commit	acefe5f11a43bf1c85164c1af7c10571de6fa2d0	[log] [tgz]
author	sealesj <103135467+sealesj@users.noreply.github.com>	Wed Nov 23 15:07:43 2022 -0500
committer	GitHub <noreply@github.com>	Wed Nov 23 15:07:43 2022 -0500
tree	0248d9d65f53a5a95190f5d9b1d53534d68c3c01
parent	399fca706b516ec22899f9a13d1f2e634281ec1d [diff]

Vulnerability Scanning on Third Party Deps (#36506)

* initial flatten deps scan

* move 3rd party scan to separate action

* allow fork to run

* install requests

* use packages

* pip install

* rename

* conditional vuln report

* trailing whitespace

* trailing whitespace

* detailed print

* add testing file

* add upload test sarif

* results sarif

* move sarif

* upload modified sarif

* test flow

* test with results.sarif

* formatting

* test naming convention

* description with text in artifactLocation

* don't use locations

* use template sarif

* just use template

* add one field mod

* add another field mod

* use actual osvReport

* add field

* add field

* test

* no information uri

* no information uri

* add name

* template NA data for results

* back to minimal template

* dynamic rules

* template update

* no results

* only use template

* test

* new test

* new test

* add back locations

* descriptive fields

* test

* use package name

* variable commit hash

* add chromium accessibility readme support

* use batch query test

* clean up

* use variables for sarif template

* initial automating ancestor commit

* allow for workflow on testing

* install gitpython in workflow

* wrap in try

* expand try

* check commit is not none

* quiet clone

* fix commit newline

* proper print for failed deps

* remove gitpython

* remove import

* fix origin source

* remove .dart from dep names

* update dep

* typo

* update

* clone into controlled name repo now

* fix github upstream clone url

* test CVE finding

* use templated rule and result

* typo

* remove test CVE

* add link straight to OSV DB

* comments

* use os mkdir

* check time of pinned commit

* quiet git

* print osv api query results if vulns found

* move upstream mapping into DEPS file

* add testing for DEPS file

* add khronos exception

* add basic ancestor commit test

* no vulns message

* do not produce empty sarif

* add yaml

* remove unused python dep

* no change?

* no more print, causing recipe issues

* string test

* string test

* no more fstrings

* convert to .format

* syntax

* remove unused dep

* test

* switch test script

* no encoding

* add back test

* typo

* remove scan flat deps tests again

* update

* fix tests

* typo

* newline

* use checkout dir

* prefix

* update to use prefix

* lint

* runhook attempt

* lint

* lint

* lint

* lint

* no license blurb

* cleanup

* enable for main

* do not raise error

* run on branch

* data indentation

* check file existence

* workflow updates

* add push for testing

* syntax

* workflow test

* test github action

* syntax

* allow empty report

* update cron

* pin hash

* newline

* sort by key with prefix omitted

* alphabetize, copyright header

* pylint tests

* lint

* lint

* trailing whitespace?

* lint

* update

* get error types

* allow test

* use output

* only main branch

* licenses check

* results.sarif

* revert

* license updates

* add upstream

* replace Requests library with urllib, remove pylint wrapper

* lint

* undo license

* clone test nit

* isinstance

* DEPS formatting

Co-authored-by: Zachary Anderson <zanderso@users.noreply.github.com>

* use subprocess.check_output

* lint

* lint

* review syntax from comments

* remove line

* more description in error

* lint

* fix checkout path

* remove duplicate eval

* lint

* lint

* lint

* clone-test mkdir and cleanup

* use shutil.rmtree for non-empty dir

* lint

* linting

* linting

* var name

* Update ci/deps_parser_tests.py

Co-authored-by: Zachary Anderson <zanderso@users.noreply.github.com>

* Update ci/deps_parser_tests.py

Co-authored-by: Zachary Anderson <zanderso@users.noreply.github.com>

* more description

* lint

* refactor deps file parsing

* early return

* lint

Co-authored-by: Zachary Anderson <zanderso@users.noreply.github.com>

.github/workflows/third_party_scan.yml[Added - diff]
DEPS[diff]
ci/deps_parser.py[diff]
ci/deps_parser_tests.py[Added - diff]
ci/scan_flattened_deps.py[Added - diff]

5 files changed

tree: 0248d9d65f53a5a95190f5d9b1d53534d68c3c01

README.md

Flutter Engine

Flutter is Google's SDK for crafting beautiful, fast user experiences for mobile, web, and desktop from a single codebase. Flutter works with existing code, is used by developers and organizations around the world, and is free and open source.

The Flutter Engine is a portable runtime for hosting Flutter applications. It implements Flutter's core libraries, including animation and graphics, file and network I/O, accessibility support, plugin architecture, and a Dart runtime and compile toolchain. Most developers will interact with Flutter via the Flutter Framework, which provides a modern, reactive framework, and a rich set of platform, layout and foundation widgets.

If you want to run/contribute to Flutter Web engine, more tooling can be found at felt. This is a tool written to make web engine development experience easy.

If you are new to Flutter, then you will find more general information on the Flutter project, including tutorials and samples, on our Web site at Flutter.dev. For specific information about Flutter's APIs, consider our API reference which can be found at the docs.flutter.dev.

Flutter is a fully open source project, and we welcome contributions. Information on how to get started can be found at our contributor guide.