
Adding CPEs for a few dependencies.

CPEs are the way that MITRE tracks different projects and versions, and
that's the input required by Vomit, Google's automated vulnerability
notification system. At present Vomit is unable to identify the versions
for these components and is therefore reporting the wrong CVEs in crbugs.

Adding this CPEPrefix line will enable Vomit to notify for any
vulnerabilities affecting these versions.

This is the first such change to README.chromium files. If successful,
CPEPrefix lines will be added to many others too.

Bug: 895969
Change-Id: Ibec5adf9069cdc20e40fb13658e7b056e938f5ce
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2053847
Reviewed-by: Charlie Reis <creis@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Commit-Queue: Adrian Taylor <adetaylor@chromium.org>
Auto-Submit: Adrian Taylor <adetaylor@chromium.org>
Cr-Commit-Position: refs/heads/master@{#746237}
Adrian Taylor
2020-03-03 05:00:07 +00:00
committed by Commit Bot
parent 586bdb3062
commit 0a06ec3a93
7 changed files with 24 additions and 0 deletions

@ -123,6 +123,24 @@ into the product and does any of the following:
* Collects new data
* Influences or sets security-related policy (including the user experience)
One of the fields is CPEPrefix. This is used by Chromium and Google systems to
spot known upstream security vulnerabilities, and ensure we merge the fixes
into our third-party copy. These systems are not foolproof, so as the OWNER,
it's up to you to keep an eye out rather than solely relying on these
automated systems. But, adding CPEs decreases the chances of us missing
vulnerabilities, so they should always be added if possible.
The CPE is a common format shared across the industry; you can look up the CPE
for your package [here](https://nvd.nist.gov/products/cpe/search). Please use
CPE format 2.2. When searching for a CPE, you may find that there is not yet
a CPE for the specific upstream version you're using. This is normal, as CPEs
are typically allocated only when a vulnerability is found. You should follow
the version number convention such that, when that does occur in future, we'll
be notified. If no CPE is available, please specify "unknown".
You may sometimes find that your package lacks a CPE, in which case this line
can be omitted. If it does have a CPE, though, you should specify it.
### Add a LICENSE file and run related checks
You need a LICENSE file. Example:
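Review bot: the last two paragraphs of this hunk contradict each other: the first ends with 'If no CPE is available, please specify "unknown"', and the next says that when a package lacks a CPE 'this line can be omitted'. Pick one rule (the README.chromium.template hunk in this same change says "unknown") and drop or reword the other paragraph. The sentence 'You should follow the version number convention such that, when that does occur in future, we'll be notified' should also say concretely what to do, e.g. take the vendor and product parts from an existing CPE for the same package and append the upstream version actually shipped, as the template's cpe:/a:xmlsoft:libxslt:1.0.10 example does.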

@ -8,6 +8,7 @@ License: The license under which the package is distributed. Standard forms are
License File: (OPTIONAL) File that contains a copy of the package's license. Use the special value NOT_SHIPPED to indicate that the package is not included in the shipped product, so its license does not need to be included in about:credits and no license file is required.
Security Critical: Either yes or no depending on whether this package is shipped in releases. For example openssl is critical where cygwin is not.
License Android Compatible: (OPTIONAL) Whether the package uses a license compatible with Android. Required only if the package is compatible and the 'License' field uses a non-standard value.
CPEPrefix: (OPTIONAL) A 'common platform enumeration' version 2.2, as per https://nvd.nist.gov/products/cpe/search, which represents the upstream package. This will be used to report known vulnerabilities in the upstream software package, such that we can be sure to merge fixes for those vulnerabilities. Please ensure you're using the closest applicable upstream version, according to the standard format for the CPE for that package. For example, cpe:/a:xmlsoft:libxslt:1.0.10. If no CPE is available for the package, please specify "unknown".
Description:
A short description of what the package is and is used for.
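Review bot: CPEPrefix is labelled (OPTIONAL) but the field text ends with 'If no CPE is available for the package, please specify "unknown"'; if "unknown" must be written when there is no CPE, the field is effectively required and the OPTIONAL marker is misleading. Either drop (OPTIONAL) or replace the last sentence with 'omit the field if no CPE exists', matching whichever rule the README.md hunk settles on.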

@ -2,6 +2,7 @@ Name: Expat XML Parser
Short Name: expat
URL: https://github.com/libexpat/libexpat
Version: R_2_2_9-45-g63abbcd
CPEPrefix: cpe:/a:libexpat:expat:2.2.9
Date: 20191122
Revision: 63abbcdb3b743049bb3ee9e962a3280a3dad4191
Security Critical: yes
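Review bot: Version is R_2_2_9-45-g63abbcd, i.e. 45 commits past the 2.2.9 tag, while CPEPrefix records 2.2.9. That follows the 'closest applicable upstream version' guidance in the template, but fixes already present in those 45 commits may then be reported as open against this copy; consider a one-line note here so whoever bumps Revision next re-checks CPEPrefix against the newer tag.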

@ -2,6 +2,7 @@ Name: harfbuzz-ng
Short Name: harfbuzz-ng
URL: http://harfbuzz.org
Version: 2.6.4-458
CPEPrefix: cpe:/a:harfbuzz_project:harfbuzz:2.6.4
Date: 20200206
Revision: 63b8190db884d9ae88a80336067eab539a44b882
Security Critical: yes
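Review bot: same situation as expat: Version 2.6.4-458 is 458 commits past 2.6.4, and CPEPrefix records 2.6.4, so reports for issues fixed in that span are to be expected until the next release tag is rolled; a short note would save the next roller from re-deriving this.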

@ -1,6 +1,7 @@
Name: libpng
URL: http://libpng.org/
Version: 1.6.37
CPEPrefix: cpe:/a:libpng:libpng:1.6.37
Security Critical: yes
License: libpng license
License Android Compatible: yes

@ -1,6 +1,7 @@
Name: libvpx
URL: http://www.webmproject.org
Version: v1.8.2
CPEPrefix: cpe:/a:john_koleszar:libvpx:1.8.2
License: BSD
License File: source/libvpx/LICENSE
Security Critical: yes
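Review bot: the vendor part of the CPE, john_koleszar, does not match the project URL two lines above (www.webmproject.org); please confirm it is the vendor string NVD actually uses for the libvpx CVEs this should match, since a mismatched vendor matches nothing and the notification silently never fires. If NVD lists the package under more than one vendor, record the choice in this README.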

@ -1,6 +1,7 @@
Name: libxslt
URL: http://xmlsoft.org/XSLT
Version: 3653123f992db24cec417d12600f4c67388025e3
CPEPrefix: cpe:/a:xmlsoft:libxslt:1.1.34
Security Critical: yes
License: MIT
License File: src/Copyright
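Review bot: Version here is a bare git hash (3653123f992db24cec417d12600f4c67388025e3), so nothing in the file ties it to the 1.1.34 that CPEPrefix asserts. Please add the upstream release the hash corresponds to (in the Version line or a comment next to CPEPrefix) so a future roll can tell when CPEPrefix has gone stale.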