Re-Enable Vulnerability 3p Scanning Workflow (#42049)

sealesj · web-flow · commit 47fd496c6f8d · 2023-05-17T16:22:58.000Z
After migrating to standalone yaml (rather than included as a part of the scorecards yaml), the vuln scanning workflow needs to be re-enabled with sarif results uploading to the dashboard under the security tab. A successful test run of this workflow can be seen at https://github.com/flutter/engine/actions/runs/4982210161 (in linked run, fails to upload SARIF file given lack of permissions on any branch besides default) This change also adds use of cwd in python subprocess commands rather than using directory prefix in command string. Addresses b/280294707 *If you had to change anything in the [flutter/tests] repo, include a link to the migration guide as per the [breaking change policy].* [C++, Objective-C, Java style guides]: https://github.com/flutter/engine/blob/main/CONTRIBUTING.md#style
diff --git a/.github/workflows/third_party_scan.yml b/.github/workflows/third_party_scan.yml
@@ -22,5 +22,19 @@ jobs:
         uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
         with:
           python-version: '3.7.7' # install the python version needed
-      - name: "execute py script"
+      - name: "extract and flatten deps"
         run: python ci/deps_parser.py
+      - name: "scan deps for vulnerabilities"
+        run: python ci/scan_flattened_deps.py
+      # Upload the results as artifacts.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+        with:
+          name: SARIF file
+          path: osvReport.sarif
+          retention-days: 5
+      # Upload the results to GitHub's code scanning dashboard.
+      - name: "Upload to security tab"
+        uses: github/codeql-action/upload-sarif@29b1f65c5e92e24fe6b6647da1eaabe529cec70f
+        with:
+          sarif_file: osvReport.sarif
diff --git a/ci/scan_flattened_deps.py b/ci/scan_flattened_deps.py
@@ -33,10 +33,15 @@
 sarif_log = {
     '$schema':
         'https://json.schemastore.org/sarif-2.1.0.json', 'version':
-            '2.1.0', 'runs': [{
-                'tool': {'driver': {'name': 'OSV Scan', 'rules': []}},
-                'results': []
-            }]
+            '2.1.0',
+    'runs': [{
+        'tool': {
+            'driver': {
+                'name': 'OSV Scan', 'informationUri': 'https://osv.dev/',
+                'semanticVersion': '1.0.0', 'rules': []
+            }
+        }, 'results': []
+    }]
 }
 
 
@@ -49,9 +54,7 @@ def sarif_result():
       'ruleId':
           'N/A', 'message': {'text': 'OSV Scan Finding'}, 'locations': [{
               'physicalLocation': {
-                  'artifactLocation': {
-                      'uri': 'No location associated with this finding'
-                  },
+                  'artifactLocation': {'uri': 'DEPS'},
                   'region': {'startLine': 1, 'startColumn': 1, 'endColumn': 1}
               }
           }]
@@ -184,56 +187,48 @@ def get_common_ancestor_commit(dep, deps_list):
     upstream = deps_list.get(UPSTREAM_PREFIX + dep_name)
     temp_dep_dir = DEP_CLONE_DIR + '/' + dep_name
     # clone dependency from mirror
-    subprocess.check_output([
-        'git', 'clone', '--quiet', '--', dep[0], temp_dep_dir
-    ])
+    subprocess.check_output(['git', 'clone', '--quiet', '--', dep[0], dep_name],
+                            cwd=DEP_CLONE_DIR)
 
     # create branch that will track the upstream dep
     print(
         'attempting to add upstream remote from: {upstream}'.format(
             upstream=upstream
         )
     )
-    subprocess.check_output([
-        'git', '--git-dir', temp_dep_dir + '/.git', 'remote', 'add', 'upstream',
-        upstream
-    ])
-    subprocess.check_output([
-        'git', '--git-dir', temp_dep_dir + '/.git', 'fetch', '--quiet',
-        'upstream'
-    ])
+    subprocess.check_output(['git', 'remote', 'add', 'upstream', upstream],
+                            cwd=temp_dep_dir)
+    subprocess.check_output(['git', 'fetch', '--quiet', 'upstream'],
+                            cwd=temp_dep_dir)
     # get name of the default branch for upstream (e.g. main/master/etc.)
     default_branch = subprocess.check_output(
-        'git --git-dir ' + temp_dep_dir + '/.git remote show upstream ' +
-        "| sed -n \'/HEAD branch/s/.*: //p\'",
+        'git remote show upstream ' + "| sed -n \'/HEAD branch/s/.*: //p\'",
+        cwd=temp_dep_dir,
         shell=True
     )
     default_branch = byte_str_decode(default_branch)
     default_branch = default_branch.strip()
-    print(
-        'default_branch found: {default_branch}'.format(
-            default_branch=default_branch
-        )
-    )
+
     # make upstream branch track the upstream dep
     subprocess.check_output([
-        'git', '--git-dir', temp_dep_dir + '/.git', 'checkout', '-b',
-        'upstream', '--track', 'upstream/' + default_branch
-    ])
+        'git', 'checkout', '--force', '-b', 'upstream', '--track',
+        'upstream/' + default_branch
+    ],
+                            cwd=temp_dep_dir)
     # get the most recent commit from default branch of upstream
     commit = subprocess.check_output(
-        'git --git-dir ' + temp_dep_dir + '/.git for-each-ref ' +
+        'git for-each-ref ' +
         "--format=\'%(objectname:short)\' refs/heads/upstream",
+        cwd=temp_dep_dir,
         shell=True
     )
     commit = byte_str_decode(commit)
     commit = commit.strip()
 
     # perform merge-base on most recent default branch commit and pinned mirror commit
     ancestor_commit = subprocess.check_output(
-        'git --git-dir {temp_dep_dir}/.git merge-base {commit} {depUrl}'.format(
-            temp_dep_dir=temp_dep_dir, commit=commit, depUrl=dep[1]
-        ),
+        'git merge-base {commit} {depUrl}'.format(commit=commit, depUrl=dep[1]),
+        cwd=temp_dep_dir,
         shell=True
     )
     ancestor_commit = byte_str_decode(ancestor_commit)
