This adds a new way to report CVEs that includes an accompanying
description. It also adds a new validation check that ensures that the
CVE description is present for every entry listed in the 'Mitigated:'
field.
Bug: b/392026683
Change-Id: Ie55595970b49d705ac532f1f8c41ff47d959f56c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6211644
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
This field stores a list of comma-separated CVE IDs that the dependency mitigates.
The field is validated to contain only valid CVE IDs.
Bug: b/392026683
Change-Id: I9578fc709086131695cfa7eee51e717c24440853
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6197756
Reviewed-by: Jiewei Qian <qjw@chromium.org>
Commit-Queue: Jordan Brown <rop@google.com>
Reciprocal licenses can only be used in open source projects.
This change updates the presubmit validation checks to accept an
optional flag `allow_reciprocal_licenses`. When True, the allowlist is
extended to include reciprocal licenses.
Bug: 385020146
Change-Id: I0374658207bc87ffd74e033762ee4973c6e83b3b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/6107863
Reviewed-by: Jordan Brown <rop@google.com>
Auto-Submit: Jordan Brown <rop@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
This CL introduces a validation rule for "Revision: DEPS" syntax
so dependencies managed by DEPS and autorolled can use it to declare
their versioning metadata.
Bug: b/335761679
Change-Id: I0b4f99d281543f9295b122ac71036b06205a6168
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5904321
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Rachael Newitt <renewitt@google.com>
If Chromium is the canonical repository, the version of the dependency
is essentially Chromium.
Change-Id: Ifcb80dbeee0d36bf71234f8f48423e8f7aa9dcf0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5772151
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Adds support to report line numbers when validation fails.
Change-Id: Iba94c5b3582d7e51f15d266d188909d3a82b75cb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5740963
Reviewed-by: Jordan Brown <rop@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
Reviewed-by: Anne Redulla <aredulla@google.com>
This CL adds a typed interface that exposes parsed metadata for
downstream consumption.
Conventionally:
- A validated field should be retrieved by the property of the same name
- A validated field returns "None" if said field is not provided, or is
clearly invalid (e.g. "Unknown" values)
- Raw values can still be retrieved with get_entries()
When using the properties accessor, fields are normalized and/or coerced to a suitable type (e.g. list of str, str of a particular format).
Bug: b/321154076
Change-Id: Ia56969a838e682a7b7eb1dc0781d48e1e38a2ff0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/5446637
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Jiewei Qian <qjw@chromium.org>
This CL changes what is considered valid versioning info. Instead of
both Date and Revision being required if Version was unknown, now only
one of Date or Revision has to be specified.
Bug: b:277147404
Change-Id: Iedb06e2d55f0cd0ef0a2931013a2a52b15befd75
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4852699
Reviewed-by: Gavin Mak <gavinmak@google.com>
Commit-Queue: Anne Redulla <aredulla@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
All files in metadata/ are new, so they should follow the PEP-8 style.
Change-Id: I5d8424536c3d7b703e6b8087e0e2d70c06a1549c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4834909
Reviewed-by: Rachael Newitt <renewitt@google.com>
Commit-Queue: Rachael Newitt <renewitt@google.com>
Adds script metadata/scan.py which can be used to search for and
validate Chromium dependency metadata files, given a repository
root directory.
Bug: b:277147404
Change-Id: Ibde0eeb7babe0b1e3f9c7f887bece629d390974a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4823596
Commit-Queue: Anne Redulla <aredulla@google.com>
Reviewed-by: Rachael Newitt <renewitt@google.com>
This is a reland of commit a1cfc693af
The original commit was reverted do to `ModuleNotFoundError`s. I believe this was due to not specifying `metadata` to be part of the `depot_tools` recipe bundle. I have updated `.gitattributes` for this, and also added `__init__.py` files.
I will put the changes to `presubmit_canned_checks.py` in a later CL, once I can confirm `metadata` is being bundled.
Original change's description:
> [ssci] Added CheckChromiumMetadataFiles in presubmit_canned_checks
>
> Bug: b:277147404
> Change-Id: I14a2f11b256bc85fdfe225443ef533c38463ca3e
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4796694
> Reviewed-by: Gavin Mak <gavinmak@google.com>
> Reviewed-by: Rachael Newitt <renewitt@google.com>
> Commit-Queue: Anne Redulla <aredulla@google.com>
Bug: b:277147404
Change-Id: Ibd9efd5970a5393c157ca8763f97064d7c167803
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/tools/depot_tools/+/4803385
Reviewed-by: Rachael Newitt <renewitt@google.com>
Reviewed-by: Gavin Mak <gavinmak@google.com>
Commit-Queue: Anne Redulla <aredulla@google.com>
Jordan Brown
Jiewei Qian
Anne Redulla