Closed wtgodbe closed 4 years ago
Are you sure the vulnerability warnings are in any way related to the inability to parse the lock file?
Hmm, actually maybe not - I thought the number of 'lock.json' errors corresponded to the number of Component Governance errors, but looks like that's not the case. I'll separate the 2 out.
@mkArtakMSFT one complete warning text is
##[warning]Could not parse Jtokens from F:\workspace\_work\1\s\artifacts\tmp\Release\ContainerSigning\2369\content\Angular-CSharp\ClientApp\package-lock.json file.
[VERBOSE] Could not read component details from file F:\workspace\_work\1\s\artifacts\tmp\Release\ContainerSigning\2369\content\Angular-CSharp\ClientApp\package-lock.json
[INFO] LogFailedReadingFile logged InvalidPackageJsonException: There must be a package.json file at 'F:\workspace\_work\1\s\artifacts\tmp\Release\ContainerSigning\2369\content\Angular-CSharp\ClientApp\package-lock.json' for components to be registered
Questions:
@dougbu, answering your questions here:
artifacts/tmp/
? We should just chat about this instead. Please put something on my calendar to go over this together.
@mkArtakMSFT we want to keep the set of bits we ship stable and deterministic over time with what we've verified. Otherwise we run the risk of an updated version silently installing after we've shipped and that causing issues.
Thanks, yes, I remember now! Exactly this!
@dougbu, because of this, if ignoring the artifacts/tmp is the way to avoid this error, given that we won't add package.json instead of the package-lock.json, we should do it.
artifacts/tmp is the folder on the CI where $env:Temp points. Removing it from the governance check shouldn't break anything because the package-lock.json file in the src/ directory should already have been checked.
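An added example, not code from this issue, from the aspnetcore repo, or from the Component Governance task: a small pre-flight check that walks a tree, reports every package-lock.json that has no sibling package.json (the condition behind the "There must be a package.json file at ..." warning quoted above), skips excluded folders such as artifacts/tmp, and lists the pinned components a scanner would otherwise register from a lock file. The sample tree, the dependency names, the lockfile-version handling and the helper names are constructed for illustration.

```python
import json
import os
import tempfile
from pathlib import Path


def find_orphaned_lockfiles(root, exclude=()):
    """Return package-lock.json paths (relative to root, POSIX style) that have
    no package.json beside them. `exclude` lists directories relative to root
    (e.g. "artifacts/tmp") whose subtrees are skipped, like a scan exclusion.
    Hypothetical helper, not part of any real scanner."""
    root = Path(root)
    excluded = {root / e for e in exclude}
    orphaned = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        # Prune excluded subtrees before os.walk descends into them.
        dirnames[:] = [d for d in dirnames if (here / d) not in excluded]
        if "package-lock.json" in filenames and "package.json" not in filenames:
            orphaned.append((here / "package-lock.json").relative_to(root).as_posix())
    return sorted(orphaned)


def lockfile_components(lock_path):
    """Return sorted (name, version) pairs pinned in a package-lock.json.
    Handles lockfileVersion 1 ("dependencies", nested) and 2/3 ("packages",
    flat map keyed by node_modules path). Assumed format, see npm docs."""
    with open(lock_path, encoding="utf-8") as f:
        lock = json.load(f)
    comps = set()
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            comps.add((name, meta.get("version", "")))
    else:
        def walk(deps):
            for name, meta in deps.items():
                comps.add((name, meta.get("version", "")))
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return sorted(comps)


def build_sample_tree():
    """Constructed sample tree (not the real CI layout): src/ClientApp holds
    both files; artifacts/tmp/.../ClientApp holds only the lock file, which is
    the shape that triggered the warning in the thread."""
    root = Path(tempfile.mkdtemp())
    lock = {
        "name": "clientapp",
        "lockfileVersion": 1,
        "dependencies": {
            "left-pad": {"version": "1.3.0"},
            "minimist": {"version": "1.2.5",
                         "dependencies": {"x": {"version": "0.1.0"}}},
        },
    }
    good = root / "src" / "ClientApp"
    good.mkdir(parents=True)
    (good / "package.json").write_text(json.dumps({"name": "clientapp"}))
    (good / "package-lock.json").write_text(json.dumps(lock))
    tmp = root / "artifacts" / "tmp" / "Release" / "ClientApp"
    tmp.mkdir(parents=True)
    (tmp / "package-lock.json").write_text(json.dumps(lock))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print("orphaned (no exclusion):", find_orphaned_lockfiles(root))
    print("orphaned (artifacts/tmp excluded):",
          find_orphaned_lockfiles(root, exclude=["artifacts/tmp"]))
    print("components in src copy:",
          lockfile_components(root / "src" / "ClientApp" / "package-lock.json"))
```

Running the check with the exclusion applied reports nothing, while the unexcluded run flags only the copy under artifacts/tmp; the src copy still contributes its pinned components, which is why excluding the temp folder loses no coverage.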
@wtgodbe where's the document describing how to add exclusions to the component governance checks?
@dougbu it's an internal doc, I just sent you the .pdf on teams
FYI the component governance task was auto-injected into all of our build jobs, including Code Check and the Test jobs. I think I changed the policy appropriately but haven't noticed a change yet. 🤞
This is going to take more time because the component detection build task's support for excluding folders from the search seems to be broken. I'm going to test scanning our src/, artifacts/bin, artifacts/installers, artifacts/obj, and artifacts/packages folders. Will leave out bin/ and obj/ if they cause any noise.
eb33b9657bac
Part of https://github.com/dotnet/aspnetcore/issues/22240
Happens during component detection. Whole warning text: