This change introduces a `ValidationWarning` when a dependency lacks
sufficient metadata for vulnerability scanning. The warning asks
developers to provide one of the following combinations:
- 'CPEPrefix' with a version.
- A git clonable 'URL' and a 'Revision'.
- A git clonable 'URL' and a 'Version' matching the git tag.
- A package manager 'URL' and a 'Version'.
To reduce noise, this initial change is limited to dependencies that
meet the following criteria:
* Shipped; and
* Security Critical; and
* Do not provide 'Update Mechanism'
It is expected to affect about a dozen dependencies.
This change also updates some tests to be more specific to their test
cases so they don't fail for unrelated changes (like this one).
Bug: 438384123
Bug: 448003595
Change-Id: Ib1c562230b530a183e882efb1b23238b0ce0587c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6999547
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Auto-Submit: Jordan Brown <rop@google.com>

This improves our alignment of vuln scan sufficiency with the scanners
we are using, based on the data extracted from README.chromium files.
Other package managers are being covered based on their manifest files.
This change splits "sufficient:URL and Version" into:
* "sufficient:Git URL and Version"; and
* "sufficient:Package Manager URL and Version"
Bug: 438384047
Change-Id: Ia3262b93092cad40e60243158e437f65a04e1916
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6905113
Reviewed-by: Anne Redulla <aredulla@google.com>
Commit-Queue: Jordan Brown <rop@google.com>

* Centralised CPE/Version checking to reuse logic.
* Basic check that a URL contains git, googlesource, bitbucket etc. to indicate it's a clonable URL, which is required to count as sufficient.
This brings the category closely in alignment with AutoVM, removing 100
dependencies, all of which did not have vulnerability cover.
Bug: b/438384047
Change-Id: I7483f20a177670ad1d6571ffcc2545c0faddd892
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6904943
Commit-Queue: Jordan Brown <rop@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Anne Redulla <aredulla@google.com>

This change introduces a new validation rule: if a `CPEPrefix` is
provided but does not contain a version component, the `Version` field
must be present in the metadata. A helper function
`has_version_component` is added to `cpe_prefix.py` to check for a
version within a CPE string. Tests are added to cover the new validation
logic and the `has_version_component` function.
Bug: 438383649
Change-Id: I69938959316051d31f7fec32c5293d2c4c1a8e2a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6898421
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jordan Brown <rop@google.com>

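
An added example (not depot_tools code) that sketches the sufficiency rules described in the three commit messages above: the four accepted metadata combinations, the git-clonable URL host hint, and the rule that a `CPEPrefix` without a version component needs a `Version`. The CPE parsing, the host hint lists, the function names and the treatment of "Unknown" values are my assumptions, not the project's implementation.

```python
from typing import Optional

# Assumed host hints (illustration only, not depot_tools' own lists).
GIT_HOST_HINTS = ("git", "googlesource", "bitbucket")
PACKAGE_MANAGER_HINTS = ("pypi.org", "npmjs.com", "crates.io", "rubygems.org")


def cpe_has_version_component(cpe: str) -> bool:
    """True if a CPE 2.3 formatted string or CPE 2.2 URI carries a version.

    Version is the 6th component of 'cpe:2.3:a:vendor:product:version:...'
    and the 5th of 'cpe:/a:vendor:product:version'; '*' (ANY) does not count.
    """
    parts = cpe.split(":")
    if cpe.startswith("cpe:2.3:"):
        version = parts[5] if len(parts) > 5 else ""
    elif cpe.startswith("cpe:/"):
        version = parts[4] if len(parts) > 4 else ""
    else:
        return False
    return version not in ("", "*")


def _known(value: str) -> bool:
    """Treat missing, 'Unknown' and 'N/A' values as not provided (assumed)."""
    return bool(value) and value.strip().lower() not in ("unknown", "n/a")


def scan_sufficiency(fields: dict) -> Optional[str]:
    """Return the sufficiency category a dependency satisfies, else None."""
    cpe, version = fields.get("CPEPrefix", ""), fields.get("Version", "")
    url, revision = fields.get("URL", ""), fields.get("Revision", "")
    if _known(cpe) and (cpe_has_version_component(cpe) or _known(version)):
        return "sufficient:CPEPrefix and Version"
    if _known(url) and any(h in url for h in GIT_HOST_HINTS):
        # Whether Version actually matches a git tag cannot be checked offline.
        if _known(revision) or _known(version):
            return "sufficient:Git URL and Version"
    if _known(url) and any(h in url for h in PACKAGE_MANAGER_HINTS):
        if _known(version):
            return "sufficient:Package Manager URL and Version"
    return None


def needs_warning(fields: dict) -> bool:
    """Warn only for shipped, security-critical deps without Update Mechanism."""
    in_scope = (fields.get("Shipped", "").strip().lower() == "yes"
                and fields.get("Security Critical", "").strip().lower() == "yes"
                and not _known(fields.get("Update Mechanism", "")))
    return in_scope and scan_sufficiency(fields) is None
```
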
This adds a new way to report CVEs that includes an accompanying
description. It also adds a new validation check that ensures that the
CVE description is present for every entry listed in the 'Mitigated:'
field.
Bug: b/392026683
Change-Id: Ie55595970b49d705ac532f1f8c41ff47d959f56c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6211644
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jiewei Qian <qjw@chromium.org>

Reciprocal licenses can only be used in open source projects.
This change updates the presubmit validation checks to accept an
optional flag `allow_reciprocal_licenses`. When True, the allowlist is
extended to include reciprocal licenses.
Bug: 385020146
Change-Id: I0374658207bc87ffd74e033762ee4973c6e83b3b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6107863
Reviewed-by: Jordan Brown <rop@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>

This CL adds a typed interface that exposes parsed metadata for
downstream consumption.
Conventionally:
- A validated field should be retrieved by the property of the same name
- A validated field returns "None" if said field is not provided, or is
clearly invalid (e.g. "Unknown" values)
- Raw values can still be retrieved with get_entries()
When using the properties accessor, fields are normalized and/or coerced to a suitable type (e.g. list of str, str of a particular format).
Bug: b/321154076
Change-Id: Ia56969a838e682a7b7eb1dc0781d48e1e38a2ff0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5446637
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>