Vulnerability Scanning on Third Party Deps

.github/workflows/third_party_scan.yml

@@ -0,0 +1,56 @@
+name: Third party dependency scan
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+    branches: [ main ]
+    schedule:
+      - cron: "0 8 * * *" # runs daily at 08:00
+
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Third party dependency scan
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      actions: read
+      contents: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        with:
+          persist-credentials: false
+
+      - name: setup python
+        uses: actions/setup-python@98f2ad02fd48d057ee3b4d4f66525b231c3e52b6
+        with:
+          python-version: '3.7.7' # install the python version needed
+
+      - name: install dependency
+        run: pip install git+https://github.com/psf/requests.git@4d394574f5555a8ddcc38f707e0c9f57f55d9a3b
+
+      - name: execute py script
+        run: python ci/deps_parser.py 
+
+      - name: parse deps_parser output.txt
+        run: python ci/scan_flattened_deps.py 
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535
+        with:
+          name: SARIF file
+          path: osvReport.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@a3a6c128d771b6b9bdebb1c9d0583ebd2728a108
+        with:
+          sarif_file: osvReport.sarif

DEPS

@@ -97,6 +97,122 @@ vars = {
 
   # Setup Git hooks by default.
   "setup_githooks": True,
+
+  # Upstream URLs for third party dependencies, used in
+  # determining common ancestor commit for vulnerability scanning
+  # prefixed with 'upstream_' in order to be identified by parsing tool.
+  # The vulnerabiity database being used in this scan can be browsed
+  # using this UI https://osv.dev/list
+  # If a new dependency needs to be added, the upstream (non-mirrored)
+  # git URL for that dependency should be added to this list 
+  # with the key-value pair being:
+  # 'upstream_[dep name from last slash and before .git in URL]':'[git URL]'
+  # example: 
+  "upstream_abseil-cpp": "https://github.com/abseil/abseil-cpp.git",
+  "upstream_angle": "https://github.com/google/angle.git",
+  "upstream_archive": "https://github.com/brendan-duncan/archive.git",
+  "upstream_args": "https://github.com/dart-lang/args.git",
+  "upstream_async": "https://github.com/dart-lang/async.git",
+  "upstream_bazel_worker": "https://github.com/dart-lang/bazel_worker.git",
+  "upstream_benchmark": "https://github.com/google/benchmark.git",
+  "upstream_boolean_selector": "https://github.com/dart-lang/boolean_selector.git",
+  "upstream_boringssl_gen": "https://github.com/dart-lang/boringssl_gen.git",
+  "upstream_boringssl": "https://github.com/openssl/openssl.git",
+  "upstream_browser_launcher": "https://github.com/dart-lang/browser_launcher.git",
+  "upstream_buildroot": "https://github.com/flutter/buildroot.git",
+  "upstream_cli_util": "https://github.com/dart-lang/cli_util.git",
+  "upstream_clock": "https://github.com/dart-lang/clock.git",
+  "upstream_collection": "https://github.com/dart-lang/collection.git",
+  "upstream_colorama": "https://github.com/tartley/colorama.git",
+  "upstream_convert": "https://github.com/dart-lang/convert.git",
+  "upstream_crypto": "https://github.com/dart-lang/crypto.git",
+  "upstream_csslib": "https://github.com/dart-lang/csslib.git",
+  "upstream_dart_style": "https://github.com/dart-lang/dart_style.git",
+  "upstream_dartdoc": "https://github.com/dart-lang/dartdoc.git",
+  "upstream_equatable": "https://github.com/felangel/equatable.git",
+  "upstream_ffi": "https://github.com/dart-lang/ffi.git",
+  "upstream_file": "https://github.com/google/file.dart.git",
+  "upstream_fixnum": "https://github.com/dart-lang/fixnum.git",
+  "upstream_flatbuffers": "https://github.com/google/flatbuffers.git",
+  "upstream_fontconfig": "https://gitlab.freedesktop.org/fontconfig/fontconfig.git",
+  "upstream_freetype2": "https://gitlab.freedesktop.org/freetype/freetype.git",
+  "upstream_gcloud": "https://github.com/dart-lang/gcloud.git",
+  "upstream_glfw": "https://github.com/glfw/glfw.git",
+  "upstream_glob": "https://github.com/dart-lang/glob.git",
+  "upstream_googleapis": "https://github.com/google/googleapis.dart.git",
+  "upstream_googletest": "https://github.com/google/googletest.git",
+  "upstream_gtest-parallel": "https://github.com/google/gtest-parallel.git",
+  "upstream_harfbuzz": "https://github.com/harfbuzz/harfbuzz.git",
+  "upstream_html": "https://github.com/dart-lang/html.git",
+  "upstream_http_multi_server": "https://github.com/dart-lang/http_multi_server.git",
+  "upstream_http_parser": "https://github.com/dart-lang/http_parser.git",
+  "upstream_http": "https://github.com/dart-lang/http.git",
+  "upstream_icu": "https://github.com/unicode-org/icu.git",
+  "upstream_imgui": "https://github.com/ocornut/imgui.git",
+  "upstream_inja": "https://github.com/pantor/inja.git",
+  "upstream_json": "https://github.com/nlohmann/json.git",
+  "upstream_json_rpc_2": "https://github.com/dart-lang/json_rpc_2.git",
+  "upstream_libcxx": "https://github.com/llvm-mirror/libcxx.git",
+  "upstream_libcxxabi": "https://github.com/llvm-mirror/libcxxabi.git",
+  "upstream_libexpat": "https://github.com/libexpat/libexpat.git",
+  "upstream_libjpeg-turbo": "https://github.com/libjpeg-turbo/libjpeg-turbo.git",
+  "upstream_libpng": "https://github.com/glennrp/libpng.git",
+  "upstream_libtess2": "https://github.com/memononen/libtess2.git",
+  "upstream_libwebp": "https://chromium.googlesource.com/webm/libwebp.git",
+  "upstream_libxml": "https://gitlab.gnome.org/GNOME/libxml2.git",
+  "upstream_linter": "https://github.com/dart-lang/linter.git",
+  "upstream_logging": "https://github.com/dart-lang/logging.git",
+  "upstream_markdown": "https://github.com/dart-lang/markdown.git",
+  "upstream_matcher": "https://github.com/dart-lang/matcher.git",
+  "upstream_mime": "https://github.com/dart-lang/mime.git",
+  "upstream_mockito": "https://github.com/dart-lang/mockito.git",
+  "upstream_oauth2": "https://github.com/dart-lang/oauth2.git",
+  "upstream_ocmock": "https://github.com/erikdoe/ocmock.git",
+  "upstream_package_config": "https://github.com/dart-lang/package_config.git",
+  "upstream_packages": "https://github.com/flutter/packages.git",
+  "upstream_path": "https://github.com/dart-lang/path.git",
+  "upstream_platform": "https://github.com/google/platform.dart.git",
+  "upstream_pool": "https://github.com/dart-lang/pool.git",
+  "upstream_process_runner": "https://github.com/google/process_runner.git",
+  "upstream_process": "https://github.com/google/process.dart.git",
+  "upstream_protobuf": "https://github.com/google/protobuf.dart.git",
+  "upstream_pub_semver": "https://github.com/dart-lang/pub_semver.git",
+  "upstream_pub": "https://github.com/dart-lang/pub.git",
+  "upstream_pyyaml": "https://github.com/yaml/pyyaml.git",
+  "upstream_quiver-dart": "https://github.com/google/quiver-dart.git",
+  "upstream_rapidjson": "https://github.com/Tencent/rapidjson.git",
+  "upstream_root_certificates": "https://github.com/dart-lang/root_certificates.git",
+  "upstream_sdk": "https://github.com/dart-lang/sdk.git",
+  "upstream_shaderc": "https://github.com/google/shaderc.git",
+  "upstream_shelf": "https://github.com/dart-lang/shelf.git",
+  "upstream_skia": "https://skia.googlesource.com/skia.git",
+  "upstream_source_map_stack_trace": "https://github.com/dart-lang/source_map_stack_trace.git",
+  "upstream_source_maps": "https://github.com/dart-lang/source_maps.git",
+  "upstream_source_span": "https://github.com/dart-lang/source_span.git",
+  "upstream_sqlite": "https://github.com/sqlite/sqlite.git",
+  "upstream_sse": "https://github.com/dart-lang/sse.git",
+  "upstream_stack_trace": "https://github.com/dart-lang/stack_trace.git",
+  "upstream_stream_channel": "https://github.com/dart-lang/stream_channel.git",
+  "upstream_string_scanner": "https://github.com/dart-lang/string_scanner.git",
+  "upstream_SwiftShader": "https://swiftshader.googlesource.com/SwiftShader.git",
+  "upstream_term_glyph": "https://github.com/dart-lang/term_glyph.git",
+  "upstream_test_reflective_loader": "https://github.com/dart-lang/test_reflective_loader.git",
+  "upstream_test": "https://github.com/dart-lang/test.git",
+  "upstream_tinygltf": "https://github.com/syoyo/tinygltf.git",
+  "upstream_typed_data": "https://github.com/dart-lang/typed_data.git",
+  "upstream_usage": "https://github.com/dart-lang/usage.git",
+  "upstream_vector_math": "https://github.com/google/vector_math.dart.git",
+  "upstream_Vulkan-Headers": "https://github.com/KhronosGroup/Vulkan-Headers.git",
+  "upstream_VulkanMemoryAllocator": "https://github.com/GPUOpen-LibrariesAndSDKs/VulkanMemoryAllocator.git",
+  "upstream_watcher": "https://github.com/dart-lang/watcher.git",
+  "upstream_web_socket_channel": "https://github.com/dart-lang/web_socket_channel.git",
+  "upstream_webdev": "https://github.com/dart-lang/webdev.git",
+  "upstream_webkit_inspection_protocol": "https://github.com/google/webkit_inspection_protocol.dart.git",
+  "upstream_wuffs-mirror-release-c": "https://github.com/google/wuffs-mirror-release-c.git",
+  "upstream_yaml_edit": "https://github.com/dart-lang/yaml_edit.git",
+  "upstream_yaml": "https://github.com/dart-lang/yaml.git",
+  "upstream_yapf": "https://github.com/google/yapf.git",
+  "upstream_zlib": "https://github.com/madler/zlib.git",
 }
 
