STS test information update and waiver process

Starting in April, builds declaring SECURITY_PATCH 2019-05-01 or later must pass all STS tests.

We’re starting the waiver process for STS from April

We appreciate your collaboration with the new process to roll out the STS (Security Test Suite), a test suite that helps validate whether your Android software build is vulnerable to CVEs (common vulnerabilities and exposures) that were reported in the security bulletins up to the reported SECURITY_PATCH.

Starting April, all software builds declaring the SECURITY_PATCH 2019-05-01 or later will only be approved when every STS failure is addressed. We recognize there will be cases where waivers will be needed, so we are planning to align the process dealing with the STS test failures with the process you already are familiar with for other test suites (CTS, GTS) as below.

Upon encountering a failure, you must:

  1. Analyze whether your software build is actually vulnerable to the CVE or whether the STS test is inaccurately reporting the build as vulnerable. If you believe the STS test is inaccurate, do the following:
    a. Prepare a statement indicating why the software build is not vulnerable (e.g. if you did not take the patch directly from AOSP, provide the patch you used; if you believe your device is not vulnerable for other reasons, articulate those reasons).
    b. Request a waiver for the STS failure, accompanied by the other information requested in the Buganizer template, by assigning it to,.
  2. Upon receipt of a complete waiver bug, the Android Security team will review the request. If the request is found reasonable, the Buganizer item will be added to a waiver hotlist to indicate that the waiver is approved, similar to how CTS and GTS failures are reviewed.
  3. If your build is actually vulnerable to the CVE, there will be no waiver. Address the root cause and submit a new software build approval request.

We also want to use this opportunity to clarify that the statement "partners are not required to pass STS" in the previous announcement must not be interpreted to mean that it is acceptable to override the CDD section 3.2.2 requirement that a software build has addressed all the CVEs leading up to the reported SECURITY_PATCH level. It only means that GMS license approval is not blocked by technical failures encountered while running STS, or by test failures that STS reports incorrectly.
