Vulnerability Scanning on Third Party Deps #36506
Conversation
Apologies, I had several responses I needed to click "submit" for multiple responses |
| @@ -0,0 +1,56 @@ | |||
| name: Third party dependency scan | |||
There was a problem hiding this comment.
What does "Notify the person who triggered it" mean? I'd prefer a notification, and not anything that could block developers, like a presubmit check. The new test added below should be the only new thing that engine team members need to pay attention to unless there's a vulnerability detected.
ci/deps_parser_tests.py
Outdated
| } | ||
|
|
||
| # Eval the content. | ||
| exec(deps_content, global_scope_mirror, local_scope_mirror) |
Co-authored-by: Zachary Anderson <[email protected]>
Co-authored-by: Zachary Anderson <[email protected]>
|
cc @zanderso I believe this is good for another review. All outstanding questions seem to be resolved. |
|
Gold has detected about 1 new digest(s) on patchset 221. |
ci/scan_flattened_deps.py
Outdated
| # dep[1] contains the mirror's pinned SHA | ||
| # upstream is the origin repo | ||
| dep_name = dep[0].split('/')[-1].split('.')[0] | ||
| if UPSTREAM_PREFIX + dep_name in deps_list: |
There was a problem hiding this comment.
optional nit: flip the sense, do an early return, then un-indent the try: catch::
if UPSTREAM_PREFIX + dep_name not in deps_list:
print('did not find dep: ' + dep_name)
return {}
try:
...
except ...:
...
return {}There was a problem hiding this comment.
Thank you for this recommendation! I added this early return.
|
Looks like the PR needs a rebase to pass presubs. |
|
Gold has detected about 1 new digest(s) on patchset 222. |
sealesj
added
the
autosubmit
…115952) * 399fca706 [web] Use generic variable name for trusted url (flutter/engine#37872) * acefe5f11 Vulnerability Scanning on Third Party Deps (flutter/engine#36506) * 8a40e8324 Roll Dart SDK from c32f12ffbef2 to a7d1f804fa27 (1 revision) (flutter/engine#37873)
| - name: setup python | ||
| uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 | ||
| with: | ||
| python-version: '3.7.7' # install the python version needed |
There was a problem hiding this comment.
Looks like this is failing https://github.com/flutter/engine/actions/runs/3566233289
…lutter#115952) * 399fca706 [web] Use generic variable name for trusted url (flutter/engine#37872) * acefe5f11 Vulnerability Scanning on Third Party Deps (flutter/engine#36506) * 8a40e8324 Roll Dart SDK from c32f12ffbef2 to a7d1f804fa27 (1 revision) (flutter/engine#37873)
…lutter#115952) * 399fca706 [web] Use generic variable name for trusted url (flutter/engine#37872) * acefe5f11 Vulnerability Scanning on Third Party Deps (flutter/engine#36506) * 8a40e8324 Roll Dart SDK from c32f12ffbef2 to a7d1f804fa27 (1 revision) (flutter/engine#37873)
Introduce vulnerability scanning github workflow on third party dependencies defined in the DEPS file.
Project details
The main flow of the scanning is the following:
extract third party dependencies outlined in the DEPS file
for each of those dependencies:
display the SARIF file report on the Flutter Engine "Security" tab
For more details, see the design document link
Resolves b/230824334
Recipe Test:
Successful recipe run for test outlined in tests.yaml https://chromium-swarm.appspot.com/task?id=5d7f4dc5008f7810Recipe will be added to recipes/engine which will trigger the tests defined in tests.yamlengine/engine_lint recipe updated to ensure that the DEPS file has the correct dependency metadata -- for mirrored deps it is essential to have the upstream repo url in the DEPS file
Successful recipe test: https://chromium-swarm.appspot.com/task?id=5dccb000b2594810
Pre-launch Checklist
writing and running engine tests.
///).If you need help, consider asking for advice on the #hackers-new channel on Discord.