Version 3.4.0

Merge 3.4.0-282.4.beta into stable

.gitattributes

@@ -4,6 +4,7 @@
 *.cpp text eol=lf
 *.h text eol=lf
 *.dart text eol=lf
+*.sh text eol=lf
 
 # Explicitly declare text files we want to be normalized.
 *.gyp text

.github/ISSUE_TEMPLATE/2_cherry_pick.yml

@@ -8,25 +8,25 @@ assignees:
   - vsmenon
   - itsjustkevin
 body:
-  - type: input
+  - type: textarea
     id: commit_hash
     attributes:
       label: Commit(s) to merge
-      description: What are the commit hash(es) that have been merged to main?
+      description: What are the changelist(s) that have been merged to main?
     validations:
       required: true
   - type: input
     id: target
     attributes:
       label: Target
-      description: Should this be cherry-picked to beta, stable or both?
+      description: Should the changes be cherry-picked to beta, stable, or both?
     validations:
       required: true
   - type: input
     id: changelist
     attributes:
       label: Prepared changelist for beta/stable
-      description: Gerrit changelist against beta/stable per https://github.com/dart-lang/sdk/wiki/Cherry-picks-to-a-release-channel
+      description: Gerrit changelist(s) against beta and/or stable per https://github.com/dart-lang/sdk/wiki/Cherry-picks-to-a-release-channel
     validations:
       required: true
   - type: textarea
@@ -50,15 +50,11 @@ body:
       description: Describe the reasons, impacted users and functional issues to explain why this should be cherry-picked.
     validations:
       required: true
-  - type: dropdown
+  - type: textarea
     id: risk
     attributes:
       label: Risk
       description: What is the risk level of this cherry-pick?
-      options:
-        - low
-        - medium
-        - high
     validations:
       required: true
   - type: input

.github/extract_deps.py

@@ -0,0 +1,137 @@
+#!/usr/bin/env python3
+#
+# Copyright 2013 The Flutter Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+#
+# Usage: scan_deps.py --deps <DEPS file> --output <parsed lockfile>
+#
+# This script extracts the dependencies provided from the DEPS file and
+# finds the appropriate git commit hash per dependency for osv-scanner
+# to use in checking for vulnerabilities.
+# It is expected that the lockfile output of this script is then
+# uploaded using GitHub actions to be used by the osv-scanner reusable action.
+
+import argparse
+import json
+import os
+import re
+import shutil
+import subprocess
+import sys
+
+SCRIPT_DIR = os.path.dirname(sys.argv[0])
+CHECKOUT_ROOT = os.path.realpath(os.path.join(SCRIPT_DIR, '..'))
+DEP_CLONE_DIR = CHECKOUT_ROOT + '/clone-test'
+DEPS = os.path.join(CHECKOUT_ROOT, 'DEPS')
+
+
+# Used in parsing the DEPS file.
+class VarImpl:
+  _env_vars = {
+      'host_cpu': 'x64',
+      'host_os': 'linux',
+  }
+
+  def __init__(self, local_scope):
+    self._local_scope = local_scope
+
+  def lookup(self, var_name):
+    """Implements the Var syntax."""
+    if var_name in self._local_scope.get('vars', {}):
+      return self._local_scope['vars'][var_name]
+    # Inject default values for env variables.
+    if var_name in self._env_vars:
+      return self._env_vars[var_name]
+    raise Exception('Var is not defined: %s' % var_name)
+
+
+def extract_deps(deps_file):
+  local_scope = {}
+  var = VarImpl(local_scope)
+  global_scope = {
+      'Var': var.lookup,
+      'deps_os': {},
+  }
+  # Read the content.
+  with open(deps_file, 'r') as file:
+    deps_content = file.read()
+
+  # Eval the content.
+  exec(deps_content, global_scope, local_scope)
+
+  if not os.path.exists(DEP_CLONE_DIR):
+    os.mkdir(DEP_CLONE_DIR)  # Clone deps with upstream into temporary dir.
+
+  # Extract the deps and filter.
+  deps = local_scope.get('deps', {})
+  filtered_osv_deps = []
+  for _, dep in deps.items():
+    # We currently do not support packages or cipd which are represented
+    # as dictionaries.
+    if not isinstance(dep, str):
+      continue
+
+    dep_split = dep.rsplit('@', 1)
+    filtered_osv_deps.append({
+          'package': {'name': dep_split[0], 'commit': dep_split[1]}
+      })
+
+  try:
+    # Clean up cloned upstream dependency directory.
+    shutil.rmtree(
+        DEP_CLONE_DIR
+    )  # Use shutil.rmtree since dir could be non-empty.
+  except OSError as clone_dir_error:
+    print(
+        'Error cleaning up clone directory: %s : %s' %
+        (DEP_CLONE_DIR, clone_dir_error.strerror)
+    )
+
+  osv_result = {
+      'packageSource': {'path': deps_file, 'type': 'lockfile'},
+      'packages': filtered_osv_deps
+  }
+  return osv_result
+
+
+def parse_args(args):
+  args = args[1:]
+  parser = argparse.ArgumentParser(
+      description='A script to find common ancestor commit SHAs'
+  )
+
+  parser.add_argument(
+      '--deps',
+      '-d',
+      type=str,
+      help='Input DEPS file to extract.',
+      default=os.path.join(CHECKOUT_ROOT, 'DEPS')
+  )
+  parser.add_argument(
+      '--output',
+      '-o',
+      type=str,
+      help='Output osv-scanner compatible deps file.',
+      default=os.path.join(CHECKOUT_ROOT, 'osv-lockfile.json')
+  )
+
+  return parser.parse_args(args)
+
+
+def write_manifest(deps, manifest_file):
+  output = {'results': [deps]}
+  print(json.dumps(output, indent=2))
+  with open(manifest_file, 'w') as manifest:
+    json.dump(output, manifest, indent=2)
+
+
+def main(argv):
+  args = parse_args(argv)
+  deps = extract_deps(args.deps)
+  write_manifest(deps, args.output)
+  return 0
+
+
+if __name__ == '__main__':
+  sys.exit(main(sys.argv))

