Vulnerability Scanning on Third Party Deps #36506
…deps-parse-workflow
Sorry for the delay. Still hoping for answers to the open questions I had.
Apologies, I had several responses I needed to click "submit" for multiple responses.
@@ -0,0 +1,56 @@ | |||
name: Third party dependency scan |
What does "Notify the person who triggered it" mean? I'd prefer a notification, and not anything that could block developers, like a presubmit check. The new test added below should be the only new thing that engine team members need to pay attention to unless there's a vulnerability detected.
ci/deps_parser_tests.py (outdated)
} | ||
|
||
# Eval the content. | ||
exec(deps_content, global_scope_mirror, local_scope_mirror) |
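Review bot: `exec(deps_content, global_scope_mirror, local_scope_mirror)` runs the entire DEPS file as Python, so every statement in it executes in the test process, not just the `deps` dictionary, and with the real builtins unless the globals dict explicitly sets `__builtins__`. If the test only needs to read the `vars`/`deps` dictionaries, consider extracting them from `ast.parse(deps_content)` instead, or at minimum pass a globals dict with an empty `__builtins__` and only the `Var` helper the DEPS file needs.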
Is this resolved?
Co-authored-by: Zachary Anderson <[email protected]>
cc @zanderso I believe this is good for another review. All outstanding questions seem to be resolved.
This is getting close. Just a couple more comments.
Gold has detected about 1 new digest(s) on patchset 221.
lgtm w/ optional nit
Still not entirely sure I understand how this is going to work in practice, but we can tweak it as we go.
ci/scan_flattened_deps.py (outdated)
# dep[1] contains the mirror's pinned SHA | ||
# upstream is the origin repo | ||
dep_name = dep[0].split('/')[-1].split('.')[0] | ||
if UPSTREAM_PREFIX + dep_name in deps_list: |
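Review bot: `dep[0].split('/')[-1].split('.')[0]` truncates any dependency whose repository name contains a dot (a URL ending in `foo.bar.git` yields `foo`), so the `UPSTREAM_PREFIX + dep_name in deps_list` lookup would silently miss such a dep and it would never be scanned. Strip only a trailing `.git` suffix instead of splitting on every dot, e.g. `name = dep[0].rsplit('/', 1)[-1]` followed by `name = name[:-4] if name.endswith('.git') else name`.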
optional nit: flip the sense, do an early return, then un-indent the try: catch:

```python
if UPSTREAM_PREFIX + dep_name not in deps_list:
  print('did not find dep: ' + dep_name)
  return {}
try:
  ...
except ...:
  ...
  return {}
```
Thank you for this recommendation! I added this early return.
Looks like the PR needs a rebase to pass presubs.
Gold has detected about 1 new digest(s) on patchset 222.
…115952) * 399fca706 [web] Use generic variable name for trusted url (flutter/engine#37872) * acefe5f11 Vulnerability Scanning on Third Party Deps (flutter/engine#36506) * 8a40e8324 Roll Dart SDK from c32f12ffbef2 to a7d1f804fa27 (1 revision) (flutter/engine#37873)
- name: setup python | ||
uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6 | ||
with: | ||
python-version: '3.7.7' # install the python version needed |
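Review bot: `python-version: '3.7.7'` pins an exact patch release, which `actions/setup-python` can only satisfy if that precise build is present in the runner's toolcache or version manifest, so the step is fragile across runner image updates (the linked workflow run below is reported as failing). A minor-version spec such as `'3.7'` is more robust; the SHA-pinned `uses:` line is good practice and would read better with a trailing comment naming the release tag the hash corresponds to.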
Looks like this is failing https://github.com/flutter/engine/actions/runs/3566233289
…lutter#115952) * 399fca706 [web] Use generic variable name for trusted url (flutter/engine#37872) * acefe5f11 Vulnerability Scanning on Third Party Deps (flutter/engine#36506) * 8a40e8324 Roll Dart SDK from c32f12ffbef2 to a7d1f804fa27 (1 revision) (flutter/engine#37873)
Introduce a vulnerability-scanning GitHub workflow for the third-party dependencies defined in the DEPS file.
Project details
The main flow of the scanning is the following:
- extract third-party dependencies outlined in the DEPS file
- for each of those dependencies:
- display the SARIF file report on the Flutter Engine "Security" tab
For more details, see the design document link
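As an added example (not code from this PR or the engine repo), the following shows one way to read the `vars` and `deps` dictionaries out of a DEPS file by walking its AST rather than `exec`-ing it, and to pair each mirrored dependency with the upstream URL recorded in `vars`; the `upstream_` key convention and the sample DEPS text are assumptions made for the example.

```python
import ast

UPSTREAM_PREFIX = 'upstream_'  # assumed vars-key convention for mirrored deps

SAMPLE_DEPS = """# constructed sample DEPS content, not a real engine DEPS file
vars = {'flutter_git': 'https://flutter.googlesource.com',
        'upstream_harfbuzz': 'https://github.com/harfbuzz/harfbuzz.git'}
deps = {'src/third_party/harfbuzz': Var('flutter_git') + '/third_party/harfbuzz@abc123',
        'src/third_party/icu': {'url': Var('flutter_git') + '/third_party/icu.git@def456'}}
"""

def _string_value(node, variables):
    # Only the expression forms a DEPS value needs: str literal, Var('x') and '+'.
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return _string_value(node.left, variables) + _string_value(node.right, variables)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == 'Var' and len(node.args) == 1):
        return variables[_string_value(node.args[0], variables)]
    raise ValueError('unsupported DEPS expression at line %d' % node.lineno)

def parse_deps(source):
    """Return (vars, deps) by walking the AST of the DEPS text; nothing is executed."""
    variables, deps = {}, {}
    for stmt in ast.parse(source).body:
        names = [t.id for t in getattr(stmt, 'targets', []) if isinstance(t, ast.Name)]
        if names not in (['vars'], ['deps']) or not isinstance(stmt.value, ast.Dict):
            continue  # every statement other than `vars = {...}` / `deps = {...}` is skipped
        target = variables if names == ['vars'] else deps
        for key, node in zip(stmt.value.keys, stmt.value.values):
            if isinstance(node, ast.Dict):  # {'url': ..., 'condition': ...} entry form
                node = next(v for k, v in zip(node.keys, node.values)
                            if _string_value(k, variables) == 'url')
            target[_string_value(key, variables)] = _string_value(node, variables)
    return variables, deps

def mirrored_deps_with_upstream(source):
    """Map dep name -> (pinned SHA, upstream URL) for deps that declare an upstream var."""
    variables, deps = parse_deps(source)
    found = {}
    for spec in deps.values():
        url, _, sha = spec.rpartition('@')
        name = url.rsplit('/', 1)[-1]
        name = name[:-4] if name.endswith('.git') else name  # keep dots inside names
        if UPSTREAM_PREFIX + name in variables:
            found[name] = (sha, variables[UPSTREAM_PREFIX + name])
    return found
```

Any DEPS expression outside the supported subset (a function call other than `Var`, an attribute access, an import) raises `ValueError` instead of running, which is the property the `exec`-based parser lacks.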
Resolves b/230824334
Recipe Test:
- Successful recipe run for test outlined in tests.yaml: https://chromium-swarm.appspot.com/task?id=5d7f4dc5008f7810
- Recipe will be added to recipes/engine, which will trigger the tests defined in tests.yaml
- engine/engine_lint recipe updated to ensure that the DEPS file has the correct dependency metadata -- for mirrored deps it is essential to have the upstream repo url in the DEPS file
- Successful recipe test: https://chromium-swarm.appspot.com/task?id=5dccb000b2594810