 gclient_gn_args_file = 'src/third_party/dart/build/config/gclient_args.gni'

ci/deps_parser.py

@@ -3,7 +3,7 @@
 # Copyright 2013 The Flutter Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
-
+#
 # Usage: deps_parser.py --deps <DEPS file> --output <flattened deps>
 #
 # This script parses the DEPS file, extracts the fully qualified dependencies
@@ -12,11 +12,16 @@
 
 import argparse
 import os
+import re
 import sys
 
 SCRIPT_DIR = os.path.dirname(sys.argv[0])
 CHECKOUT_ROOT = os.path.realpath(os.path.join(SCRIPT_DIR, '..'))
 
+CHROMIUM_README_FILE = 'third_party/accessibility/README.md'
+CHROMIUM_README_COMMIT_LINE = 4  # the fifth line will always contain the commit hash
+CHROMIUM = 'https://chromium.googlesource.com/chromium/src'
+
 
 # Used in parsing the DEPS file.
 class VarImpl:
@@ -55,15 +60,30 @@ def parse_deps_file(deps_file):
   # Extract the deps and filter.
   deps = local_scope.get('deps', {})
   filtered_deps = []
-  for val in deps.values():
+  for _, dep in deps.items():
     # We currently do not support packages or cipd which are represented
     # as dictionaries.
-    if isinstance(val, str):
-      filtered_deps.append(val)
-
+    if isinstance(dep, str):
+      filtered_deps.append(dep)
   return filtered_deps
 
 
+def parse_readme(deps):
+  """
+  Opens the Flutter Accessibility Library README and uses the commit hash
+  found in the README to check for viulnerabilities.
+  The commit hash in this README will always be in the same format
+  """
+  file_path = os.path.join(CHECKOUT_ROOT, CHROMIUM_README_FILE)
+  with open(file_path) as file:
+    # read the content of the file opened
+    content = file.readlines()
+    commit_line = content[CHROMIUM_README_COMMIT_LINE]
+    commit = re.search(r'(?<=\[).*(?=\])', commit_line)
+    deps.append(CHROMIUM + '@' + commit.group())
+    return deps
+
+
 def write_manifest(deps, manifest_file):
   print('\n'.join(sorted(deps)))
   with open(manifest_file, 'w') as manifest:
@@ -97,6 +117,7 @@ def parse_args(args):
 def main(argv):
   args = parse_args(argv)
   deps = parse_deps_file(args.deps)
+  deps = parse_readme(deps)
   write_manifest(deps, args.output)
   return 0
 

ci/deps_parser_tests.py

@@ -0,0 +1,88 @@
+#!/usr/bin/env python3
+#
+# Copyright 2013 The Flutter Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+import os
+import sys
+import unittest
+from deps_parser import VarImpl
+
+SCRIPT_DIR = os.path.dirname(sys.argv[0])
+CHECKOUT_ROOT = os.path.realpath(os.path.join(SCRIPT_DIR, '..'))
+DEPS = os.path.join(CHECKOUT_ROOT, 'DEPS')
+UPSTREAM_PREFIX = 'upstream_'
+
+
+class TestDepsParserMethods(unittest.TestCase):
+  # Extract both mirrored dep names and URLs &
+  # upstream names and URLs from DEPs file.
+  def setUp(self):  # lower-camel-case for the python unittest framework
+    # Read the content.
+    with open(DEPS, 'r') as file:
+      deps_content = file.read()
+
+    local_scope_mirror = {}
+    var = VarImpl(local_scope_mirror)
+    global_scope_mirror = {
+        'Var': var.lookup,
+        'deps_os': {},
+    }
+
+    # Eval the content.
+    exec(deps_content, global_scope_mirror, local_scope_mirror)
+
+    # Extract the upstream URLs
+    # vars contains more than just upstream URLs
+    # however the upstream URLs are prefixed with 'upstream_'
+    upstream = local_scope_mirror.get('vars')
+    self.upstream_urls = upstream
+
+    # Extract the deps and filter.
+    deps = local_scope_mirror.get('deps', {})
+    filtered_deps = []
+    for _, dep in deps.items():
+      # We currently do not support packages or cipd which are represented
+      # as dictionaries.
+      if isinstance(dep, str):
+        filtered_deps.append(dep)
+    self.deps = filtered_deps
+
+  def test_each_dep_has_upstream_url(self):
+    # For each DEP in the deps file, check for an associated upstream URL in deps file.
+    for dep in self.deps:
+      dep_repo = dep.split('@')[0]
+      dep_name = dep_repo.split('/')[-1].split('.')[0]
+      # vulkan-deps and khronos do not have one upstream URL
+      # all other deps should have an associated upstream URL for vuln scanning purposes
+      if dep_name not in ('vulkan-deps', 'khronos'):
+        # Add the prefix on the dep name when searching for the upstream entry.
+        self.assertTrue(
+            UPSTREAM_PREFIX + dep_name in self.upstream_urls,
+            msg=dep_name + ' not found in upstream URL list. ' +
+            'Each dep in the "deps" section of DEPS file must have associated upstream URL'
+        )
+
+  def test_each_upstream_url_has_dep(self):
+    # Parse DEPS into dependency names.
+    deps_names = []
+    for dep in self.deps:
+      dep_repo = dep.split('@')[0]
+      dep_name = dep_repo.split('/')[-1].split('.')[0]
+      deps_names.append(dep_name)
+
+    # For each upstream URL dep, check it exists as in DEPS.
+    for upsream_dep in self.upstream_urls:
+      # Only test on upstream deps in vars section which start with the upstream prefix
+      if upsream_dep.startswith(UPSTREAM_PREFIX):
+        # Strip the prefix to check that it has a corresponding dependency in the DEPS file
+        self.assertTrue(
+            upsream_dep[len(UPSTREAM_PREFIX):] in deps_names,
+            msg=upsream_dep + ' from upstream list not found in DEPS. ' +
+            'Each upstream URL in DEPS file must have an associated dep in the "deps" section'
+        )
+
+
+if __name__ == '__main__':
+  unittest.main()