Avoid alerting CG when an intermediate nupkg contains "vulnerable" dependencies #13935
Merged
mmitche
merged 2 commits into
dotnet:main
from
mmitche:delete-intermediate-dir-after-populating-cache
Aug 2, 2023
Conversation
…pendencies. This change resolves dotnet/source-build#3559.

When a repo restores the source build intermediates and places them in the package cache, it's essentially populating a local nuget feed. This feed should act as a set of packages that _may_ be used, but are not necessarily used. When a package is restored from this feed, it is extracted and appears in the package root. Component Detection, unfortunately, picks up any .nupkg file that exists under the source or artifacts directories, which picks up the local package cache, even if those packages are not used by the repo. This tends to generate noise for repos because of SBRP's contents.

To fix this issue, we apply two changes:

- Delete the intermediate nupkg's extracted location after populating the cache
  - The PackageReferences used to obtain the source build intermediates populate the nuget package root. We then copy the nupkg contents (nupkgs themselves) into the package cache. At this point, the original extracted nupkg is of no use. Deleting it removes one location where CG may detect .nupkgs that are available, but not necessarily used, by the repo.
- Use an explicit CG scanning step that excludes the package cache
  - Alter the source-build template to exclude the package cache (local feed).

This leaves the nuget package root "cleaner" as it should contain only .nupkg files that are actually utilized by the repo, and detection will include only the packages that are actually used by the repo.
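The noise mechanism the description explains (a scanner that treats every `.nupkg` under the source or artifacts tree as a dependency, so a local feed full of SBRP packages shows up as used) can be modelled in a few lines. The following Python is an added example, not code from dotnet/arcade or from this PR: it lays out a constructed repo in a temp directory, runs a naive "every nupkg under the root" scan, then applies the two changes from the PR (delete the extracted intermediate, exclude the package cache from the scan) and scans again. The directory names, package ids and the `microsoft.sourcebuild.intermediate` path are invented for illustration and do not reflect the real layout.

```python
"""
Added example (not part of dotnet/arcade or PR #13935): a toy model of the
Component Governance (CG) noise the PR describes.  Everything below is
constructed for illustration; package ids and paths are hypothetical.
"""
import shutil
import tempfile
from pathlib import Path

# Constructed inventory: package ids the repo's projects actually reference.
USED_BY_REPO = {"Used.Lib.1.0.0"}

# Constructed inventory: everything the source-build intermediate ships.
# It includes SBRP contents the repo never consumes, one of them "vulnerable".
INTERMEDIATE_CONTENTS = {
    "Used.Lib.1.0.0",
    "Unused.Sbrp.Pkg.2.0.0",
    "Old.Vulnerable.Dep.0.9.0",
}


def build_repo(root: Path) -> dict:
    """Lay out the three locations the PR description talks about."""
    pkg_root = root / ".packages"                                  # nuget package root
    cache = root / "artifacts" / "source-build" / "package-cache"  # local feed
    # Hypothetical extracted location of the intermediate PackageReference.
    intermediate = pkg_root / "microsoft.sourcebuild.intermediate" / "8.0.0"
    intermediate.mkdir(parents=True)
    cache.mkdir(parents=True)
    # Restoring the intermediate extracts its nupkgs into the package root,
    # and the build then copies them into the package cache (the local feed).
    for pid in INTERMEDIATE_CONTENTS:
        (intermediate / f"{pid}.nupkg").touch()
        (cache / f"{pid}.nupkg").touch()
    # The repo restores only the packages it really uses from that feed.
    for pid in USED_BY_REPO:
        used_dir = pkg_root / pid
        used_dir.mkdir(parents=True)
        (used_dir / f"{pid}.nupkg").touch()
    return {"root": root, "cache": cache, "intermediate": intermediate}


def scan_nupkgs(root: Path, excluded: tuple = ()) -> set:
    """Naive CG-style detection: every *.nupkg under root, minus excluded subtrees."""
    found = set()
    for p in root.rglob("*.nupkg"):
        if any(p.is_relative_to(ex) for ex in excluded):
            continue
        found.add(p.stem)  # "<id>.<version>" from the file name
    return found


def apply_pr_changes(layout: dict) -> set:
    """The two changes from the PR: drop the extracted intermediate, exclude the cache."""
    shutil.rmtree(layout["intermediate"])
    return scan_nupkgs(layout["root"], excluded=(layout["cache"],))


def demo() -> tuple:
    """Return (detected before the PR, detected after the PR) for the toy repo."""
    tmp = Path(tempfile.mkdtemp())
    try:
        layout = build_repo(tmp)
        before = scan_nupkgs(tmp)           # picks up cache + extracted intermediate
        after = apply_pr_changes(layout)    # only what the repo restored
        return before, after
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    before, after = demo()
    print("before:", sorted(before))
    print("after: ", sorted(after))
```

Before the changes, the scan reports all three intermediate packages, including the unused "vulnerable" one; after them it reports only `Used.Lib.1.0.0`, which is the set the PR wants CG to see.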
mmitche force-pushed the delete-intermediate-dir-after-populating-cache branch from 1c3b051 to 2025b01 on August 1, 2023 23:14
oleksandr-didyk previously approved these changes on Aug 2, 2023
mthalman reviewed on Aug 2, 2023
mthalman approved these changes on Aug 2, 2023
This was referenced Dec 7, 2023 and Dec 8, 2023
mikem8361 pushed a commit to dotnet/diagnostics that referenced this pull request on Dec 9, 2023:
Prebuilt detection no longer detects Microsoft.SourceBuild.Intermediates as prebuilts due to dotnet/arcade#13935. Addresses dotnet/source-build#3010
rainersigwald pushed a commit to dotnet/msbuild that referenced this pull request on Dec 12, 2023:
Prebuilt detection no longer detects Microsoft.SourceBuild.Intermediates as prebuilts due to dotnet/arcade#13935. Addresses dotnet/source-build#3010
Is it possible to backport this change into release/8.0? Asking as command-line-utils downgrades from Arcade 9 to Arcade 8 because of the .NET SDK requirement.
To double check: