node/bcos_routes.py): attest tried to read the epoch via a module that has nocurrent_slot, so every attestation stored a null epoch intoanchored_epoch(conflating attested with anchored). Now attest stamps a separateattested_epochand leavesanchored_epochfor the anchor step; both read the epoch from a shared helper that asks the node's own/epoch.site/nginx-rustchain-org.conf): capture the two location blocks added to production so rustchain.org actually serves the BCOS routes (/bcos/as^~so the badge SVG is proxied, and/api/v1/bcos/).Deployed + verified
All of this is live on node 50.28.86.131 and the whole cert fleet (46/46) is now anchored and publicly verifiable, e.g. https://rustchain.org/bcos/verify/BCOS-5664a2af returns
verified: true, anchored_epoch, anchor_tx.🤖 Generated with Claude Code