From f896ca2ca61f482526e25ea092b11eadaa682c68 Mon Sep 17 00:00:00 2001 From: "dotnet-maestro[bot]" <42748379+dotnet-maestro[bot]@users.noreply.github.com> Date: Fri, 17 Jan 2025 09:43:31 -0600 Subject: [PATCH 1/4] Update dependencies from https://github.com/dotnet/arcade build 20250110.1 (#1120) Microsoft.DotNet.Arcade.Sdk From Version 8.0.0-beta.24623.2 -> To Version 8.0.0-beta.25060.1 Co-authored-by: dotnet-maestro[bot] --- eng/Version.Details.xml | 4 ++-- eng/common/templates-official/job/publish-build-assets.yml | 2 +- eng/common/templates-official/post-build/common-variables.yml | 2 +- eng/common/templates/job/job.yml | 2 +- global.json | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/eng/Version.Details.xml b/eng/Version.Details.xml index c963a7433a..a49be351e5 100644 --- a/eng/Version.Details.xml +++ b/eng/Version.Details.xml @@ -11,9 +11,9 @@ 30ed464acd37779c64e9dc652d4460543ebf9966 - + https://github.com/dotnet/arcade - 278b1dda181ab18a9fbed73da998e50d128eae21 + c255aae7f2b128fa20a4441f0e192c3c53561621 diff --git a/eng/common/templates-official/job/publish-build-assets.yml b/eng/common/templates-official/job/publish-build-assets.yml index 0117328800..b2ccd9df68 100644 --- a/eng/common/templates-official/job/publish-build-assets.yml +++ b/eng/common/templates-official/job/publish-build-assets.yml @@ -86,7 +86,7 @@ jobs: arguments: > -task PublishBuildAssets -restore -msbuildEngine dotnet /p:ManifestsPath='$(Build.StagingDirectory)/Download/AssetManifests' - /p:MaestroApiEndpoint=https://maestro-prod.westus2.cloudapp.azure.com + /p:MaestroApiEndpoint=https://maestro.dot.net /p:PublishUsingPipelines=${{ parameters.publishUsingPipelines }} /p:OfficialBuildId=$(Build.BuildNumber) condition: ${{ parameters.condition }} diff --git a/eng/common/templates-official/post-build/common-variables.yml b/eng/common/templates-official/post-build/common-variables.yml index c24193acfc..173914f236 100644 
--- a/eng/common/templates-official/post-build/common-variables.yml +++ b/eng/common/templates-official/post-build/common-variables.yml @@ -7,7 +7,7 @@ variables: # Default Maestro++ API Endpoint and API Version - name: MaestroApiEndPoint - value: "https://maestro-prod.westus2.cloudapp.azure.com" + value: "https://maestro.dot.net" - name: MaestroApiAccessToken value: $(MaestroAccessToken) - name: MaestroApiVersion diff --git a/eng/common/templates/job/job.yml b/eng/common/templates/job/job.yml index 8ec5c4f2d9..e295031c09 100644 --- a/eng/common/templates/job/job.yml +++ b/eng/common/templates/job/job.yml @@ -128,7 +128,7 @@ jobs: - ${{ if and(eq(parameters.runAsPublic, 'false'), ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}: - ${{ if eq(parameters.enableMicrobuild, 'true') }}: - - task: MicroBuildSigningPlugin@3 + - task: MicroBuildSigningPlugin@4 displayName: Install MicroBuild plugin inputs: signType: $(_SignType) diff --git a/global.json b/global.json index c52f19f423..5b941cbdaf 100644 --- a/global.json +++ b/global.json @@ -3,7 +3,7 @@ "dotnet": "8.0.110" }, "msbuild-sdks": { - "Microsoft.DotNet.Arcade.Sdk": "8.0.0-beta.24623.2", + "Microsoft.DotNet.Arcade.Sdk": "8.0.0-beta.25060.1", "Microsoft.Build.NoTargets": "3.7.0" } } From 1dd9567ef4d740f9f2488e7e3579d68906f791c6 Mon Sep 17 00:00:00 2001 From: Michael Simons Date: Tue, 28 Jan 2025 14:02:23 -0600 Subject: [PATCH 2/4] Exclude reference packages from CG (#1134) (#1136) --- README.md | 10 +++------- azure-pipelines/builds/ci.yml | 6 ++++++ 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index e7d2a654ad..2dd36df9c7 100644 --- a/README.md +++ b/README.md 
@@ -80,13 +80,9 @@ targeting pack is needed, please [open a new issue](#filing-issues) to discuss. ## Vulnerable Packages -CVEs may exist for reference packages included in this repo. If they are mitigated by a newer version, the newer version should be added, the vulnerable version should be removed, and references to the vulnerable package within other reference -packages should be upgraded. A comment should be added to indicate when packages were manually upgraded. - -``` xml - - -``` +CVEs may exist for reference packages included in this repo. Because the packages do not contain any +implementation, they do not pose a security risk. CG is configured in this repo to ignore the reference +packages. If product repos migrate off these vulnerable packages, they can be [removed](#cleanup). ## Filing Issues diff --git a/azure-pipelines/builds/ci.yml b/azure-pipelines/builds/ci.yml index 0f527e759b..654ace93eb 100644 --- a/azure-pipelines/builds/ci.yml +++ b/azure-pipelines/builds/ci.yml @@ -25,6 +25,12 @@ extends: template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate parameters: sdl: + componentgovernance: + # All of the SBRPs must be ignored because it is possible some of them are for vulnerable versions. + # Because they are reference only packages they are not vulnerable themselves. + ignoreDirectories: | + artifacts/sb, + src/referencePackages sourceAnalysisPool: name: $(DncEngInternalBuildPool) image: 1es-windows-2022 From 3778045dad8e55b4dddf09ecaf12571ffeec2101 Mon Sep 17 00:00:00 2001 From: Michael Simons Date: Fri, 31 Jan 2025 13:10:01 -0600 Subject: [PATCH 3/4] Backport test fixes from main (#1145) --- azure-pipelines/builds/ci.yml | 2 +- .../GenerateScriptTests.cs | 38 ++++++++++++++----- 2 files changed, 29 insertions(+), 11 deletions(-) diff --git a/azure-pipelines/builds/ci.yml b/azure-pipelines/builds/ci.yml index 654ace93eb..896fef904f 100644 --- a/azure-pipelines/builds/ci.yml +++ b/azure-pipelines/builds/ci.yml 
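Review bot: The `ignoreDirectories` value added under `sdl.componentgovernance` in azure-pipelines/builds/ci.yml switches off Component Governance for two whole trees, but the comment above it only justifies skipping reference-only packages. `artifacts/sb` is a build output path, so anything else that lands there would go unscanned as well; I would state the invariant next to the list, e.g. `# Only reference-only packages may live under these paths; anything carrying implementation must stay visible to CG.`, and keep the list as narrow as the repo layout allows. It is also worth confirming in a pipeline run that the task accepts a `|` block scalar with a comma and a newline between entries, since nothing in the hunk shows the directories are actually matched. PATCH 3/4 edits the same list (to `artifacts/source-build/self`) and the same points apply there; PATCH 4/4 is titled as a fix for this setting, but its diff is not visible here.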
@@ -29,7 +29,7 @@ extends: # All of the SBRPs must be ignored because it is possible some of them are for vulnerable versions. # Because they are reference only packages they are not vulnerable themselves. ignoreDirectories: | - artifacts/sb, + artifacts/source-build/self, src/referencePackages sourceAnalysisPool: name: $(DncEngInternalBuildPool) diff --git a/tests/GenerateScriptTests/GenerateScriptTests.cs b/tests/GenerateScriptTests/GenerateScriptTests.cs index 1ddda8b4f4..bb5c4b28e6 100755 --- a/tests/GenerateScriptTests/GenerateScriptTests.cs +++ b/tests/GenerateScriptTests/GenerateScriptTests.cs @@ -3,6 +3,7 @@ using System; using System.Collections.Generic; +using System.Diagnostics; using System.IO; using System.Runtime.InteropServices; using Xunit; 
@@ -20,20 +21,20 @@ public enum PackageType public static IEnumerable Data => new List { - new object[] { "System.Xml.ReaderWriter", "4.0.11", PackageType.Reference }, + new object[] { "System.Xml.ReaderWriter", "4.3.0", PackageType.Reference }, new object[] { "Microsoft.Extensions.Logging.Abstractions", "7.0.1", PackageType.Reference }, new object[] { "Microsoft.CodeAnalysis.CSharp", "3.11.0", PackageType.Reference }, - new object[] { "System.Security.Cryptography.Pkcs", "7.0.2", PackageType.Reference }, + new object[] { "System.Security.Cryptography.Encoding", "4.3.0", PackageType.Reference }, new object[] { "Microsoft.Build.NoTargets", "3.7.0", PackageType.Text }, }; public string SandboxDirectory { get; set; } public string RepoRoot { get; set; } - public ITestOutputHelper output { get; set; } + public ITestOutputHelper Output { get; set; } public GenerateScriptTests(ITestOutputHelper output) { - this.output = output; + Output = output; RepoRoot = Environment.CurrentDirectory.Substring(0, Environment.CurrentDirectory.IndexOf("artifacts")); SandboxDirectory = Path.Combine(Environment.CurrentDirectory, $"GenerateTests-{DateTimeOffset.UtcNow.ToUnixTimeSeconds().ToString()}"); Directory.CreateDirectory(SandboxDirectory); 
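Review bot: `RepoRoot` in the constructor is cut at `Environment.CurrentDirectory.IndexOf("artifacts")` with no check of the result. If the tests run from a directory without that segment, `IndexOf` returns -1 and `Substring` throws; if the checkout path contains "artifacts" earlier, the derived root is wrong, and that root is where `generate.cmd`/`generate.sh` is later resolved and executed. A guard keeps the failure readable: `int i = Environment.CurrentDirectory.IndexOf("artifacts", StringComparison.Ordinal); Assert.True(i > 0, "tests must run from under the artifacts directory");`. Since this hunk already renames `output` to `Output`, the three properties could also lose their public setters, as only the constructor assigns them as far as the hunk shows. The class continues outside the hunk.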
@@ -45,21 +46,38 @@ public void VerifyGenerateScript(string package, string version, PackageType typ { string command = Path.Combine(RepoRoot, RuntimeInformation.IsOSPlatform(OSPlatform.Windows) ? "generate.cmd" : "generate.sh"); string arguments = $"-p {package},{version} -x -d {SandboxDirectory}"; - string packageSrcDirectory = string.Empty; - string sandboxPackageGeneratedDirecotry = Path.Combine(SandboxDirectory, package.ToLower(), version); + string pkgSrcDirectory; + string pkgSandboxDirectory = Path.Combine(SandboxDirectory, package.ToLower(), version); switch (type) { case PackageType.Reference: - packageSrcDirectory = Path.Combine(RepoRoot, "src", "referencePackages", "src", package.ToLower(), version); + pkgSrcDirectory = Path.Combine(RepoRoot, "src", "referencePackages", "src", package.ToLower(), version); break; case PackageType.Text: arguments += " -t text"; - packageSrcDirectory = Path.Combine(RepoRoot, "src", "textOnlyPackages", "src", package.ToLower(), version); + pkgSrcDirectory = Path.Combine(RepoRoot, "src", "textOnlyPackages", "src", package.ToLower(), version); break; + default: + throw new ArgumentException($"Unknown package type '{type}'"); } - ExecuteHelper.ExecuteProcess(command, arguments, output); - Assert.Empty(ExecuteHelper.ExecuteProcess("git", $"diff --no-index {packageSrcDirectory} {sandboxPackageGeneratedDirecotry}", output, true).StdOut); + Assert.True(Directory.Exists(pkgSrcDirectory), $"Source directory '{pkgSrcDirectory}' does not exist."); + + ExecuteHelper.ExecuteProcessValidateExitCode(command, arguments, Output); + + (Process Process, string StdOut, string StdErr) result = + ExecuteHelper.ExecuteProcess("git", $"diff --no-index {pkgSrcDirectory} {pkgSandboxDirectory}", Output, true); + + string diff = result.StdOut; + if (diff != string.Empty) + { + Assert.Fail($"Regenerated package '{package}, {version}' does not match the checked-in content. 
{Environment.NewLine}" + + $"{diff}{Environment.NewLine}"); + } + else if (result.Process.ExitCode != 0) + { + Assert.Fail($"Unexpected git diff failure on '{package}, {version}'. {Environment.NewLine}{result.StdErr}{Environment.NewLine}"); + } } } From d73fc552386797322e84fa9b2ef5eaa5369de83c Mon Sep 17 00:00:00 2001 From: Michael Simons Date: Fri, 31 Jan 2025 13:18:58 -0600 Subject: [PATCH 4/4] Fix wrong componentGovernance ignoreDirectories (#1146)
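Review bot: The two paths in the `git diff --no-index {pkgSrcDirectory} {pkgSandboxDirectory}` argument string are interpolated unquoted, and so is `-d {SandboxDirectory}` at the top of the method. Assuming `ExecuteHelper` passes the string through as the process argument line, a repo root or sandbox path containing a space splits into extra arguments, so the comparison fails or runs against the wrong paths. Quote them: `ExecuteHelper.ExecuteProcess("git", $"diff --no-index \"{pkgSrcDirectory}\" \"{pkgSandboxDirectory}\"", Output, true);`. A short comment above the `if` would also help, along the lines of `// git diff --no-index exits 1 when the trees differ, so stdout is checked before the exit code`. The method's signature and attributes sit above the hunk.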