mardizzone/pos-944 Snyk integration

[marcello33]

Description

This PR integrates snyk security CI into bor GH pipeline.
It executes snyk vulnerabilities check and snyk static code analysis and publish the results into the relative action.
Licenses check has been removed from snyk UI as ours is a open source organization.

Changes

• Bugfix (non-breaking change that solves an issue)
• Hotfix (change that solves an urgent issue, and requires immediate attention)
• New feature (non-breaking change that adds functionality)
• Breaking change (change that is not backwards-compatible and/or changes current functionality)

Checklist

• I have added at least 2 reviewer or the whole pos-v1 team
• I have added sufficient documentation in code
• I will be resolving comments - if any - by pushing each fix in a separate commit and linking the commit hash in the comment reply

Testing

• I have added unit tests
• I have added tests to CI
• I have tested this code manually on local environment
• I have tested this code manually on remote devnet using express-cli
• I have tested this code manually on mumbai
• I have created new e2e tests into express-cli

Manual tests

Used snyk CLI for tests, and embedded security-ci on PR.

[ZeroEkkusu]

@marcello33, for this one and maticnetwork/contracts#440, we'd need to remove coverage (outdated for Truffle), and temporarily Slither until a fix is found (see crytic/slither#1319). Solhint will be fixed.

Does that sound reasonable?

[marcello33]

@marcello33, for this one and maticnetwork/contracts#440, we'd need to remove coverage (outdated for Truffle), and temporarily Slither until a fix is found (see crytic/slither#1319). Solhint will be fixed.

Does that sound reasonable?

Yes, @ZeroEkkusu sounds good to me, thanks

[marcello33]

@ZeroEkkusu just committed one more change to solve a vulnerability issue.
Please notify me when you are done here.

Checks are green, so theoretically LGTM

[ZeroEkkusu]

Done - sorry for not communicating it to you.

[marcello33]

Deprecated