From d41a0690bcef0147fe47a1881c0a99f9cb37e020 Mon Sep 17 00:00:00 2001
From: Jesse Seales <103135467+sealesj@users.noreply.github.com>
Date: Wed, 17 May 2023 12:22:58 -0400
Subject: [PATCH] Re-Enable Vulnerability 3p Scanning Workflow (flutter/engine#42049)
After migrating to standalone yaml (rather than included as a part of the scorecards yaml), the vuln scanning workflow needs to be re-enabled with sarif results uploading to the dashboard under the security tab. A successful test run of this workflow can be seen at https://github.com/flutter/engine/actions/runs/4982210161 (in linked run, fails to upload SARIF file given lack of permissions on any branch besides default) This change also adds use of cwd in python subprocess commands rather than using directory prefix in command string. Addresses b/280294707 *If you had to change anything in the [flutter/tests] repo, include a link to the migration guide as per the [breaking change policy].* [C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style
---
 .../.github/workflows/third_party_scan.yml | 16 ++++-
 engine/src/flutter/ci/scan_flattened_deps.py | 59 +++++++++----------
 2 files changed, 42 insertions(+), 33 deletions(-)
diff --git a/engine/src/flutter/.github/workflows/third_party_scan.yml b/engine/src/flutter/.github/workflows/third_party_scan.yml
index b1ab739807..cbaf2e2b4d 100644
--- a/engine/src/flutter/.github/workflows/third_party_scan.yml
+++ b/engine/src/flutter/.github/workflows/third_party_scan.yml
@@ -22,5 +22,19 @@ jobs:
 uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
 with:
 python-version: '3.7.7' # install the python version needed
- - name: "execute py script"
+ - name: "extract and flatten deps"
 run: python ci/deps_parser.py
+ - name: "scan deps for vulnerabilities"
+ run: python ci/scan_flattened_deps.py
+ # Upload the results as artifacts.
+ - name: "Upload artifact"
+ uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+ with:
+ name: SARIF file
+ path: osvReport.sarif
+ retention-days: 5
+ # Upload the results to GitHub's code scanning dashboard.
+ - name: "Upload to security tab"
+ uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
+ with:
+ sarif_file: osvReport.sarif
diff --git a/engine/src/flutter/ci/scan_flattened_deps.py b/engine/src/flutter/ci/scan_flattened_deps.py
index 67759b3d71..ca400f21db 100644
--- a/engine/src/flutter/ci/scan_flattened_deps.py
+++ b/engine/src/flutter/ci/scan_flattened_deps.py
@@ -33,10 +33,15 @@ failed_deps = [] # deps which fail to be cloned or git-merge based
 sarif_log = {
 '$schema': 'https://json.schemastore.org/sarif-2.1.0.json', 'version':
- '2.1.0', 'runs': [{
- 'tool': {'driver': {'name': 'OSV Scan', 'rules': []}},
- 'results': []
- }]
+ '2.1.0',
+ 'runs': [{
+ 'tool': {
+ 'driver': {
+ 'name': 'OSV Scan', 'informationUri': 'https://osv.dev/',
+ 'semanticVersion': '1.0.0', 'rules': []
+ }
+ }, 'results': []
+ }]
 }
@@ -49,9 +54,7 @@ def sarif_result():
 'ruleId': 'N/A', 'message': {'text': 'OSV Scan Finding'},
 'locations': [{
 'physicalLocation': {
- 'artifactLocation': {
- 'uri': 'No location associated with this finding'
- },
+ 'artifactLocation': {'uri': 'DEPS'},
 'region': {'startLine': 1, 'startColumn': 1, 'endColumn': 1}
 }
 }]
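Review bot: The `Upload to security tab` step requires the job token to hold `security-events: write`, and nothing in this hunk grants it — the job header is above the hunk, so a `permissions:` block may exist there, but the commit message itself reports the SARIF upload failing for lack of permissions. If the workflow runs with a read-only default token, add at job level `permissions:` with `contents: read` and `security-events: write`. Separately, both upload steps are skipped whenever `scan deps for vulnerabilities` exits non-zero; if the script signals findings through its exit status, the report would never reach the dashboard in exactly the runs that matter, so consider `if: always()` on the two upload steps. Pinning both actions by commit SHA is the right supply-chain choice; keep it that way.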
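Review bot: Every result emitted by `sarif_result()` now carries the same `ruleId` `'N/A'` and the identical location `DEPS` line 1, column 1; unless the caller (outside this hunk) overwrites these per finding, GitHub code scanning, which as far as I know keys alerts on rule, location and fingerprint, is likely to collapse distinct OSV findings for different dependencies into one alert or drop them as duplicates. Set `ruleId` to the OSV advisory id per finding, and either point `startLine` at the affected dependency's line in DEPS or add a `partialFingerprints` entry derived from the dependency name plus advisory id so each finding stays distinct. `sarif_result()` starts and ends outside this hunk.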
@@ -184,9 +187,8 @@ def get_common_ancestor_commit(dep, deps_list):
 upstream = deps_list.get(UPSTREAM_PREFIX + dep_name)
 temp_dep_dir = DEP_CLONE_DIR + '/' + dep_name
 # clone dependency from mirror
- subprocess.check_output([
- 'git', 'clone', '--quiet', '--', dep[0], temp_dep_dir
- ])
+ subprocess.check_output(['git', 'clone', '--quiet', '--', dep[0], dep_name],
+ cwd=DEP_CLONE_DIR)
 # create branch that will track the upstream dep
 print(
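Review bot: `dep_name` is now the clone target relative to `DEP_CLONE_DIR`, and nothing in the hunk checks that it is a single path component — a DEPS entry whose name contains `/` or `..` would make `git clone` write outside the scratch directory (the old `temp_dep_dir` concatenation had the same exposure, so this is not a regression, but it is cheap to close while touching the call). Where `dep_name` is derived, above this hunk, I would reject anything that is not a plain directory name, e.g. `if '/' in dep_name or dep_name in ('.', '..'): raise ValueError('unsafe dep name: ' + dep_name)`. The `--` before `dep[0]` correctly stops git from treating a URL or name starting with `-` as an option, so that case is already covered. `get_common_ancestor_commit` begins above and continues below this hunk.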
@@ -194,36 +196,30 @@ def get_common_ancestor_commit(dep, deps_list):
 upstream=upstream
 )
 )
- subprocess.check_output([
- 'git', '--git-dir', temp_dep_dir + '/.git', 'remote', 'add', 'upstream',
- upstream
- ])
- subprocess.check_output([
- 'git', '--git-dir', temp_dep_dir + '/.git', 'fetch', '--quiet',
- 'upstream'
- ])
+ subprocess.check_output(['git', 'remote', 'add', 'upstream', upstream],
+ cwd=temp_dep_dir)
+ subprocess.check_output(['git', 'fetch', '--quiet', 'upstream'],
+ cwd=temp_dep_dir)
 # get name of the default branch for upstream (e.g. main/master/etc.)
 default_branch = subprocess.check_output(
- 'git --git-dir ' + temp_dep_dir + '/.git remote show upstream ' +
- "| sed -n \'/HEAD branch/s/.*: //p\'",
+ 'git remote show upstream ' + "| sed -n \'/HEAD branch/s/.*: //p\'",
+ cwd=temp_dep_dir,
 shell=True
 )
 default_branch = byte_str_decode(default_branch)
 default_branch = default_branch.strip()
- print(
- 'default_branch found: {default_branch}'.format(
- default_branch=default_branch
- )
- )
+ # make upstream branch track the upstream dep
 subprocess.check_output([
- 'git', '--git-dir', temp_dep_dir + '/.git', 'checkout', '-b',
- 'upstream', '--track', 'upstream/' + default_branch
- ])
+ 'git', 'checkout', '--force', '-b', 'upstream', '--track',
+ 'upstream/' + default_branch
+ ],
+ cwd=temp_dep_dir)
 # get the most recent commit from default branch of upstream
 commit = subprocess.check_output(
- 'git --git-dir ' + temp_dep_dir + '/.git for-each-ref ' +
+ 'git for-each-ref ' +
 "--format=\'%(objectname:short)\' refs/heads/upstream",
+ cwd=temp_dep_dir,
 shell=True
 )
 commit = byte_str_decode(commit)
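Review bot: After this change neither `shell=True` call in the hunk interpolates a variable any more, so the shell and the `sed` pipe are pure overhead: run `git remote show upstream` and `git for-each-ref` as argument lists and pick the `HEAD branch:` line in Python, which drops the dependency on `sed` being on PATH and removes the last reason to keep `shell=True` in this function. The removed `default_branch found:` print was the only place the resolved branch name was logged; a one-line `print` of it after the parse is worth keeping for diagnosing wrong-branch merges. Moving the directory into `cwd=` rather than `--git-dir` is the right direction, since `checkout` needs a work tree anyway. `get_common_ancestor_commit` continues above and below this hunk.
```python
# get name of the default branch for upstream (e.g. main/master/etc.)
remote_info = byte_str_decode(
    subprocess.check_output(['git', 'remote', 'show', 'upstream'],
                            cwd=temp_dep_dir)
)
default_branch = next(
    line.split(':', 1)[1].strip()
    for line in remote_info.splitlines()
    if 'HEAD branch' in line
)
# … unchanged: checkout --force -b upstream …
commit = subprocess.check_output([
    'git', 'for-each-ref', '--format=%(objectname:short)',
    'refs/heads/upstream'
],
                                 cwd=temp_dep_dir)
commit = byte_str_decode(commit)
```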
@@ -231,9 +227,8 @@ def get_common_ancestor_commit(dep, deps_list):
 # perform merge-base on most recent default branch commit and pinned mirror commit
 ancestor_commit = subprocess.check_output(
- 'git --git-dir {temp_dep_dir}/.git merge-base {commit} {depUrl}'.format(
- temp_dep_dir=temp_dep_dir, commit=commit, depUrl=dep[1]
- ),
+ 'git merge-base {commit} {depUrl}'.format(commit=commit, depUrl=dep[1]),
+ cwd=temp_dep_dir,
 shell=True
 )
 ancestor_commit = byte_str_decode(ancestor_commit)
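Review bot: The `merge-base` command is still built with `.format()` and run through the shell, so `dep[1]` (the pinned revision read from DEPS, parsed outside this hunk) and `commit` (output of the previous git call) are spliced into the command line unquoted; a DEPS value containing shell metacharacters would execute inside the CI job, and the old code had the same exposure, which this commit does not address. Nothing here needs a shell, so pass the arguments as a list: `ancestor_commit = subprocess.check_output(['git', 'merge-base', commit, dep[1]], cwd=temp_dep_dir)`. `get_common_ancestor_commit` begins above this hunk and its remaining body is not in view.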