Add suppression support for fetch_all.py vulnerability scan

Adds a suppressions file for the Dependency Check gradle plugin. Also improves our error message to make it clearer in the noisy gradle output. Bug: 1114909 Change-Id: Iabed86d80c9a68b2e021940eb948074b09161046 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2354893 Commit-Queue: Mohamed Heikal <mheikal@chromium.org> Reviewed-by: Adrian Taylor <adetaylor@chromium.org> Cr-Commit-Position: refs/heads/master@{#797893}

Add suppression support for fetch_all.py vulnerability scan
Adds a suppressions file for the Dependency Check gradle plugin. Also improves our error message to make it clearer in the noisy gradle output. Bug: 1114909 Change-Id: Iabed86d80c9a68b2e021940eb948074b09161046 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2354893 Commit-Queue: Mohamed Heikal <mheikal@chromium.org> Reviewed-by: Adrian Taylor <adetaylor@chromium.org> Cr-Commit-Position: refs/heads/master@{#797893}
5df5276f · Mohamed Heikal · Commit Bot · e74b31d7 · 5df5276f · 5df5276f
Commit 5df5276f authored Aug 13, 2020 by Mohamed Heikal Committed by Commit Bot Aug 13, 2020
3 changed files
--- a/third_party/android_deps/build.gradle
+++ b/third_party/android_deps/build.gradle
@@ -27,6 +27,7 @@ repositories {
 dependencyCheck {
    // Any known vulnerability of any severity will cause the build to fail.
    failBuildOnCVSS = 0
+    suppressionFile = file("vulnerability_supressions.xml")
 }

 dependencies {

--- a/third_party/android_deps/fetch_all.py
+++ b/third_party/android_deps/fetch_all.py
@@ -55,6 +55,10 @@ _ANDROID_DEPS_LIBS_SUBDIR = os.path.join(_ANDROID_DEPS_SUBDIR, 'libs')
 # Location of the buildSrc directory used implement our gradle task.
 _GRADLE_BUILDSRC_PATH = os.path.join(_ANDROID_DEPS_SUBDIR, 'buildSrc')

+# Location of the suppressions file for the dependency checker plugin
+_GRADLE_SUPRESSIONS_PATH = os.path.join(_ANDROID_DEPS_SUBDIR,
+                                        'vulnerability_supressions.xml')
+
 _JAVA_HOME = os.path.join(_CHROMIUM_SRC, 'third_party', 'jdk', 'current')
 _JETIFY_PATH = os.path.join(_CHROMIUM_SRC, 'third_party',
                            'jetifier_standalone', 'bin',
@@ -414,6 +418,9 @@ def main():
        build_gradle_path,
        _GRADLE_BUILDSRC_PATH:
        os.path.join(args.git_dir, _ANDROID_DEPS_SUBDIR, "buildSrc"),
+        _GRADLE_SUPRESSIONS_PATH:
+        os.path.join(args.git_dir, _ANDROID_DEPS_SUBDIR,
+                     "vulnerability_supressions.xml"),
    }

    if not args.ignore_licenses:
@@ -471,15 +478,19 @@ def main():
        try:
            subprocess.run(gradle_cmd, check=True)
        except subprocess.CalledProcessError:
+            report_path = os.path.join(report_dst,
+                                       'dependency-check-report.html')
            logging.error(
                textwrap.dedent("""
+                   =============================================================================
                   A package has a known vulnerability. It may not be in a package or packages
                   which you just added, but you need to resolve the problem before proceeding.
-                   Please see the vulnerability information in %s. If you can't easily fix it by
-                   rolling the package to a fixed version now, please file a crbug of type=
-                   Bug-Security providing all relevant information, and then rerun this command
-                   with --ignore-vulnerabilities.
-                   """ % report_dst))
+                   If you can't easily fix it by rolling the package to a fixed version now,
+                   please file a crbug of type= Bug-Security providing all relevant information,
+                   and then rerun this command with --ignore-vulnerabilities.
+                   The html version of the report is avialable at: {}
+                   =============================================================================
+                   """.format(report_path)))
            if not args.ignore_vulnerabilities:
                raise
        finally:

--- a/third_party/android_deps/vulnerability_supressions.xml
+++ b/third_party/android_deps/vulnerability_supressions.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+   <suppress until="2020-12-01Z">
+      <notes><![CDATA[
+      Suppress kotlin vulernability. Only affects build tools, not shipped in chrome. Packages that depend on this have yet to be updated.
+      ]]></notes>
+      <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib@.*$</packageUrl>
+      <cve>CVE-2020-15824</cve>
+   </suppress>
+   <suppress until="2020-12-01Z">
+    <notes><![CDATA[
+    Suppress kotlin vulernability. Only affects build tools, not shipped in chrome. Packages that depend on this have yet to be updated.
+    ]]></notes>
+    <packageUrl regex="true">^pkg:maven/org\.jetbrains\.kotlin/kotlin\-stdlib\-common@.*$</packageUrl>
+    <cve>CVE-2020-15824</cve>
+  </suppress>
+</suppressions>