Vulnerability Scanning on Third Party Deps (#36506)

sealesj · zanderso · web-flow · commit acefe5f11a43 · 2022-11-23T15:07:43.000-05:00
* initial flatten deps scan

* move 3rd party scan to separate action

* allow fork to run

* install requests

* use packages

* pip install

* rename

* conditional vuln report

* trailing whitespace

* trailing whitespace

* detailed print

* add testing file

* add upload test sarif

* results sarif

* move sarif

* upload modified sarif

* test flow

* test with results.sarif

* formatting

* test naming convention

* description with text in artifactLocation

* don't use locations

* use template sarif

* just use template

* add one field mod

* add another field mod

* use actual osvReport

* add field

* add field

* test

* no information uri

* no information uri

* add name

* template NA data for results

* back to minimal template

* dynamic rules

* template update

* no results

* only use template

* test

* new test

* new test

* add back locations

* descriptive fields

* test

* use package name

* variable commit hash

* add chromium accessibility readme support

* use batch query test

* clean up

* use variables for sarif template

* initial automating ancestor commit

* allow for workflow on testing

* install gitpython in workflow

* wrap in try

* expand try

* check commit is not none

* quiet clone

* fix commit newline

* proper print for failed deps

* remove gitpython

* remove import

* fix origin source

* remove .dart from dep names

* update dep

* typo

* update

* clone into controlled name repo now

* fix github upstream clone url

* test CVE finding

* use templated rule and result

* typo

* remove test CVE

* add link straight to OSV DB

* comments

* use os mkdir

* check time of pinned commit

* quiet git

* print osv api query results if vulns found

* move upstream mapping into DEPS file

* add testing for DEPS file

* add khronos exception

* add basic ancestor commit test

* no vulns message

* do not produce empty sarif

* add yaml

* remove unused python dep

* no change?

* no more print, causing recipe issues

* string test

* string test

* no more fstrings

* convert to .format

* syntax

* remove unused dep

* test

* switch test script

* no encoding

* add back test

* typo

* remove scan flat deps tests again

* update

* fix tests

* typo

* newline

* use checkout dir

* prefix

* update to use prefix

* lint

* runhook attempt

* lint

* lint

* lint

* lint

* no license blurb

* cleanup

* enable for main

* do not raise error

* run on branch

* data indentation

* check file existence

* workflow updates

* add push for testing

* syntax

* workflow test

* test github action

* syntax

* allow empty report

* update cron

* pin hash

* newline

* sort by key with prefix omitted

* alphabetize, copyright header

* pylint tests

* lint

* lint

* trailing whitespace?

* lint

* update

* get error types

* allow test

* use output

* only main branch

* licenses check

* results.sarif

* revert

* license updates

* add upstream

* replace Requests library with urllib, remove pylint wrapper

* lint

* undo license

* clone test nit

* isinstance

* DEPS formatting

Co-authored-by: Zachary Anderson &lt;zanderso@users.noreply.github.com&gt;

* use subprocess.check_output

* lint

* lint

* review syntax from comments

* remove line

* more description in error

* lint

* fix checkout path

* remove duplicate eval

* lint

* lint

* lint

* clone-test mkdir and cleanup

* use shutil.rmtree for non-empty dir

* lint

* linting

* linting

* var name

* Update ci/deps_parser_tests.py

Co-authored-by: Zachary Anderson &lt;zanderso@users.noreply.github.com&gt;

* Update ci/deps_parser_tests.py

Co-authored-by: Zachary Anderson &lt;zanderso@users.noreply.github.com&gt;

