Scope SBoM and Component Governance scans to non-C++ source directories#195
Omotola wants to merge 2 commits into
3446a1c to 0a59019
The auto-injected `Generate SBoM Manifest` and `Component Governance` steps both run an internal `CppSdkDetector` that, whenever it sees any `*.c`/`*.cpp`/`*.cxx`/`*.vcxproj` file in its scan root, enumerates *every* MSVC toolset installed side-by-side on the build agent (`C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\*`) and registers each one as a CG component. Because the build agent carries multiple SxS toolsets that CMake does not actually link with, this produced false-positive CG alerts (e.g. MVS-2026-qx3q-rvv6 against `VC-Tools-MSVC 14.34.31933`, a toolset CMake never uses).

Scope each scan to a sub-tree that contains no C/C++ source so the detector never triggers:

* SBoM step (per arch job): set `templateContext.sdl.sbom.BuildComponentPath: $(ArchiveDir)` and the matching `outputs[].sbomBuildDropPath: $(ArchiveDir)`. The archive directory only holds the built CMake binaries and their resources.
* Component Governance step (pipeline-wide): set the auto-injected task's `ComponentDetection.SourcePath` variable to `$(Build.SourcesDirectory)/VSInsertion`. That directory contains the legitimate CG inputs (cgmanifest.json, packages.config) but no C/C++/.vcxproj files.

The legitimate detectors (`CgManifest`, `NuGetPackagesConfig`) still fire and the produced SBoM is unaffected. Verified across x64/arm64/x86: `CppSdk` reports `0 | 0` in both steps, the `Scanning MSVC toolsets` / `Found MSVC toolset` log lines are gone, and `TotalNumberOfPackages` dropped from 9 to the 3 real packages.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pin CommitHash to the SBoM/CG scope-fix commit so CG records the correct registered state of the CMake repo for this branch. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
0a59019 to c93b28d
Fixes false-positive CG alert MVS-2026-qx3q-rvv6 flagging `VC-Tools-MSVC 14.34.31933` against `MicrosoftCMake_cmake-daemon`. CMake does not link with that toolset; it was registered because the auto-injected `CppSdkDetector` enumerates every MSVC SxS install on the build agent whenever it spots any `*.c`/`*.cpp`/`*.cxx`/`*.vcxproj` in its scan root.

Fix — point both scans at directories that contain no C/C++ source:

* SBoM: `templateContext.sdl.sbom.BuildComponentPath: $(ArchiveDir)` + per-output `sbomBuildDropPath: $(ArchiveDir)` in `Job_x64`, `Job_arm64`, `Job_x86`
* Component Governance: `ComponentDetection.SourcePath: $(Build.SourcesDirectory)/VSInsertion` in `variables:`

`$(ArchiveDir)` only holds the built CMake binaries. `VSInsertion/` holds the legitimate CG inputs (`cgmanifest.json`, `Signing/packages.config`) and zero C/C++/.vcxproj files, so `CgManifest` and `NuGetPackagesConfig` continue to fire while `CppSdk` reports `0 | 0`. `Job_Final` is unchanged (its `Symbols` output already scopes `sbomBuildDropPath`).

Verified on build 14278416 across x64/arm64/x86:

* SBoM step: `BuildComponentPath = D:\a\_work\1\a\archive`, `CppSdk (Beta) = 0 | 0`, `TotalNumberOfPackages = 3` (was 9 — 6 false-positive MSVC toolsets dropped).
* CG step: `--SourceDirectory D:\a\_work\1\s\VSInsertion`, `CppSdk = 0 | 0`.
* No `Scanning MSVC toolsets…` / `Found MSVC toolset…` lines in any of the 6 logs.
* `CgManifest = 1 | 1` and `NuGetPackagesConfig = 1 | 1` preserved in both steps.

Files changed (15 net lines):

* `VSInsertion/Pipelines/build.yml`
* `VSInsertion/Packaging/cgmanifest.json` (CommitHash bumped to fix commit)

Work item: AB#2992623

CG alert: MVS-2026-qx3q-rvv6 (alertId 13858911, repo id 113867)
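The fix above relies on the new scan roots staying free of `*.c`/`*.cpp`/`*.cxx`/`*.vcxproj` files; if someone later drops a C++ file into `VSInsertion/` or the archive directory, the `CppSdkDetector` will start enumerating toolsets again. The following pre-flight check is an added example and not part of this PR or the CMake repo: it walks each candidate scan root and reports any file whose extension would trigger the detector. The directory layout it builds (`s/Source`, `s/VSInsertion`, `a/archive`) is a constructed miniature of the agent's work tree, and the trigger-extension list is the one stated in the PR.

```python
"""Pre-flight check that a CG / SBoM scan root contains no CppSdkDetector
triggers (added example; not the PR's own code).

The detector fires on any *.c / *.cpp / *.cxx / *.vcxproj file under its scan
root, so the check simply walks the tree and lists such files. An empty list
means the root is safe to use as BuildComponentPath / ComponentDetection.SourcePath.
The sample tree is constructed in a temporary directory so the script runs offline.
"""
import tempfile
from pathlib import Path

# Extensions the PR lists as CppSdkDetector triggers.
CPP_TRIGGER_SUFFIXES = {".c", ".cpp", ".cxx", ".vcxproj"}


def find_cpp_triggers(scan_root):
    """Return sorted, POSIX-style relative paths of every file under
    scan_root whose suffix would trigger the CppSdkDetector."""
    root = Path(scan_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in CPP_TRIGGER_SUFFIXES:
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def check_scan_roots(roots):
    """Map each candidate scan root (label -> path) to its list of trigger files."""
    return {label: find_cpp_triggers(path) for label, path in roots.items()}


def build_sample_tree(base):
    """Construct a hypothetical miniature of the agent work tree (demo data only)."""
    base = Path(base)
    files = {
        "s/Source/cmake.cxx": "// C++ source: would trigger the detector\n",
        "s/Source/cmake.vcxproj": "<Project/>\n",
        "s/VSInsertion/Packaging/cgmanifest.json": "{}\n",
        "s/VSInsertion/Signing/packages.config": "<packages/>\n",
        "a/archive/bin/cmake.exe": "",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    # Labels are illustrative: the repo root stands in for the detector's
    # default scope, the other two are the roots the PR points the scans at.
    return {
        "repo root (default scope)": base / "s",
        "ArchiveDir (SBoM scope)": base / "a" / "archive",
        "VSInsertion (CG scope)": base / "s" / "VSInsertion",
    }


def demo():
    """Build the sample tree and return the check result for each root."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = build_sample_tree(tmp)
        return check_scan_roots(roots)


if __name__ == "__main__":
    for label, hits in demo().items():
        status = "SAFE" if not hits else f"TRIGGERS CppSdk: {hits}"
        print(f"{label}: {status}")
```

Run it against the real checkout (for example `find_cpp_triggers(r"D:\a\_work\1\s\VSInsertion")`) as a pipeline step before the auto-injected scans, and fail the build when the list is non-empty; that turns the assumption behind the fix into an enforced invariant rather than something that silently regresses.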