Android: gradle dependencyCheckAnalyze.

Each time a dependency is changed, the script will now check for known
vulnerabilities. This is not perfect since ideally we'd be checking on
a regular cadence; it's likely that equivalent functionality will be
moved into Vomit or some other automated system in the future, but this
is a good interim step to ensure that a large fraction of Chrome's
open-source dependencies (212 out of 717) have some automated monitoring
for vulnerabilities, where they previously had only manual monitoring.

Testing done:
* Add this line to build.gradle and ensure fetch_all.py fails
  with the desired diagnostics.
   compile "org.jetbrains.kotlin:kotlin-stdlib:1.2.70"
* Add --ignore-vulnerabilities and ensure it continues.

Bug: 1105911
Bug: 895969
Change-Id: If017d73765ef366959595facb000fc52a528cd08
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2317706
Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
Commit-Queue: Peter Wen <wnwen@chromium.org>
Reviewed-by: Andrew Grieve <agrieve@chromium.org>
Reviewed-by: Peter Wen <wnwen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#791951}

third_party/android_deps/README.chromium

@@ -36,3 +36,7 @@ third_party/android_deps
 
 Instructions for adding/updating dependencies are in:
     //third_party/android_deps/README.md
+
+Vulnerability detection: fetch_all.py runs 'gradle dependencyCheckAnalyze' to look
+for known vulnerabilities each time the script is run. It is expected that Vomit
+(go/vomit) will absorb this responsibility in future.

third_party/android_deps/build.gradle

@@ -4,6 +4,19 @@
 
 apply plugin: ChromiumPlugin
 
+buildscript {
+  repositories {
+    maven {
+      url "https://plugins.gradle.org/m2/"
+    }
+  }
+  dependencies {
+    classpath "org.owasp:dependency-check-gradle:5.3.2.1"
+  }
+}
+
+apply plugin: "org.owasp.dependencycheck"
+
 repositories {
     mavenCentral()
     maven {
@@ -11,6 +24,11 @@ repositories {
     }
 }
 
+dependencyCheck {
+    // Any known vulnerability of any severity will cause the build to fail.
+    failBuildOnCVSS = 0
+}
+
 dependencies {
     // Note about the configuration names: they are defined in buildSrc/ChromiumPlugin
 

third_party/android_deps/fetch_all.py

@@ -23,6 +23,7 @@ import contextlib
 import fnmatch
 import logging
 import tempfile
+import textwrap
 import os
 import re
 import shutil
@@ -384,6 +385,9 @@ def main():
     parser.add_argument('--ignore-licenses',
                         help='Ignores licenses for these deps.',
                         action='store_true')
+    parser.add_argument('--ignore-vulnerabilities',
+                        help='Ignores vulnerabilities for these deps.',
+                        action='store_true')
     parser.add_argument('-v',
                         '--verbose',
                         dest='verbose_count',
@@ -403,8 +407,6 @@ def main():
         raise Exception('Not a directory: ' + abs_git_dir)
 
     build_gradle_path = os.path.join(args.git_dir, _ANDROID_DEPS_BUILD_GRADLE)
-    build_gradle_abs_path = os.path.join(abs_git_dir,
-                                         _ANDROID_DEPS_BUILD_GRADLE)
     # The list of files and dirs that are copied to the build directory by this
     # script. Should not include _UPDATED_GIT_FILES.
     copied_paths = {
@@ -444,6 +446,46 @@ def main():
             CopyFileOrDirectory(os.path.join(_CHROMIUM_SRC, path),
                                 os.path.join(build_dir, dest))
 
+        logging.info(
+            'Running Gradle dependencyCheckAnalyze. This may take a few minutes the first time.'
+        )
+        # Not run as part of the main gradle command below
+        # such that we can provide specific diagnostics in case
+        # of failure of this build stage.
+        gradle_cmd = [
+            gradle_wrapper_path,
+            '-b',
+            os.path.join(build_dir, build_gradle_path),
+            'dependencyCheckAnalyze',
+        ]
+        if debug:
+            gradle_cmd.append('--debug')
+
+        report_src = os.path.join(build_dir, _ANDROID_DEPS_SUBDIR, 'build',
+                                  'reports')
+        report_dst = os.path.join(_CHROMIUM_SRC, _ANDROID_DEPS_SUBDIR,
+                                  'vulnerability_reports')
+        if os.path.exists(report_dst):
+            shutil.rmtree(report_dst)
+
+        try:
+            subprocess.run(gradle_cmd, check=True)
+        except subprocess.CalledProcessError:
+            logging.error(
+                textwrap.dedent("""
+                   A package has a known vulnerability. It may not be in a package or packages
+                   which you just added, but you need to resolve the problem before proceeding.
+                   Please see the vulnerability information in %s. If you can't easily fix it by
+                   rolling the package to a fixed version now, please file a crbug of type=
+                   Bug-Security providing all relevant information, and then rerun this command
+                   with --ignore-vulnerabilities.
+                   """ % report_dst))
+            if not args.ignore_vulnerabilities:
+                raise
+        finally:
+            if os.path.exists(report_src):
+                CopyFileOrDirectory(report_src, report_dst)
+
         logging.info('Running Gradle.')
         # This gradle command generates the new DEPS and BUILD.gn files, it can
         # also handle special cases.