Address component government alerts #5308
Conversation
| <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="runtime" GeneratePathProperty="true" /> | ||
| <!-- System.Security.Cryptography.Xml is a dependency of Microsoft.Build.Tasks.Core. Therefore, we have assigned the same ExcludeAssets value. --> | ||
| <PackageReference Include="System.Security.Cryptography.Xml" ExcludeAssets="Runtime" /> | ||
| <PackageReference Include="System.Security.Cryptography.Pkcs" /> |
There was a problem hiding this comment.
No ExcludeAssets="runtime" here otherwise IlMerge fails.
There was a problem hiding this comment.
Here is the difference between current branch and dev for deps.json file.
Please note here 2 screenshots:
Left side current branch and right is dev branch.
2.
There was a problem hiding this comment.
I believe this looks OK, although I'm not sure why the ILMerge issue came up because of this change? I suppose the worst side effect is there's a change in nuget.exe payload with this package, but I hope someone else understands the cause and its implications better than I do.
Ideally, @zivkan would be the best to approve in case he knows more having recently looked at this package and CG.
Also, there's a lot of build links in the description, but those will all be lost in a short timeframe, as they expire. Consider putting whatever detail you want directly into the PR.
zivkan
left a comment
zivkan
left a comment
There was a problem hiding this comment.
I missed this in my own PR because I didn't expect CG to be "green" when there's an alert in the PR build. I see that in official builds that the component detection task is orange.
@erdembayar can you please figure out why official and PR builds behave differently (I'm sure it's related to some build variable), and fix the PR pipeline to also be orange, so we can more easily see when our PRs don't fix CG issues correctly.
src/NuGet.Core/NuGet.Build.Tasks.Console/NuGet.Build.Tasks.Console.csproj
Outdated
Show resolved
Hide resolved
zivkan
dismissed
their stale review
as per my review comments, I think this might actually cause insertion failures in the .NET SDK
|
I inquired about this, below is answer: That means we couldn't up light up orange build in private pipeline unless we classify as production, I believe we're not going to do it, because it would cause ton of other unnecessary compliance warnings. |
There was a problem hiding this comment.
@nkolev92
I added deps.json file comparison for each changes after latest change. Please review again.
|
|
||
|
|
||
| <ItemGroup Condition=" '$(IsCore)' == 'true' "> | ||
| <PackageReference Include="System.Security.Cryptography.Pkcs" ExcludeAssets="Compile"/> |
There was a problem hiding this comment.
@nkolev92
Here is the difference between current branch and dev for deps.json file.
Left side current branch and right is dev branch.
| <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="runtime" GeneratePathProperty="true" /> | ||
| <!-- System.Security.Cryptography.Xml is a dependency of Microsoft.Build.Tasks.Core. Therefore, we have assigned the same ExcludeAssets value. --> | ||
| <PackageReference Include="System.Security.Cryptography.Xml" ExcludeAssets="Runtime" /> | ||
| <PackageReference Include="System.Security.Cryptography.Pkcs" /> |
There was a problem hiding this comment.
Here is the difference between current branch and dev for deps.json file.
Please note here 2 screenshots:
Left side current branch and right is dev branch.
2.
| <PackageReference Include="Microsoft.Build.Utilities.Core" ExcludeAssets="runtime" /> | ||
| <!-- System.Security.Cryptography.Xml is a dependency of Microsoft.Build.Tasks.Core. Therefore, we have assigned the same ExcludeAssets value. --> | ||
| <PackageReference Include="System.Security.Cryptography.Xml" ExcludeAssets="runtime" /> | ||
| <PackageReference Include="System.Security.Cryptography.Pkcs" ExcludeAssets="compile" /> |
There was a problem hiding this comment.
Here is the difference between current branch and dev for deps.json file.
Left side current branch and right is dev branch.
2.
* Override vulnerable transitive dependency to fix GC alerts
…#5332) * Address component government alerts (#5308) * Override vulnerable transitive dependency to fix GC alerts * Update System.Security.Cryptography.Pkcs version (#5289) --------- Co-authored-by: Erick Yondon <[email protected]> Co-authored-by: Andy Zivkovic <[email protected]>
* Override vulnerable transitive dependency to fix GC alerts
* Override vulnerable transitive dependency to fix GC alerts
…#5332) * Address component government alerts (#5308) * Override vulnerable transitive dependency to fix GC alerts * Update System.Security.Cryptography.Pkcs version (#5289) --------- Co-authored-by: Erick Yondon <[email protected]> Co-authored-by: Andy Zivkovic <[email protected]>
Bug
Fixes: https://github.com/NuGet/Client.Engineering/issues/2372
Regression? Last working version:
Description
Recently #5289 upgraded System.Security.Cryptography.Pkcs to non-vulnerable version, still GC alert persists.
NuGet.Build.Tasks.Pack.csprojwe need to removeExcludeAssets="runtime" />because this one is doing ILmerge, without this ilmerge fails with strong name signature problem, see here.GC alert is no longer present in CI build after this fix: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=8058016&view=logs&j=cb98efd6-7062-56ef-f642-0176540bbe0a&t=f95ba3d8-e30a-5687-3fc7-3bc14bb0710b&l=2327
PR Checklist
PR has a meaningful title
PR has a linked issue.
Described changes
Tests
Documentation