.github/workflows/scorecards-analysis.yml

@@ -23,7 +23,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
         with:
           persist-credentials: false
 
@@ -43,7 +43,7 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/third-party-deps-scan.yml

@@ -0,0 +1,55 @@
+name: Third party deps scan
+on:
+  # Only the default branch is supported.
+  branch_protection_rule:
+  push:
+    branches: [ main ]
+  pull_request:
+    types: [ labeled ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  extract-deps:
+    name: Extract Dependencies
+    runs-on: ubuntu-20.04
+    if: ${{ (github.repository == 'dart-lang/sdk' && github.event_name == 'push') || github.event.label.name == 'vulnerability scan' }}
+    permissions:
+      # Needed to upload the SARIF results to code-scanning dashboard.
+      security-events: write
+      contents: read
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633
+        with:
+          persist-credentials: false
+      - name: "setup python"
+        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c
+        with:
+          python-version: '3.7.7' # install the python version needed
+      - name: "extract deps, find commit hash, pass to osv-scanner"
+        run: python .github/extract_deps.py --output osv-lockfile-${{github.sha}}.json
+      - name: "upload osv-scanner deps"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
+        with:
+          # use github.ref in name to avoid duplicated artifacts
+          name: osv-lockfile-${{github.sha}}
+          path: osv-lockfile-${{github.sha}}.json
+          retention-days: 2
+  vuln-scan:
+    name: Vulnerability scanning
+    needs:
+      extract-deps
+    uses: "google/osv-scanner/.github/workflows/osv-scanner-reusable.yml@main"
+    with:
+      # Download the artifact uploaded in extract-deps step
+      download-artifact: osv-lockfile-${{github.sha}}
+      scan-args: |-
+        --lockfile=osv-scanner:osv-lockfile-${{github.sha}}.json
+      fail-on-vuln: false
+    # makes sure the osv-formatted vulns are uploaded
+    permissions:
+      # Needed to upload the SARIF results to code-scanning dashboard.
+      security-events: write
+      contents: read

.gitignore

@@ -111,3 +111,4 @@ tools/xcodebuild
 logs/logs.json
 logs/results.json
 .dart_tool/bisect_dart/
+doc/api/

BUILD.gn

@@ -42,7 +42,6 @@ group("runtime") {
 
   deps = [
     "runtime/bin:dart",
-    "runtime/bin:entrypoints_verification_test",
     "runtime/bin:ffi_test_dynamic_library",
     "runtime/bin:ffi_test_functions",
     "runtime/bin:process_test",
@@ -52,6 +51,10 @@ group("runtime") {
     "utils/dartdev:dartdev",
     "utils/kernel-service:kernel-service",
   ]
+  if (!is_win) {
+    # The test isn't run on windows
+    deps += [ "runtime/bin:entrypoints_verification_test" ]
+  }
 
   # This flag is set in runtime/runtime_args.gni
   # The analyze_snapshot tool is only supported on 64 bit AOT builds running
@@ -188,15 +191,14 @@ if (is_fuchsia) {
       ]
       resource_files = [
         ".dart_tool/package_config.json",
-        "pkg/testing/test/hello_test.dart",
         "tools/addlatexhash.dart",
       ]
       resource_dirs = [
         "pkg/async_helper",
         "pkg/expect",
         "pkg/meta",
         "tests/ffi",
-        "third_party/pkg/ffi",
+        "third_party/pkg/native/pkgs/ffi",
         "third_party/pkg/path",
       ]
       resources = []