* more description

* lint

* refactor deps file parsing

* early return

* lint

Co-authored-by: Zachary Anderson &lt;zanderso@users.noreply.github.com&gt;
diff --git a/.github/workflows/third_party_scan.yml b/.github/workflows/third_party_scan.yml
@@ -0,0 +1,56 @@
+name: Third party dependency scan
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+    branches: [ main ]
+    schedule:
+      - cron: "0 8 * * *" # runs daily at 08:00
+
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Third party dependency scan
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        with:
+          persist-credentials: false
+
+      - name: setup python
+        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
+        with:
+          python-version: '3.7.7' # install the python version needed
+
+      - name: install dependency
+        run: pip install git+https://github.com/psf/requests.git@4d394574f5555a8ddcc38f707e0c9f57f55d9a3b
+
+      - name: execute py script
+        run: python ci/deps_parser.py 
+      
+      - name: parse deps_parser output.txt
+        run: python ci/scan_flattened_deps.py 
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        with:
+          name: SARIF file
+          path: osvReport.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108
+        with:
+          sarif_file: osvReport.sarif
diff --git a/DEPS b/DEPS
@@ -97,6 +97,122 @@ vars = {
 
   # Setup Git hooks by default.
   "setup_githooks": True,
+
+  # Upstream URLs for third party dependencies, used in
+  # determining common ancestor commit for vulnerability scanning
+  # prefixed with 'upstream_' in order to be identified by parsing tool.
+  # The vulnerabiity database being used in this scan can be browsed
+  # using this UI https://osv.dev/list
+  # If a new dependency needs to be added, the upstream (non-mirrored)
+  # git URL for that dependency should be added to this list 
+  # with the key-value pair being:
+  # 'upstream_[dep name from last slash and before .git in URL]':'[git URL]'
+  # example: 
+  "upstream_abseil-cpp": "https://github.com/abseil/abseil-cpp.git",
+  "upstream_angle": "https://github.com/google/angle.git",
+  "upstream_archive": "https://github.com/brendan-duncan/archive.git",
+  "upstream_args": "https://github.com/dart-lang/args.git",
+  "upstream_async": "https://github.com/dart-lang/async.git",
+  "upstream_bazel_worker": "https://github.com/dart-lang/bazel_worker.git",
+  "upstream_benchmark": "https://github.com/google/benchmark.git",
+  "upstream_boolean_selector": "https://github.com/dart-lang/boolean_selector.git",
+  "upstream_boringssl_gen": "https://github.com/dart-lang/boringssl_gen.git",
+  "upstream_boringssl": "https://github.com/openssl/openssl.git",
+  "upstream_browser_launcher": "https://github.com/dart-lang/browser_launcher.git",
+  "upstream_buildroot": "https://github.com/flutter/buildroot.git",
+  "upstream_cli_util": "https://github.com/dart-lang/cli_util.git",
+  "upstream_clock": "https://github.com/dart-lang/clock.git",
+  "upstream_collection": "https://github.com/dart-lang/collection.git",
+  "upstream_colorama": "https://github.com/tartley/colorama.git",
+  "upstream_convert": "https://github.com/dart-lang/convert.git",
+  "upstream_crypto": "https://github.com/dart-lang/crypto.git",
+  "upstream_csslib": "https://github.com/dart-lang/csslib.git",
+  "upstream_dart_style": "https://github.com/dart-lang/dart_style.git",
+  "upstream_dartdoc": "https://github.com/dart-lang/dartdoc.git",
+  "upstream_equatable": "https://github.com/felangel/equatable.git",
+  "upstream_ffi": "https://github.com/dart-lang/ffi.git",
+  "upstream_file": "https://github.com/google/file.dart.git",
+  "upstream_fixnum": "https://github.com/dart-lang/fixnum.git",
+  "upstream_flatbuffers": "https://github.com/google/flatbuffers.git",
+  "upstream_fontconfig": "https://gitlab.freedesktop.org/fontconfig/fontconfig.git",
+  "upstream_freetype2": "https://gitlab.freedesktop.org/freetype/freetype.git",
+  "upstream_gcloud": "https://github.com/dart-lang/gcloud.git",
+  "upstream_glfw": "https://github.com/glfw/glfw.git",
+  "upstream_glob": "https://github.com/dart-lang/glob.git",
+  "upstream_googleapis": "https://github.com/google/googleapis.dart.git",
+  "upstream_googletest": "https://github.com/google/googletest.git",
+  "upstream_gtest-parallel": "https://github.com/google/gtest-parallel.git",
+  "upstream_harfbuzz": "https://github.com/harfbuzz/harfbuzz.git",
+  "upstream_html": "https://github.com/dart-lang/html.git",
+  "upstream_http_multi_server": "https://github.com/dart-lang/http_multi_server.git",
+  "upstream_http_parser": "https://github.com/dart-lang/http_parser.git",
+  "upstream_http": "https://github.com/dart-lang/http.git",
