This allows client code to check if a license is in a given allowlist
e.g. 'WITH_PERMISSION_ONLY' without exporting the lists. This is done
because we now process licenses (e.g. .lower()) when checking against
the lists.
Also fix a type annotation.
Change-Id: I7c52dd19493f72ba3fb927f1654ee1affde320dd
Bug: 452151523, 460076179
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7149079
Reviewed-by: Anne Redulla <aredulla@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Commit-Queue: Anne Redulla <aredulla@google.com>
This CL re-exports normalized license list consts temporarily so we can
unbreak downstream clients relying on their import names.
A future CL will migrate downstream clients to use the exported functions
(which handle normalization correctly), then remove this temporary
export.
Bug: 452151523
Change-Id: I05a96fb35c3decda77890808d8f78ae867f47b09
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7148918
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Jordan Brown <rop@google.com>
New entries:
* Android-SDK: clank/third_party/google3/committed/third_party_notices/android_sdk_platforms/LICENSE
* Artistic-1.0-Perl: third_party/perl/licenses/License.rtf
* GUST-Font-License: ios_internal/google_internal/third_party/iosmath/LICENSE
* Public-Domain-Sigslot: third_party/rtc_base/third_party/sigslot/LICENSE
These are based on some of the issues in ios/clank that we haven't filed
bugs for yet.
Also moving these to their correct spot since they are not SPDX:
* "Public-Domain-Gutenberg"
* "Public-Domain-SpanDSP"
Change-Id: I67789fadd33d14da7aa81e7013825cb6b458847f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7014770
Reviewed-by: Rachael Newitt <renewitt@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
There are many tests checking that a certain number of warnings/errors
are shown. This change aims to make this cleaner by adding a helper to
enable more explicit testing, showing what kind of errors/warnings are
expected.
Change-Id: Ib852f889e9c9496b54e87790d0fceeb525d224d8
Bug: chromium:450416505
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7024093
Commit-Queue: Jordan Brown <rop@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Anne Redulla <aredulla@google.com>
Clank and ios_internal, as well as some chromium/src deps have this
prefixed in their license name as a result of using the raw value from
the license classifier.
In cases where a LicenseRef name collides with a known SPDX license, we
would expect them to have the same content. If they have additional
caveats, we expect the name to be unique.
Bug: 450137724
Change-Id: Ifd0419f719e70a5f1410fb83ea0c1fffabc634e1
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/7014551
Commit-Queue: Jordan Brown <rop@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
This change introduces a `ValidationWarning` when a dependency lacks
sufficient metadata for vulnerability scanning. The warning asks
developers to provide one of the following combinations:
- 'CPEPrefix' with a version.
- A git clonable 'URL' and a 'Revision'.
- A git clonable 'URL' and a 'Version' matching the git tag.
- A package manager 'URL' and a 'Version'.
To reduce noise, this initial change is limited to dependencies that
meet the following criteria:
* Shipped; and
* Security Critical; and
* Do not provide 'Update Mechanism'
It is expected to affect about a dozen dependencies.
This change also updates some tests to be more specific to their test
cases so they don't fail for unrelated changes (like this one).
Bug: 438384123
Bug: 448003595
Change-Id: Ib1c562230b530a183e882efb1b23238b0ce0587c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6999547
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
This improves our alignment of vuln scan sufficiency with the scanners
we are using, based on the data extracted from README.chromium files.
Other package managers are being covered based on their manifest files.
This change splits "sufficient:URL and Version" into:
* "sufficient:Git URL and Version"; and
* "sufficient:Package Manager URL and Version"
Bug: 438384047
Change-Id: Ia3262b93092cad40e60243158e437f65a04e1916
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6905113
Reviewed-by: Anne Redulla <aredulla@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
* Centralised CPE/Version checking to reuse logic.
* Basic check that a URL contains git, googlesource, or bitbucket, etc. to indicate it's a clonable URL, which is required to count as sufficient.
This brings the category closely in alignment with AutoVM, removing 100
dependencies, all of which did not have vulnerability cover.
Bug: b/438384047
Change-Id: I7483f20a177670ad1d6571ffcc2545c0faddd892
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6904943
Commit-Queue: Jordan Brown <rop@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Anne Redulla <aredulla@google.com>
This change introduces a new validation rule: if a `CPEPrefix` is
provided but does not contain a version component, the `Version` field
must be present in the metadata. A helper function
`has_version_component` is added to `cpe_prefix.py` to check for a
version within a CPE string. Tests are added to cover the new validation
logic and the `has_version_component` function.
Bug: 438383649
Change-Id: I69938959316051d31f7fec32c5293d2c4c1a8e2a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6898421
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jordan Brown <rop@google.com>
This change adds support for an "Internal" label in the "URL" custom
metadata field. When this label is used, the dependency will not be
required to provide sufficient metadata for vulnerability coverage.
Change-Id: I747d53934b5ebe3cf4a17fc2aab2de6a9ac2c1dd
Bug: 429937921
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6706140
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
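As an added illustration of the vulnerability-scan sufficiency rules described in the three commit messages above (the four accepted metadata combinations, the scope limits, the `CPEPrefix` version-component rule and the "Internal" URL label), here is a small Python check. This is not depot_tools code: the `Dependency` record, the function names other than `has_version_component`, the substring heuristic for git-clonable URLs and the CPE field positions are assumptions made for the example.

```python
"""Vulnerability-scan metadata sufficiency checks for README.chromium-style
metadata. Added example, not depot_tools code; names and parsing details
beyond those in the commit messages are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Heuristic from the commit message: a URL counts as git-clonable if it
# mentions git, googlesource or bitbucket (assumption: plain substring match).
GIT_URL_MARKERS = ("git", "googlesource", "bitbucket")


def has_version_component(cpe: str) -> bool:
    """Return True if a CPE 2.2 or 2.3 string carries a concrete version.

    CPE 2.3: cpe:2.3:part:vendor:product:version:...  (version is field 5)
    CPE 2.2: cpe:/part:vendor:product:version         (version is field 4)
    '*' and '-' are CPE wildcard/NA markers and do not count as a version.
    Assumption: this mirrors the intent, not the exact code, of cpe_prefix.py.
    """
    fields = cpe.strip().split(":")
    if len(fields) < 2:
        return False
    if fields[1] == "2.3":
        idx = 5
    elif fields[1].startswith("/"):
        idx = 4
    else:
        return False
    if len(fields) <= idx:
        return False
    return fields[idx].strip() not in ("", "*", "-")


def is_git_clonable_url(url: str) -> bool:
    lowered = url.lower()
    return any(marker in lowered for marker in GIT_URL_MARKERS)


@dataclass
class Dependency:
    """Subset of README.chromium fields used by the checks (constructed)."""
    name: str
    shipped: bool
    security_critical: bool
    update_mechanism: Optional[str] = None
    url: Optional[str] = None
    internal: bool = False  # "Internal" label given in the URL field
    version: Optional[str] = None
    revision: Optional[str] = None
    cpe_prefix: Optional[str] = None


def vuln_scan_sufficiency(dep: Dependency) -> Optional[str]:
    """Return the matching sufficiency category, or None if none matches."""
    if dep.cpe_prefix and (has_version_component(dep.cpe_prefix) or dep.version):
        return "sufficient:CPEPrefix"
    if dep.url and is_git_clonable_url(dep.url):
        if dep.revision:
            return "sufficient:Git URL and Revision"
        if dep.version:
            return "sufficient:Git URL and Version"
    if dep.url and dep.version:
        return "sufficient:Package Manager URL and Version"
    return None


def validate(dep: Dependency) -> list:
    """Return the findings for one dependency, following the commit rules."""
    findings = []
    # CPEPrefix without a version component requires a Version field.
    if dep.cpe_prefix and not has_version_component(dep.cpe_prefix) and not dep.version:
        findings.append("error: CPEPrefix has no version component, so Version is required")
    # The sufficiency warning only applies to shipped, security-critical
    # dependencies with no Update Mechanism that are not labelled Internal.
    in_scope = (dep.shipped and dep.security_critical
                and not dep.update_mechanism and not dep.internal)
    if in_scope and vuln_scan_sufficiency(dep) is None:
        findings.append("warning: insufficient metadata for vulnerability scanning; "
                        "provide CPEPrefix with a version, a git URL and Revision, "
                        "a git URL and Version, or a package manager URL and Version")
    return findings


if __name__ == "__main__":
    sample = Dependency("libfoo", shipped=True, security_critical=True,
                        url="https://example.com/libfoo")  # constructed
    print(vuln_scan_sufficiency(sample), validate(sample))
```

The scope test is deliberately the last gate: a dependency that is not shipped, not security critical, has an update mechanism or is marked Internal is never warned about, which is what keeps the initial rollout to roughly the dozen dependencies the commit mentions.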
Ideally we would track these separately but practically they fall into
the same category as the restricted license. It is on the OWNERS and the
reviewers to make sure that they comply with the terms of a Patent file
or any license. Currently we are just generating presubmit warnings that
are being ignored.
This will also enable future tooling that utilises this list for
auditing restricted licenses to surface Patent files.
Bug: 381146326
Change-Id: I0f091bef9649d3a9f7b03940c8634e56bee9541f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6290872
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
This adds a new way to report CVEs that includes an accompanying
description. It also adds a new validation check that ensures that the
CVE description is present for every entry listed in the 'Mitigated:'
field.
Bug: b/392026683
Change-Id: Ie55595970b49d705ac532f1f8c41ff47d959f56c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6211644
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Currently using a license in the WITH_PERMISSION_ONLY list will create a
warning. By making an ALL_LICENSE list including this list and also
allowing it when checking for open source compatible licenses, it will
no longer create warnings.
This will enable us to change the current warnings into errors.
Bug: b/388620886
Change-Id: I883a3d3c825f0f1903b62d0b93810218b1f42bb9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6188501
Commit-Queue: Jordan Brown <rop@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Adding a special entry for dependencies using this license id.
The Android Software Development Kit License is a special case.
It can introduce licensing complexities due to the potentially extensive
transitive dependency chain. Developers should carefully review the
licenses of all dependencies.
Change-Id: I8626391ce04f921a9efa519a5305afce62a5f1c2
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6174215
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
This change introduces a new error for license fields that use any of
the following `["/", ";", " and ", " or "]`.
I chose to include the offending character/s in the error message
because I find it easier to parse error messages that tell me exactly
which character is the bad one. Similarly I've included conditions in
the reason to handle the plural cases correctly, generating either:
`License contains a bad delimiter character ...`, or
`License contains bad delimiter characters ...`
I realise this means that any downstream rules looking to detect this
error will need to check for a common subset, e.g. 'bad delimiter
character', however I think it's worth it for the improved user
experience of receiving the error.
I've also anticipated that most of these errors will be due to
situations where multiple licenses are offered, and included additional
text explaining that only the most permissive of the choices should be
included.
This will affect 9 dependencies, and they need to choose between multiple licenses anyway, so it's okay to generate an error and have partybug file bugs.
Bug: http://b/374850412
Change-Id: I6eb53a8a3bd541a1801dff133884b719dcdfe04d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6181848
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
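The bad-delimiter check described in the commit message above, written out as an added Python example. It is not depot_tools code: the function names and the sentence appended after the two quoted message forms are assumptions; the four delimiters and the singular/plural wording come from the commit message.

```python
"""Bad-delimiter check for a README.chromium License field. Added example,
not depot_tools code; function names and the trailing hint are assumptions."""
from typing import Optional

# Delimiters from the commit message that indicate several licenses were
# crammed into a single field.
BAD_DELIMITERS = ("/", ";", " and ", " or ")


def find_bad_delimiters(license_field: str) -> list:
    """Return the bad delimiters present, in declaration order."""
    return [d for d in BAD_DELIMITERS if d in license_field]


def bad_delimiter_error(license_field: str) -> Optional[str]:
    """Return the error text for a field with bad delimiters, else None.

    The message names the offending delimiter(s) and picks the singular or
    plural form, so downstream rules should match the common prefix
    'bad delimiter character' rather than the full string.
    """
    found = find_bad_delimiters(license_field)
    if not found:
        return None
    shown = ", ".join(repr(d) for d in found)
    if len(found) == 1:
        reason = f"License contains a bad delimiter character {shown}"
    else:
        reason = f"License contains bad delimiter characters {shown}"
    # Hint for the expected common case of a multi-license choice (assumed wording).
    return (reason + ". If multiple licenses are offered, list only the most "
            "permissive one.")


if __name__ == "__main__":
    for field in ("MIT", "MIT / Apache-2.0", "MIT or Apache-2.0; BSD-3-Clause"):  # constructed
        print(repr(field), "->", bad_delimiter_error(field))
```

Note that `" and "` and `" or "` are matched with surrounding spaces, so identifiers such as `Apache-2.0 WITH LLVM-exception` or hyphenated names are not flagged; only a bare conjunction between two license names is.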
Reciprocal licenses can only be used in open source projects.
This change updates the presubmit validation checks to accept an
optional flag `allow_reciprocal_licenses`. When True, the allowlist is
extended to include reciprocal licenses.
Bug: 385020146
Change-Id: I0374658207bc87ffd74e033762ee4973c6e83b3b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6107863
Reviewed-by: Jordan Brown <rop@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
This is a list of licenses classified as 'reciprocal'. Due to the requirements of licenses of this type we can only allow their use in open source projects. This change introduces the variable 'OPEN_SOURCE_SPDX_LICENSES' with an initial set of reciprocal licenses currently used in chromium.
Change-Id: I376a7623e3685d67edd63ceb3088ca68c9d2fb7e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6107860
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
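As an added example covering the allowlist-related commit messages on this page (normalized membership checks without exporting the lists, the `WITH_PERMISSION_ONLY` list counting as open-source compatible, the `allow_reciprocal_licenses` flag, and `OPEN_SOURCE_SPDX_LICENSES` holding reciprocal licenses), here is a small Python module. It is not depot_tools code: the list contents are a constructed sample, and the normalization (strip and lower-case), the list names other than `WITH_PERMISSION_ONLY` and `OPEN_SOURCE_SPDX_LICENSES`, and the function names are assumptions.

```python
"""License allowlist checks with normalization. Added example, not
depot_tools code; list contents are a constructed sample and the
normalization and function names are assumptions."""

# Constructed samples; the real lists are larger. Entries are stored in
# normalized (lower-case) form because lookups normalize the input first.
ALLOWED_SPDX_LICENSES = {"apache-2.0", "mit", "bsd-3-clause"}
OPEN_SOURCE_SPDX_LICENSES = {"mpl-2.0", "lgpl-2.1"}  # reciprocal licenses
WITH_PERMISSION_ONLY = {"android-software-development-kit-license"}

_LISTS = {
    "allowed": ALLOWED_SPDX_LICENSES,
    "reciprocal": OPEN_SOURCE_SPDX_LICENSES,
    "with_permission_only": WITH_PERMISSION_ONLY,
}


def _normalize(license_id: str) -> str:
    """Assumed normalization: trim whitespace and lower-case the identifier."""
    return license_id.strip().lower()


def is_license_in_list(license_id: str, list_name: str) -> bool:
    """Membership test exposed to clients so they never compare a raw
    identifier against the list contents themselves."""
    return _normalize(license_id) in _LISTS[list_name]


def is_open_source_compatible(license_id: str,
                              allow_reciprocal_licenses: bool = False) -> bool:
    """Permissive and with-permission-only licenses are always accepted;
    reciprocal ones only when the caller is an open source project."""
    allowlist = ALLOWED_SPDX_LICENSES | WITH_PERMISSION_ONLY
    if allow_reciprocal_licenses:
        allowlist = allowlist | OPEN_SOURCE_SPDX_LICENSES
    return _normalize(license_id) in allowlist


def check_license(license_id: str, allow_reciprocal_licenses: bool = False) -> list:
    """Return findings for one License value (wording is assumed)."""
    findings = []
    if not is_open_source_compatible(license_id, allow_reciprocal_licenses):
        if is_license_in_list(license_id, "reciprocal"):
            findings.append(f"reciprocal license {license_id!r} may only be "
                            "used in open source projects")
        else:
            findings.append(f"license {license_id!r} is not in the allowlist")
    return findings


if __name__ == "__main__":
    for lic in ("MIT", "MPL-2.0", "Android-Software-Development-Kit-License"):  # constructed
        print(lic, check_license(lic), check_license(lic, allow_reciprocal_licenses=True))
```

Because every lookup goes through `_normalize`, a client that imported the raw sets and compared against them directly would get different answers for mixed-case input; that is the mismatch the first commit on this page avoids by offering a membership function instead of the lists.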