Azure / azure-sdk-for-cpp

This repository is for active development of the Azure SDK for C++. For consumers of the SDK we recommend visiting our versioned developer docs at https://azure.github.io/azure-sdk-for-cpp.
MIT License

Secure Supply Chain Analysis fails in Azure DevOps CI pipeline #5117

Open eoumenwa opened 1 year ago

eoumenwa commented 1 year ago

How can I skip the check to avoid this error?

Starting Pipeline Configuration Security Analysis:

2023-11-06T18:14:22.8005361Z Azure Artifacts Configuration Analysis found 837 package configuration files in the repository which do not comply with Microsoft package feed security policies. The specific problems are listed above. Please visit https://aka.ms/cfs for more details. If you need additional help, email (feedprotection@microsoft.com).

2023-11-06T18:14:22.8061421Z ##[warning]Container security analysis found 1 violations. This repo has one or more docker files having references to images from external registries. Please review https://aka.ms/containers-security-guidance to remove the reference of container images from external registries. Please reach out via teams (https://aka.ms/cssc-teams) or email (cssc@microsoft.com) for any questions or clarifications.

2023-11-06T18:14:22.8088975Z ##[error]NuGet Security Analysis found 1 NuGet package configuration file in the repository which do not comply with Microsoft package feed security policies. The specific problems are listed above. Please visit https://aka.ms/nugetmultifeed for more details. If you need additional help, email (feedprotection@microsoft.com).

2023-11-06T18:14:24.2599897Z ##[section]Finishing: Secure Supply Chain Analysis (auto-injected by policy)
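The three findings in the log above come from a policy-injected task, so the fastest way to find out which files trigger them is to reproduce the checks locally before pushing. The script below is an added example (not part of azure-sdk-for-cpp and not Microsoft's analysis tooling); it makes two assumptions that the page does not state: that the NuGet check flags a nuget.config with more than one package source or without a leading `<clear/>` (the dependency-confusion pattern the aka.ms/nugetmultifeed link name points at), and that the container check flags `FROM` lines whose image is not pulled from an allow-listed registry (here `mcr.microsoft.com` and `*.azurecr.io`, an assumed list). The sample nuget.config contents and Dockerfile are constructed for the example.

```python
"""Local pre-check for the NuGet multi-feed and external-registry findings.

Added example; the policy details below are assumptions, not the published rules.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

ALLOWED_REGISTRIES = ("mcr.microsoft.com",)      # assumed allow-list
ALLOWED_REGISTRY_SUFFIXES = (".azurecr.io",)      # assumed: your own ACR instances


def nuget_config_findings(xml_text: str) -> list:
    """Return policy problems for one nuget.config (empty list = compliant)."""
    findings = []
    root = ET.fromstring(xml_text)
    sources = root.find("packageSources")
    if sources is None:
        return ["no <packageSources> element"]
    children = list(sources)
    # Without <clear/> first, feeds from machine/user-level configs still apply.
    if not children or children[0].tag != "clear":
        findings.append("first child of <packageSources> is not <clear/>")
    adds = [c for c in children if c.tag == "add"]
    if len(adds) != 1:
        findings.append(f"{len(adds)} package sources declared, expected exactly 1")
    for a in adds:
        if a.get("value", "").startswith("http://"):
            findings.append(f"source {a.get('key')} uses plain http")
    return findings


def image_registry(image_ref: str) -> str:
    """Registry host of a Docker image reference; docker.io when implicit."""
    first = image_ref.split("/")[0]
    # Docker treats the first path component as a registry only if it looks
    # like a host: contains '.' or ':' or is 'localhost'.
    if "/" in image_ref and ("." in first or ":" in first or first == "localhost"):
        return first.split(":")[0]
    return "docker.io"


def dockerfile_findings(text: str) -> list:
    """Flag FROM lines that pull from a registry outside the allow-list."""
    findings = []
    stages = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.upper().startswith("FROM"):
            continue
        args = [t for t in line.split()[1:] if not t.startswith("--")]  # drop --platform
        image = args[0]
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2])
        if image in stages or image == "scratch":
            continue  # reference to an earlier build stage, or the empty base image
        reg = image_registry(image)
        if reg in ALLOWED_REGISTRIES or reg.endswith(ALLOWED_REGISTRY_SUFFIXES):
            continue
        findings.append(f"line {lineno}: {image} is pulled from external registry {reg}")
    return findings


def scan_repo(root: Path) -> dict:
    """Walk a checkout and map each offending file to its findings."""
    report = {}
    for p in root.rglob("*"):
        if p.name.lower() == "nuget.config":
            f = nuget_config_findings(p.read_text(encoding="utf-8"))
        elif p.name == "Dockerfile" or p.suffix == ".dockerfile":
            f = dockerfile_findings(p.read_text(encoding="utf-8"))
        else:
            continue
        if f:
            report[str(p)] = f
    return report


# Constructed samples for the example.
BAD_NUGET = """<configuration>
  <packageSources>
    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
    <add key="internal" value="https://pkgs.dev.azure.com/contoso/_packaging/feed/nuget/v3/index.json" />
  </packageSources>
</configuration>"""

GOOD_NUGET = """<configuration>
  <packageSources>
    <clear />
    <add key="internal" value="https://pkgs.dev.azure.com/contoso/_packaging/feed/nuget/v3/index.json" />
  </packageSources>
</configuration>"""

BAD_DOCKERFILE = """FROM ubuntu:22.04 AS build
RUN apt-get update
FROM build AS test
FROM mcr.microsoft.com/dotnet/aspnet:8.0
COPY --from=build /out /app
"""

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    if target:
        for path, problems in scan_repo(target).items():
            print(path, *problems, sep="\n  ")
    else:
        print("bad nuget.config:", nuget_config_findings(BAD_NUGET))
        print("good nuget.config:", nuget_config_findings(GOOD_NUGET))
        print("Dockerfile:", dockerfile_findings(BAD_DOCKERFILE))
```

Run it with the path to a checkout to get a per-file list; without arguments it runs on the constructed samples. The "good" nuget.config clears inherited sources and points at a single Azure Artifacts feed with upstream sources configured there, which is the shape the multi-feed guidance steers toward.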

LarryOsterman commented 1 year ago

QQ: Does the CI pipeline fail for you, or is it just a warning?

Also: Could you please include a link to the failing pipeline? The only failing pipeline in the public repo that I see is the keyvault pipeline and that is failing for an unrelated error.

eoumenwa commented 1 year ago

It fails. Here is the link:

https://dev.azure.com/eumenwa/DockerWebApp/_build/results?buildId=194&view=logs&j=fd490c07-0b22-5182-fac9-6d67fe1e939b&t=304a745d-52db-57c4-6ad1-5ecd8595ddc2&l=956


LarryOsterman commented 1 year ago

I don't have access to that pipeline :(. But from the URL, it doesn't appear to be an Azure SDK for C++ pipeline.

Could you help us understand why you believe that this is an Azure SDK for C++ issue? (Note: there is at least one Dockerfile in the Azure SDK for C++ repo that might trigger this, but that Dockerfile has been annotated to mute the error.)