This improves our alignment of vuln scan sufficiency with the scanners
we are using, based on the data extracted from README.chromium files.
Other package managers are being covered based on their manifest files.
This change splits "sufficient:URL and Version" into:
* "sufficient:Git URL and Version"; and
* "sufficient:Package Manager URL and Version"
Bug: 438384047
Change-Id: Ia3262b93092cad40e60243158e437f65a04e1916
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6905113
Reviewed-by: Anne Redulla <aredulla@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
* Centralised CPE/Version checking to reuse logic.
* Basic check that a url contains git, googlesource, or 'bitbucket etc to indicate it's a clonable url which is required to count as sufficient.
This brings the category closely in alignment with AutoVM, removing 100
dependencies, all of which did not have vulnerability cover.
Bug:b/438384047
Change-Id: I7483f20a177670ad1d6571ffcc2545c0faddd892
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6904943
Commit-Queue: Jordan Brown <rop@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Anne Redulla <aredulla@google.com>
This change introduces a new validation rule: if a `CPEPrefix` is
provided but does not contain a version component, the `Version` field
must be present in the metadata. A helper function
`has_version_component` is added to `cpe_prefix.py` to check for a
version within a CPE string. Tests are added to cover the new validation
logic and the `has_version_component` function.
Bug: 438383649
Change-Id: I69938959316051d31f7fec32c5293d2c4c1a8e2a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6898421
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jordan Brown <rop@google.com>
This change adds support for an "Internal" label in the "URL" custom
metadata field. When this label is used, the dependency will be not be
required to provide sufficient metadata for vulnerability coverage.
Change-Id: I747d53934b5ebe3cf4a17fc2aab2de6a9ac2c1dd
Bug: 429937921
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6706140
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
This property helps determine if the data available in metadata is sufficient to do vulnerability scanning.
Change-Id: I7cead6ca7eacf3184f6afa0a77b48fb2439f9fa9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6706867
Auto-Submit: Jordan Brown <rop@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
This is because the linux-presubmit ci job does not run with all
dependencies checked out. See bug for details.
Bug: 398970704
Change-Id: Ia562cc6de7e586f947ccc9d351e9fc5feafa9f22
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6300962
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
This adds a new way to report CVEs that includes an accompanying
description. It also adds a new validation check that ensures that the
CVE description is present for every entry listed in the 'Mitigated:'
field.
Bug: b/392026683
Change-Id: Ie55595970b49d705ac532f1f8c41ff47d959f56c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6211644
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
This field stores a list of comma-separated CVE IDs that the dependency mitigates.
The field is validated to contain only valid CVE IDs.
Bug: b/392026683
Change-Id: I9578fc709086131695cfa7eee51e717c24440853
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6197756
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jordan Brown <rop@google.com>
Currently using a license in the WITH_PERMISSION_ONLY list will create a
warning. By making an ALL_LICENSE list including this list and also
allowing it when checking for open source compatible licenses, it will
no longer create warnings.
This will enable us to change the current warnings into errors.
Bug: b/388620886
Change-Id: I883a3d3c825f0f1903b62d0b93810218b1f42bb9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6188501
Commit-Queue: Jordan Brown <rop@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
This change introduces a new error for license fields that use any of
the following `["/", ";", " and ", " or "]`.
I chose to include the offending character/s in the error message
because I find it easier to parse error messages that tell me exactly
which character is the bad one. Similarly I've included conditions in
the reason to handle the plural cases correctly, generating either:
`License contains a bad delimiter character ...`, or
`License contains bad delimiter characters ...`
I realise this means that any downstream rules looking to detect this
error will need to check for a common subset, e.g 'bad delimiter
character', however I think it's worth it for the improved user
experience of receiving the error.
I've also anticipated that most of these errors will be due to
situations where multiple licenses are offered, and included additional
text explaining that only the most permissive of the choices should be
included.
This will affect 9 dependencies and they need to choose between multiple licenses anyway so it's okay to generate an error and have partybug file bugs.
Bug: http://b/374850412
Change-Id: I6eb53a8a3bd541a1801dff133884b719dcdfe04d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6181848
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jordan Brown <rop@google.com>
Reciprocal licenses can only be used in open source projects.
This change updates the presubmit validation checks to accept an
optional flag `allow_reciprocal_licenses`. When True, the allowlist is
extended to include reciprocal licenses.
Bug: 385020146
Change-Id: I0374658207bc87ffd74e033762ee4973c6e83b3b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6107863
Reviewed-by: Jordan Brown <rop@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Change the delimiter for license field from allowing complex cases using "and", "or", and "/" to only allowing a single comma separated list of licenses that are in use.