+  "upstream_icu": "https://github.com/unicode-org/icu.git",
+  "upstream_imgui": "https://github.com/ocornut/imgui.git",
+  "upstream_inja": "https://github.com/pantor/inja.git",
+  "upstream_json": "https://github.com/nlohmann/json.git",
+  "upstream_json_rpc_2": "https://github.com/dart-lang/json_rpc_2.git",
+  "upstream_libcxx": "https://github.com/llvm-mirror/libcxx.git",
+  "upstream_libcxxabi": "https://github.com/llvm-mirror/libcxxabi.git",
+  "upstream_libexpat": "https://github.com/libexpat/libexpat.git",
+  "upstream_libjpeg-turbo": "https://github.com/libjpeg-turbo/libjpeg-turbo.git",
+  "upstream_libpng": "https://github.com/glennrp/libpng.git",
+  "upstream_libtess2": "https://github.com/memononen/libtess2.git",
+  "upstream_libwebp": "https://chromium.googlesource.com/webm/libwebp.git",
+  "upstream_libxml": "https://gitlab.gnome.org/GNOME/libxml2.git",
+  "upstream_linter": "https://github.com/dart-lang/linter.git",
+  "upstream_logging": "https://github.com/dart-lang/logging.git",
+  "upstream_markdown": "https://github.com/dart-lang/markdown.git",
+  "upstream_matcher": "https://github.com/dart-lang/matcher.git",
+  "upstream_mime": "https://github.com/dart-lang/mime.git",
+  "upstream_mockito": "https://github.com/dart-lang/mockito.git",
+  "upstream_oauth2": "https://github.com/dart-lang/oauth2.git",
+  "upstream_ocmock": "https://github.com/erikdoe/ocmock.git",
+  "upstream_package_config": "https://github.com/dart-lang/package_config.git",
+  "upstream_packages": "https://github.com/flutter/packages.git",
+  "upstream_path": "https://github.com/dart-lang/path.git",
+  "upstream_platform": "https://github.com/google/platform.dart.git",
+  "upstream_pool": "https://github.com/dart-lang/pool.git",
+  "upstream_process_runner": "https://github.com/google/process_runner.git",
+  "upstream_process": "https://github.com/google/process.dart.git",
+  "upstream_protobuf": "https://github.com/google/protobuf.dart.git",
+  "upstream_pub_semver": "https://github.com/dart-lang/pub_semver.git",
+  "upstream_pub": "https://github.com/dart-lang/pub.git",
+  "upstream_pyyaml": "https://github.com/yaml/pyyaml.git",
+  "upstream_quiver-dart": "https://github.com/google/quiver-dart.git",
+  "upstream_rapidjson": "https://github.com/Tencent/rapidjson.git",
+  "upstream_root_certificates": "https://github.com/dart-lang/root_certificates.git",
+  "upstream_sdk": "https://github.com/dart-lang/sdk.git",
+  "upstream_shaderc": "https://github.com/google/shaderc.git",
+  "upstream_shelf": "https://github.com/dart-lang/shelf.git",
+  "upstream_skia": "https://skia.googlesource.com/skia.git",
+  "upstream_source_map_stack_trace": "https://github.com/dart-lang/source_map_stack_trace.git",
+  "upstream_source_maps": "https://github.com/dart-lang/source_maps.git",
+  "upstream_source_span": "https://github.com/dart-lang/source_span.git",
+  "upstream_sqlite": "https://github.com/sqlite/sqlite.git",
+  "upstream_sse": "https://github.com/dart-lang/sse.git",
+  "upstream_stack_trace": "https://github.com/dart-lang/stack_trace.git",
+  "upstream_stream_channel": "https://github.com/dart-lang/stream_channel.git",
+  "upstream_string_scanner": "https://github.com/dart-lang/string_scanner.git",
+  "upstream_SwiftShader": "https://swiftshader.googlesource.com/SwiftShader.git",
+  "upstream_term_glyph": "https://github.com/dart-lang/term_glyph.git",
+  "upstream_test_reflective_loader": "https://github.com/dart-lang/test_reflective_loader.git",
+  "upstream_test": "https://github.com/dart-lang/test.git",
+  "upstream_tinygltf": "https://github.com/syoyo/tinygltf.git",
+  "upstream_typed_data": "https://github.com/dart-lang/typed_data.git",
+  "upstream_usage": "https://github.com/dart-lang/usage.git",
+  "upstream_vector_math": "https://github.com/google/vector_math.dart.git",
+  "upstream_Vulkan-Headers": "https://github.com/KhronosGroup/Vulkan-Headers.git",
+  "upstream_VulkanMemoryAllocator": "https://github.com/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator.git",
+  "upstream_watcher": "https://github.com/dart-lang/watcher.git",
+  "upstream_web_socket_channel": "https://github.com/dart-lang/web_socket_channel.git",
+  "upstream_webdev": "https://github.com/dart-lang/webdev.git",
+  "upstream_webkit_inspection_protocol": "https://github.com/google/webkit_inspection_protocol.dart.git",
+  "upstream_wuffs-mirror-release-c": "https://github.com/google/wuffs-mirror-release-c.git",
+  "upstream_yaml_edit": "https://github.com/dart-lang/yaml_edit.git",
+  "upstream_yaml": "https://github.com/dart-lang/yaml.git",
+  "upstream_yapf": "https://github.com/google/yapf.git",
+  "upstream_zlib": "https://github.com/madler/zlib.git",
 }
 
