dependencies: last_updated and project_desc metadata. (#13263)

* Added mandatory last_updated metadata to track when a dependency was
  last updated. Backfilled existing dependencies based primarily on
  when the dependency was released, and in some cases based on Envoy
  git history.

* Added project_desc metadata to provide a human understandable
  statement about projects.

* Updated CPEs using the latest CPE database. There were a number of
  dataplane components with missing CPEs.

* Corrected use_category for a number of components.

Risk level: Low
Testing: Build, dashboard inspection.

Part of #12673.

Signed-off-by: Harvey Tuch <[email protected]>

DEPENDENCY_POLICY.md

@@ -21,12 +21,14 @@ An example entry for the `nghttp2` dependency is:
 ```python
 com_github_nghttp2_nghttp2 = dict(
     project_name = "Nghttp2",
+    project_desc = "Implementation of HTTP/2 and its header compression ...",
     project_url = "https://nghttp2.org",
     version = "1.41.0",
     sha256 = "eacc6f0f8543583ecd659faf0a3f906ed03826f1d4157b536b4b385fe47c5bb8",
     strip_prefix = "nghttp2-{version}",
     urls = ["https://github.com/nghttp2/nghttp2/releases/download/v{version}/nghttp2-{version}.tar.gz"],
     use_category = ["dataplane"],
+    last_updated = "2020-06-02",
     cpe = "cpe:2.3:a:nghttp2:nghttp2:*",
 ),
 ```
@@ -40,9 +42,11 @@ Dependency declarations must:
   `{dash_version}`.
 * Versions should prefer release versions over master branch GitHub SHA tarballs. A comment is
   necessary if the latter is used. This comment should contain the reason that a non-release
-  version is being used and the YYYY-MM-DD when the last update was performed.
+  version is being used.
 * Provide accurate entries for `use_category`. Please think carefully about whether there are data
   or control plane implications of the dependency.
+* Reflect the date (YYYY-MM-DD) at which they were last updated in the `last_updated` field. This
+  date is preferably the date at which the PR is created.
 * CPEs are compulsory for all dependencies that are not purely build/test.
   [CPEs](https://en.wikipedia.org/wiki/Common_Platform_Enumeration) provide metadata that allow us
   to correlate with related CVEs in dashboards and other tooling, and also provide a machine

bazel/repositories.bzl

@@ -41,8 +41,15 @@ def _repository_locations():
             _fail_missing_attribute("project_name", key)
         mutable_location.pop("project_name")
 
+        if "project_desc" not in location:
+            _fail_missing_attribute("project_desc", key)
+        mutable_location.pop("project_desc")
+
         if "project_url" not in location:
             _fail_missing_attribute("project_url", key)
+        s = location["project_url"]
+        if not s.startswith("https://") and not s.startswith("http://"):
+            fail("project_url must start with https:// or http://: " + s)
         mutable_location.pop("project_url")
 
         if "version" not in location:
@@ -53,7 +60,21 @@ def _repository_locations():
             _fail_missing_attribute("use_category", key)
         mutable_location.pop("use_category")
 
+        if "last_updated" not in location:
+            _fail_missing_attribute("last_updated", key)
+        s = location["last_updated"]
+
+        # Starlark doesn't have regexes.
+        if len(s) != 10 or s[4] != "-" or s[7] != "-":
+            fail("last_updated must match YYYY-DD-MM: " + s)
+        mutable_location.pop("last_updated")
+
         if "cpe" in location:
+            s = location["cpe"]
+
+            # Starlark doesn't have regexes.
+            if s != "N/A" and (not s.startswith("cpe:2.3:a:") or not s.endswith(":*") and len(s.split(":")) != 6):
+                fail("CPE must match cpe:2.3:a:<facet>:<facet>:*: " + s)
             mutable_location.pop("cpe")
         elif not [category for category in USE_CATEGORIES_WITH_CPE_OPTIONAL if category in location["use_category"]]:
             _fail_missing_attribute("cpe", key)