When given a choice of licenses OWNERS should choose the most appropriate and list this one. In nearly all cases this should be 'whichever is the least restrictive'.
Corresponding change in documentation: https://crrev.com/c/6068628
Change-Id: Ic30dfacb9ba586137b9493cec878b636107a55f4
Bug: 311097536
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6055313
Reviewed-by: Jordan Brown <rop@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
This CL introduces a validation rule for "Revision: DEPS" syntax
so dependencies managed by DEPS and autorolled can use it to declare
their versioning metadata.
Bug: b/335761679
Change-Id: I0b4f99d281543f9295b122ac71036b06205a6168
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5904321
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Rachael Newitt <renewitt@google.com>
If Chromium is the canonical repository, the version of the dependency
is essentially Chromium.
Change-Id: Ifcb80dbeee0d36bf71234f8f48423e8f7aa9dcf0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5772151
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Adds support to report line numbers when validation fails.
Change-Id: Iba94c5b3582d7e51f15d266d188909d3a82b75cb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5740963
Reviewed-by: Jordan Brown <rop@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Anne Redulla <aredulla@google.com>
This permit downstream clients to retrieve the "source" text and do
their own formatting instead of relying on the format coded in
get_message().
Change-Id: Ia36cbd064ed0781bda76b09b064b97f6dc5e899e
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5686730
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Anne Redulla <aredulla@google.com>
This CL changes CPEPrefix field to return None for the validate field
accessor.
There's little reason to return a special "unknown" string in property
accessor (which is used for tooling automation).
We still allow specifying "unknown" in that field.
Bug: b/321154076
Change-Id: Ib4cbc017d6b6df179ccfb008bd5ec9477913764b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5465016
Reviewed-by: Anne Redulla <aredulla@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
This CL adds a typed interface that exposes parsed metadata for
downstream consumption.
Conventionally:
- A validated field should be retrieved by the property of the same name
- A validated field returns "None" if said field is not provided, or is
clearly invalid (e.g. "Unknown" values)
- Raw values can still be retrieved with get_entries()
When using the properties accessor, fields are normalized and/or coerced to a suitable type (e.g. list of str, str of a particular format).
Bug: b/321154076
Change-Id: Ia56969a838e682a7b7eb1dc0781d48e1e38a2ff0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5446637
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
This CL adds a "early terminate the field based on field value" parser
mechanism to end the field as soon as the field value provides an
unambiguous answer to the question we care about.
This is to prevent over-extraction over certain fields (specifically,
local modifications) which can either be a definitive answer (e.g. No
modification) or multi-line free-form texts (which may contain unknown
fields that we don't care about at this stage).
This mitigates over extraction of README.chromium files like:
```
Local Modifications:
None
How to Uprev:
Steps...
```
Where the old parser would extract "None\n\nHow to Uprev:\nSteps..."
This CL also refactors single line fields to use the same early
termination mechanism since single line field simply ends as soon as
the line is parsed.
Union[Something, None] is changed to Optional[Something] based on
styleguide.
Bug: b/324149233
Change-Id: I3fca80eaceb071263f8ae8730afda230fff0bbb0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5394917
Reviewed-by: Anne Redulla <aredulla@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
This CL adds a "structured" concept to the parser. In a structured
field, the parser will proactively look for field-like patterns to
start a new field (even if they aren't known fields).
This mitigates the issue when an unknown field immediately
follows a multi-line text field, such as:
URL: https://example.com
UnknownField: abc
And URL field value parses to
"https://example.com<newline>UnknownField:abc".
Bug: b/324149233
Change-Id: I54807bd7b242fc14c679483453ade83f8fd20225
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5379679
Reviewed-by: Anne Redulla <aredulla@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
This CL updates the License field validation so that the warning to use
the standard comma separator is only returned if processing the license
value resulted in multiple license types.
Bug: b:309712938
Change-Id: Ic9189b8dd76e60bc3d546dea41fdb36faae8dbb4
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5003558
Auto-Submit: Anne Redulla <aredulla@google.com>
Commit-Queue: Anne Redulla <aredulla@google.com>
Reviewed-by: Dan Le Febvre <dlf@google.com>
Commit-Queue: Dan Le Febvre <dlf@google.com>
This CL expands on the date format validation for third party
metadata. Now, values that are recognized to be using a different format
from the preferred format of YYYY-MM-DD will only return a warning,
instead of an error.
