dotnet / fsharp

The F# compiler, F# core library, F# language service, and F# tooling integration for Visual Studio
https://dotnet.microsoft.com/languages/fsharp
MIT License

Move to 1ES SBOM from the one we use in Arcade #17265

Closed vzarytovskii closed 3 weeks ago

vzarytovskii commented 1 month ago

We need to disable arcade's SBOM generation and use 1ES one in VSIX, otherwise our insertions might be blocked by the end of June there's no deadline as for now.

We might need to see how Roslyn does that, I presume @jjonescz might've done it for Roslyn?

jjonescz commented 1 month ago

> We need to disable arcade's SBOM generation and use 1ES one in six, otherwise our insertions might be blocked by the end of June.

Interesting, I didn't know that. What does "in six" mean in this sentence?

> I presume @jjonescz might've done it for Roslyn?

No, we currently use arcade's SBOM generation and have the 1ES one disabled. But I will take a look.

T-Gro commented 1 month ago

Probably was meant to be "vsix"?

vzarytovskii commented 1 month ago

Yeah, it's VSIX, fat-fingered six. I, for some reason, was under the impression that you also moved to it. We as well use arcade's one for now.

vzarytovskii commented 1 month ago

> No, we currently use arcade's SBOM generation and have the 1ES one disabled. But I will take a look.

Yeah, same. We use arcade's one, and 1es is disabled for us.

jjonescz commented 3 weeks ago

Is this really fixed? You still have 1ES SBOM generation disabled:

https://github.com/dotnet/fsharp/blob/a4666e226f6f37c29128b37361175a52bf09c282/azure-pipelines.yml#L73-L75

vzarytovskii commented 3 weeks ago

No, it got fixed (our sbom check was failing), but it's not yet moved to 1ES from Arcade, I will keep this one open.

vzarytovskii commented 3 weeks ago

https://vsdrop.corp.microsoft.com/file/v1/Products/internal/dotnet-fsharp/dev17.11/20240605.1;Microsoft.FSharp.vsman manifest seems to be correct though for the latest insertion.

psfinaki commented 3 weeks ago

The latest insertion was all green: https://dev.azure.com/devdiv/DevDiv/_git/VS/pullrequest/556072 I am keeping an eye on insertions, we didn't get new ones since then, but things look hopeful.

vzarytovskii commented 3 weeks ago

> The latest insertion was all green: https://dev.azure.com/devdiv/DevDiv/_git/VS/pullrequest/556072 I am keeping an eye on insertions, we didn't get new ones since then, but things look hopeful.

It being green might not be enough, steps need to actually check manifests, and they (manifests) have to actually have all the sbom json files in place.

KevinRansom commented 3 weeks ago

This is fixed, our build works correctly again. And we don't really need to move away from arcade. The vscore guy I spoke to said "It probably does a better job than ours" which amused me.