Re-Enable Vulnerability 3p Scanning Workflow (flutter/engine#42049)

After migrating to standalone yaml (rather than included as a part of the scorecards yaml), the vuln scanning workflow needs to be re-enabled with sarif results uploading to the dashboard under the security tab. A successful test run of this workflow can be seen at https://github.com/flutter/engine/actions/runs/4982210161 (in linked run, fails to upload SARIF file given lack of permissions on any branch besides default)

This change also adds use of cwd in python subprocess commands rather than using directory prefix in command string.

Addresses b/280294707

*If you had to change anything in the [flutter/tests] repo, include a link to the migration guide as per the [breaking change policy].*

[C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style

engine/src/flutter/.github/workflows/third_party_scan.yml

@@ -22,5 +22,19 @@ jobs:
         uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
         with:
           python-version: '3.7.7' # install the python version needed
-      - name: "execute py script"
+      - name: "extract and flatten deps"
         run: python ci/deps_parser.py
+      - name: "scan deps for vulnerabilities"
+        run: python ci/scan_flattened_deps.py
+      # Upload the results as artifacts.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        with:
+          name: SARIF file
+          path: osvReport.sarif
+          retention-days: 5
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to security tab"
+        uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
+        with:
+          sarif_file: osvReport.sarif

engine/src/flutter/ci/scan_flattened_deps.py

@@ -33,10 +33,15 @@ failed_deps = []  # deps which fail to be cloned or git-merge based
 sarif_log = {
     '$schema':
         'https://json.schemastore.org/sarif-2.1.0.json', 'version':
-            '2.1.0', 'runs': [{
-                'tool': {'driver': {'name': 'OSV Scan', 'rules': []}},
-                'results': []
-            }]
+            '2.1.0',
+    'runs': [{
+        'tool': {
+            'driver': {
+                'name': 'OSV Scan', 'informationUri': 'https://osv.dev/',
+                'semanticVersion': '1.0.0', 'rules': []
+            }
+        }, 'results': []
+    }]
 }
 
 
@@ -49,9 +54,7 @@ def sarif_result():
       'ruleId':
           'N/A', 'message': {'text': 'OSV Scan Finding'}, 'locations': [{
               'physicalLocation': {
-                  'artifactLocation': {
-                      'uri': 'No location associated with this finding'
-                  },
+                  'artifactLocation': {'uri': 'DEPS'},
                   'region': {'startLine': 1, 'startColumn': 1, 'endColumn': 1}
               }
           }]
@@ -184,9 +187,8 @@ def get_common_ancestor_commit(dep, deps_list):
     upstream = deps_list.get(UPSTREAM_PREFIX + dep_name)
     temp_dep_dir = DEP_CLONE_DIR + '/' + dep_name
     # clone dependency from mirror
-    subprocess.check_output([
-        'git', 'clone', '--quiet', '--', dep[0], temp_dep_dir
-    ])
+    subprocess.check_output(['git', 'clone', '--quiet', '--', dep[0], dep_name],
+                            cwd=DEP_CLONE_DIR)
 
     # create branch that will track the upstream dep
     print(
@@ -194,36 +196,30 @@ def get_common_ancestor_commit(dep, deps_list):
             upstream=upstream
         )
     )
-    subprocess.check_output([
-        'git', '--git-dir', temp_dep_dir + '/.git', 'remote', 'add', 'upstream',
-        upstream
-    ])
-    subprocess.check_output([
-        'git', '--git-dir', temp_dep_dir + '/.git', 'fetch', '--quiet',
-        'upstream'
-    ])
+    subprocess.check_output(['git', 'remote', 'add', 'upstream', upstream],
+                            cwd=temp_dep_dir)
+    subprocess.check_output(['git', 'fetch', '--quiet', 'upstream'],
+                            cwd=temp_dep_dir)
     # get name of the default branch for upstream (e.g. main/master/etc.)
     default_branch = subprocess.check_output(
-        'git --git-dir ' + temp_dep_dir + '/.git remote show upstream ' +
-        "| sed -n \'/HEAD branch/s/.*: //p\'",
+        'git remote show upstream ' + "| sed -n \'/HEAD branch/s/.*: //p\'",
+        cwd=temp_dep_dir,
         shell=True
     )
     default_branch = byte_str_decode(default_branch)
     default_branch = default_branch.strip()
-    print(
-        'default_branch found: {default_branch}'.format(
-            default_branch=default_branch
-        )
-    )
+
     # make upstream branch track the upstream dep
     subprocess.check_output([
-        'git', '--git-dir', temp_dep_dir + '/.git', 'checkout', '-b',
-        'upstream', '--track', 'upstream/' + default_branch
-    ])
+        'git', 'checkout', '--force', '-b', 'upstream', '--track',
+        'upstream/' + default_branch
+    ],
+                            cwd=temp_dep_dir)
     # get the most recent commit from default branch of upstream
     commit = subprocess.check_output(
-        'git --git-dir ' + temp_dep_dir + '/.git for-each-ref ' +
+        'git for-each-ref ' +
         "--format=\'%(objectname:short)\' refs/heads/upstream",
+        cwd=temp_dep_dir,
         shell=True
     )
     commit = byte_str_decode(commit)
@@ -231,9 +227,8 @@ def get_common_ancestor_commit(dep, deps_list):
 
     # perform merge-base on most recent default branch commit and pinned mirror commit
     ancestor_commit = subprocess.check_output(
-        'git --git-dir {temp_dep_dir}/.git merge-base {commit} {depUrl}'.format(
-            temp_dep_dir=temp_dep_dir, commit=commit, depUrl=dep[1]
-        ),
+        'git merge-base {commit} {depUrl}'.format(commit=commit, depUrl=dep[1]),
+        cwd=temp_dep_dir,
         shell=True
     )
     ancestor_commit = byte_str_decode(ancestor_commit)