Bug: b:285453019
Change-Id: I344dc863601b4e03e801cdfb3cc5912cfe13b762
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4961973
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Anne Redulla <aredulla@google.com>
This CL changes what is considered valid versioning info. Instead of
both Date and Revision being required if Version was unknown, now only
one of Date or Revision has to be specified.
Bug: b:277147404
Change-Id: Iedb06e2d55f0cd0ef0a2931013a2a52b15befd75
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4852699
Reviewed-by: Gavin Mak <gavinmak@google.com>
Commit-Queue: Anne Redulla <aredulla@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Leave the recipes/ code at 2 space to match the rest of the recipes
project in other repos.
Reformatted using:
files=( $(
git ls-tree -r --name-only HEAD | \
grep -Ev -e '^(third_party|recipes)/' | \
grep '\.py$';
git grep -l '#!/usr/bin/env.*python' | grep -v '\.py$'
) )
parallel ./yapf -i -- "${files[@]}"
~/chromiumos/chromite/contrib/reflow_overlong_comments "${files[@]}"
The files that still had strings that were too long were manually
reformatted because they were easy and only a few issues.
autoninja.py
clang_format.py
download_from_google_storage.py
fix_encoding.py
gclient_utils.py
git_cache.py
git_common.py
git_map_branches.py
git_reparent_branch.py
gn.py
my_activity.py
owners_finder.py
presubmit_canned_checks.py
reclient_helper.py
reclientreport.py
roll_dep.py
rustfmt.py
siso.py
split_cl.py
subcommand.py
subprocess2.py
swift_format.py
upload_to_google_storage.py
These files still had lines (strings) that were too long, so the pylint
warnings were suppressed with a TODO.
auth.py
gclient.py
gclient_eval.py
gclient_paths.py
gclient_scm.py
gerrit_util.py
git_cl.py
presubmit_canned_checks.py
presubmit_support.py
scm.py
Change-Id: Ia6535c4f2c48d46b589ec1e791dde6c6b2ea858f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4836379
Commit-Queue: Josip Sokcevic <sokcevic@chromium.org>
Auto-Submit: Mike Frysinger <vapier@chromium.org>
Reviewed-by: Josip Sokcevic <sokcevic@chromium.org>
All files in metadata/ are new, so they should follow the PEP-8 style.
Change-Id: I5d8424536c3d7b703e6b8087e0e2d70c06a1549c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4834909
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Adds script metadata/scan.py which can be used to search for and
validate Chromium dependency metadata files, given a repository
root directory.
Bug: b:277147404
Change-Id: Ibde0eeb7babe0b1e3f9c7f887bece629d390974a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4823596
Commit-Queue: Anne Redulla <aredulla@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
This CL adds a new function `CheckChromiumDependencyMetadata` in
`presubmit_canned_checks.py`. It can be used to check that files satisfy
the format defined by `README.chromium.template`
(https://chromium.googlesource.com/chromium/src/+/main/third_party/README.chromium.template).
The code for metadata validation can be found in `//metadata`. Note that
all metadata validation issues will be returned as warnings only for
now, while the quality of metadata is being uplifted.
Bug: b:277147404
Change-Id: Iacf1b3a11219ab752549f6dc6e882c93c0fbe780
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4812578
Commit-Queue: Anne Redulla <aredulla@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Reviewed-by: Gavin Mak <gavinmak@google.com>
Reviewed-by: Bruce Dawson <brucedawson@chromium.org>
This is a reland of commit a1cfc693af
The original commit was reverted do to `ModuleNotFoundError`s. I believe this was due to not specifying `metadata` to be part of the `depot_tools` recipe bundle. I have updated `.gitattributes` for this, and also added `__init__.py` files.
I will put the changes to `presubmit_canned_checks.py` in a later CL, once I can confirm `metadata` is being bundled.
Original change's description:
> [ssci] Added CheckChromiumMetadataFiles in presubmit_canned_checks
>
> Bug: b:277147404
> Change-Id: I14a2f11b256bc85fdfe225443ef533c38463ca3e
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4796694
> Reviewed-by: Gavin Mak <gavinmak@google.com>
> Reviewed-by: Rachael Newitt <renewitt@google.com>
> Commit-Queue: Anne Redulla <aredulla@google.com>
Bug: b:277147404
Change-Id: Ibd9efd5970a5393c157ca8763f97064d7c167803
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4803385
Reviewed-by: Rachael Newitt <renewitt@google.com>
Reviewed-by: Gavin Mak <gavinmak@google.com>
Commit-Queue: Anne Redulla <aredulla@google.com>
Jordan
Jiewei Qian
Andrew Grieve
Anne Redulla
Mike Frysinger