microsoft / azuredevopslabs

Learn how you can plan smartly, collaborate better, and ship faster with a set of modern development services with Azure DevOps.
https://www.azuredevopslabs.com
MIT License

Secure Supply Chain Analysis fails in Azure DevOps CI pipeline #685

Closed eoumenwa closed 7 months ago

eoumenwa commented 8 months ago

In Exercise 2: Initiate the CI Build and Deployment through code commit, when running the CI pipeline, I get the following NuGet error.

Starting Pipeline Configuration Security Analysis: 2023-11-06T18:14:22.8005361Z Azure Artifacts Configuration Analysis found 837 package configuration files in the repository which do not comply with Microsoft package feed security policies. The specific problems are listed above. Please visit https://aka.ms/cfs for more details. If you need additional help, email (feedprotection@microsoft.com). 2023-11-06T18:14:22.8061421Z ##[warning]Container security analysis found 1 violations. This repo has one or more docker files having references to images from external registries. Please review https://aka.ms/containers-security-guidance to remove the reference of container images from external registries. Please reach out via teams (https://aka.ms/cssc-teams) or email (cssc@microsoft.com) for any questions or clarifications.

2023-11-06T18:14:22.8088975Z ##[error]NuGet Security Analysis found 1 NuGet package configuration file in the repository which do not comply with Microsoft package feed security policies. The specific problems are listed above. Please visit https://aka.ms/nugetmultifeed for more details. If you need additional help, email (feedprotection@microsoft.com).

2023-11-06T18:14:24.2599897Z ##[section]Finishing: Secure Supply Chain Analysis (auto-injected by policy)

Is there a way to skip the security analysis check to avoid this error?

surajshenoy commented 8 months ago

Hi @eoumenwa,

Thank you for trying the lab and providing the feedback.

Looks like you have tried the "Deploying a Docker based web application to Azure App Service" lab and you are facing the issue during the CI part. Correct us if we are wrong.

The default build pipeline is configured to use an Ubuntu agent in the backend; the Ubuntu machine builds and pushes the image to Azure Container Registry, and it works, as we tried the same after you raised this concern.

Will you please let us know which agent you are using and in which specific task it is throwing the error? We need more details regarding the issue to answer.

eoumenwa commented 8 months ago

Error

The error is attached above. It fails in the Secure Supply Chain Analysis task.

I used Ubuntu latest, as you can see below.

Agent Details:

023-11-06T18:14:12.6014058Z ##[section]Starting: Docker 2023-11-06T18:14:12.8328555Z ##[section]Starting: Initialize job 2023-11-06T18:14:12.8331977Z Agent name: 'Hosted Agent' 2023-11-06T18:14:12.8332698Z Agent machine name: 'fv-az162-509' 2023-11-06T18:14:12.8333207Z Current agent version: '3.227.2' 2023-11-06T18:14:12.8373944Z ##[group]Operating System 2023-11-06T18:14:12.8374273Z Ubuntu 2023-11-06T18:14:12.8374388Z 22.04.3 2023-11-06T18:14:12.8374528Z LTS 2023-11-06T18:14:12.8374639Z ##[endgroup] 2023-11-06T18:14:12.8374806Z ##[group]Runner Image 2023-11-06T18:14:12.8375009Z Image: ubuntu-22.04 2023-11-06T18:14:12.8375215Z Version: 20231030.2.0 2023-11-06T18:14:12.8376250Z Included Software: https://github.com/actions/runner-images/blob/ubuntu22/20231030.2/images/linux/Ubuntu2204-Readme.md 2023-11-06T18:14:12.8377879Z Image Release: https://github.com/actions/runner-images/releases/tag/ubuntu22%2F20231030.2 2023-11-06T18:14:12.8378559Z ##[endgroup] 2023-11-06T18:14:12.8378721Z ##[group]Runner Image Provisioner 2023-11-06T18:14:12.8379136Z 2.0.312.1 2023-11-06T18:14:12.8379289Z ##[endgroup]

Here are the debug logs: logs_194.zip

surajshenoy commented 8 months ago

Hi @eoumenwa,

Thanks for providing the details about the issue.

We have gone through the logs; there seems to be a security analysis tool integrated in your Azure DevOps organization which is auto-injecting a couple of tasks into your pipeline.

The first task it injected into your pipeline is Secure Supply Chain Analysis, and the second one is Component Detection.

These tasks do not come as part of our lab template, and we cannot help you skip or disable them. Please reach out to your project administrator or collection administrator.

But to provide you with more information on the error: there is a policy in your organization which is restricting you from referencing images from external registries.

Supporting log: Container security analysis found 1 violations. This repo has one or more docker files having references to images from external registries
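To see locally which `FROM` lines such a container policy would flag before the auto-injected task fails the build, here is an added example scanner (not part of the lab or of Microsoft's analysis tool). The allowlist of internal registries and the sample Dockerfile are assumptions constructed for the example; build-stage aliases and `scratch` are skipped because they are not registry pulls.

```python
"""Scan Dockerfile text for base images pulled from registries outside an allowlist."""
import re
from fnmatch import fnmatch

# Assumed allowlist of "internal" registries (example values, not from the lab or policy).
ALLOWED_REGISTRIES = ["*.azurecr.io", "mcr.microsoft.com", "localhost"]

# Matches: FROM [--platform=...] <image> [AS <alias>]
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def registry_of(image: str) -> str:
    """Return the registry host an image reference resolves to.

    Docker treats the first path component as a registry only when it contains
    a '.' or ':' or is 'localhost'; otherwise the pull goes to Docker Hub.
    """
    first = image.split("/", 1)[0]
    if "/" in image and ("." in first or ":" in first or first == "localhost"):
        return first.rsplit(":", 1)[0]  # drop an explicit port such as localhost:5000
    return "docker.io"


def external_images(dockerfile_text: str) -> list[str]:
    """Return image references whose registry is not on ALLOWED_REGISTRIES."""
    stages: set[str] = set()
    flagged = []
    for line in dockerfile_text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if alias:
            stages.add(alias.lower())
        if image.lower() in stages or image.lower() == "scratch":
            continue  # earlier build stage or the empty base image, not a registry pull
        if not any(fnmatch(registry_of(image), pat) for pat in ALLOWED_REGISTRIES):
            flagged.append(image)
    return flagged


# Constructed sample Dockerfile, not the lab's.
SAMPLE_DOCKERFILE = """\
FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:6.0 AS build
FROM build AS test
FROM myacr.azurecr.io/base/runtime:6.0
FROM nginx:1.25
FROM localhost:5000/cache/tool
FROM ghcr.io/org/tool:latest
FROM scratch
"""

if __name__ == "__main__":
    for ref in external_images(SAMPLE_DOCKERFILE):
        print(f"external registry reference: {ref} ({registry_of(ref)})")
```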

eoumenwa commented 8 months ago

Thank you @surajshenoy,

I have seen the policy that may be responsible for injecting this task in my organization. I will toggle it off and try again. This issue can be closed.