The SBRP repo has component governance (CG) alerts reported for reference packages it produces that have actual CVEs. The CG alerts against the reference packages are false positives, given that the packages do not contain any implementations.
If these packages are no longer referenced, they will get removed by the periodic cleanup of unreferenced packages. It is possible, however, that references would remain. The scenario is: SBRP package A references B (with CVE). Product repos reference A but explicitly reference a newer B to lift the version to address the CVE. In this scenario B could never be "cleaned up". This would not be a security issue because B is a reference-only package.
Currently CGs in SBRP are being addressed by this process. This is a waste of resources for no benefit other than to check a box. The customizations made to "lift" references break our ability to easily regenerate the reference packages as improvements are made to the tooling - #3978.
Ideally CG would be configured in such a way as to ignore the reference packages in SBRP. It should still scan the repo's infrastructure.
Related to #3559