 gclient_gn_args_file = 'src/third_party/dart/build/config/gclient_args.gni'
diff --git a/ci/deps_parser.py b/ci/deps_parser.py
@@ -3,7 +3,7 @@
 # Copyright 2013 The Flutter Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
-
+#
 # Usage: deps_parser.py --deps <DEPS file> --output <flattened deps>
 #
 # This script parses the DEPS file, extracts the fully qualified dependencies
@@ -12,11 +12,16 @@
 
 import argparse
 import os
+import re
 import sys
 
 SCRIPT_DIR = os.path.dirname(sys.argv[0])
 CHECKOUT_ROOT = os.path.realpath(os.path.join(SCRIPT_DIR, '..'))
 
+CHROMIUM_README_FILE = 'third_party/accessibility/README.md'
+CHROMIUM_README_COMMIT_LINE = 4  # the fifth line will always contain the commit hash
+CHROMIUM = 'https://chromium.googlesource.com/chromium/src'
+
 
 # Used in parsing the DEPS file.
 class VarImpl:
@@ -55,15 +60,30 @@ def parse_deps_file(deps_file):
   # Extract the deps and filter.
   deps = local_scope.get('deps', {})
   filtered_deps = []
-  for val in deps.values():
+  for _, dep in deps.items():
     # We currently do not support packages or cipd which are represented
     # as dictionaries.
-    if isinstance(val, str):
-      filtered_deps.append(val)
-
+    if isinstance(dep, str):
+      filtered_deps.append(dep)
   return filtered_deps
 
 
+def parse_readme(deps):
+  """
+  Opens the Flutter Accessibility Library README and uses the commit hash
+  found in the README to check for viulnerabilities.
+  The commit hash in this README will always be in the same format
+  """
+  file_path = os.path.join(CHECKOUT_ROOT, CHROMIUM_README_FILE)
+  with open(file_path) as file:
+    # read the content of the file opened
+    content = file.readlines()
+    commit_line = content[CHROMIUM_README_COMMIT_LINE]
+    commit = re.search(r'(?<=\[).*(?=\])', commit_line)
+    deps.append(CHROMIUM + '@' + commit.group())
+    return deps
+
+
 def write_manifest(deps, manifest_file):
   print('\n'.join(sorted(deps)))
   with open(manifest_file, 'w') as manifest:
@@ -97,6 +117,7 @@ def parse_args(args):
 def main(argv):
   args = parse_args(argv)
   deps = parse_deps_file(args.deps)
+  deps = parse_readme(deps)
   write_manifest(deps, args.output)
   return 0
 
diff --git a/ci/deps_parser_tests.py b/ci/deps_parser_tests.py
@@ -0,0 +1,88 @@
+#!/usr/bin/env python3
+#
+# Copyright 2013 The Flutter Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import os
+import sys
+import unittest
+from deps_parser import VarImpl
+
+SCRIPT_DIR = os.path.dirname(sys.argv[0])
+CHECKOUT_ROOT = os.path.realpath(os.path.join(SCRIPT_DIR, '..'))
+DEPS = os.path.join(CHECKOUT_ROOT, 'DEPS')
+UPSTREAM_PREFIX = 'upstream_'
+
+
+class TestDepsParserMethods(unittest.TestCase):
+  # Extract both mirrored dep names and URLs &
+  # upstream names and URLs from DEPs file.
+  def setUp(self):  # lower-camel-case for the python unittest framework
+    # Read the content.
+    with open(DEPS, 'r') as file:
+      deps_content = file.read()
+
+    local_scope_mirror = {}
+    var = VarImpl(local_scope_mirror)
+    global_scope_mirror = {
+        'Var': var.lookup,
+        'deps_os': {},
+    }
+
+    # Eval the content.
+    exec(deps_content, global_scope_mirror, local_scope_mirror)
+
+    # Extract the upstream URLs
+    # vars contains more than just upstream URLs
+    # however the upstream URLs are prefixed with 'upstream_'
+    upstream = local_scope_mirror.get('vars')
+    self.upstream_urls = upstream
+
+    # Extract the deps and filter.
+    deps = local_scope_mirror.get('deps', {})
+    filtered_deps = []
+    for _, dep in deps.items():
+      # We currently do not support packages or cipd which are represented
+      # as dictionaries.
+      if isinstance(dep, str):
+        filtered_deps.append(dep)
+    self.deps = filtered_deps
+
+  def test_each_dep_has_upstream_url(self):
+    # For each DEP in the deps file, check for an associated upstream URL in deps file.
+    for dep in self.deps:
+      dep_repo = dep.split('@')[0]
+      dep_name = dep_repo.split('/')[-1].split('.')[0]
+      # vulkan-deps and khronos do not have one upstream URL
+      # all other deps should have an associated upstream URL for vuln scanning purposes
+      if dep_name not in ('vulkan-deps', 'khronos'):
+        # Add the prefix on the dep name when searching for the upstream entry.
+        self.assertTrue(
+            UPSTREAM_PREFIX + dep_name in self.upstream_urls,
+            msg=dep_name + ' not found in upstream URL list. ' +
+            'Each dep in the "deps" section of DEPS file must have associated upstream URL'
+        )
+
+  def test_each_upstream_url_has_dep(self):
+    # Parse DEPS into dependency names.
+    deps_names = []
+    for dep in self.deps:
+      dep_repo = dep.split('@')[0]
+      dep_name = dep_repo.split('/')[-1].split('.')[0]
+      deps_names.append(dep_name)
+
+    # For each upstream URL dep, check it exists as in DEPS.
+    for upsream_dep in self.upstream_urls:
+      # Only test on upstream deps in vars section which start with the upstream prefix
+      if upsream_dep.startswith(UPSTREAM_PREFIX):
+        # Strip the prefix to check that it has a corresponding dependency in the DEPS file
+        self.assertTrue(
+            upsream_dep[len(UPSTREAM_PREFIX):] in deps_names,
+            msg=upsream_dep + ' from upstream list not found in DEPS. ' +
+            'Each upstream URL in DEPS file must have an associated dep in the "deps" section'
+        )
+
+
+if __name__ == '__main__':
+  unittest.main()
diff --git a/ci/scan_flattened_deps.py b/ci/scan_flattened_deps.py
