flutter
Vulnerability Scanning on Third Party Deps
Introduce vulnerability scanning github workflow on third party dependencies defined in the DEPS file.
Project details The main flow of the scanning is the following: extract third party dependencies outlined in the DEPS file for each of those dependencies:
- check there is a pinned commit hash value
- use the corresponding upstream dependency url (found in DEPS file, vars section) to find a commit hash that the mirror dependency has most recently in common
- use the above commit hash in common to query the Open Source Vulnerability database for potential vulnerabilities on the dependency
- if a vulnerability is found, add the details to a SARIF file display the SARIF file report on the Flutter Engine "Security" tab For more details, see the design document link
Resolves b/230824334
Recipe Test: ~Successful recipe run for test outlined in tests.yaml https://chromium-swarm.appspot.com/task?id=5d7f4dc5008f7810~ ~Recipe will be added to recipes/engine which will trigger the tests defined in tests.yaml~ engine/engine_lint recipe updated to ensure that the DEPS file has the correct dependency metadata -- for mirrored deps it is essential to have the upstream repo url in the DEPS file Successful recipe test: https://chromium-swarm.appspot.com/task?id=5dccb000b2594810
Pre-launch Checklist
- [x] I read the Contributor Guide and followed the process outlined there for submitting PRs.
- [x] I read the Tree Hygiene wiki page, which explains my responsibilities.
- [x] I read and followed the Flutter Style Guide and the C++, Objective-C, Java style guides.
- [x] I listed at least one issue that this PR fixes in the description above.
- [x] I added new tests to check the change I am making or feature I am adding, or Hixie said the PR is test-exempt. See testing the engine for instructions on writing and running engine tests.
- [x] I updated/added relevant documentation (doc comments with
///). - [x] I signed the CLA.
- [x] All existing and new tests are passing.
If you need help, consider asking for advice on the #hackers-new channel on Discord.
The presubmits are failing on a couple of lints:
************* Module ci.scan_flattened_deps
ci/scan_flattened_deps.py:15:0: E0401: Unable to import 'requests' (import-error)
ci/scan_flattened_deps.py:262:13: W0703: Catching too general exception Exception (broad-except)
From Triage: @sealesj Is this stale or are you still looking for a review. @zanderso wasn't sure which PR to review.
Gold has detected about 1 new digest(s) on patchset 201. View them at https://flutter-engine-gold.skia.org/cl/github/36506
@zanderso I need to use 'setUp' in lower-camel-case for the python unittest framework, but I can change the other methods to follow this style as well if necessary. I was following the example naming convention here https://docs.python.org/3/library/unittest.html#organizing-test-code
@zanderso I need to use 'setUp' in lower-camel-case for the python unittest framework, but I can change the other methods to follow this style as well if necessary. I was following the example naming convention here https://docs.python.org/3/library/unittest.html#organizing-test-code
Ahh, I see. I think our yapf setup might prefer the lower_case_underscore style. In that case, can you note the exception for setUp in a comment?
Sorry for the delay. Still hoping for answers to the open questions I had.
Apologies, I had several responses I needed to click "submit" for multiple responses
cc @zanderso I believe this is good for another review. All outstanding questions seem to be resolved.
Gold has detected about 1 new digest(s) on patchset 221. View them at https://flutter-engine-gold.skia.org/cl/github/36506
Gold has detected about 1 new digest(s) on patchset 222. View them at https://flutter-engine-gold.skia.org/cl/github/36506