From 544cf1c1a98f448372eb0581bee28df2faa09e16 Mon Sep 17 00:00:00 2001 From: Omotola Akeredolu Date: Wed, 3 Jun 2026 17:37:05 -0700 Subject: [PATCH 1/2] Scope SBoM and Component Governance scans to non-C++ source directories The auto-injected `Generate SBoM Manifest` and `Component Governance` steps both run an internal `CppSdkDetector` that, whenever it sees any `*.c`/`*.cpp`/`*.cxx`/`*.vcxproj` file in its scan root, enumerates *every* MSVC toolset installed side-by-side on the build agent (`C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Tools\MSVC\*`) and registers each one as a CG component. Because the build agent carries multiple SxS toolsets that CMake does not actually link with, this produced false-positive CG alerts (e.g. MVS-2026-qx3q-rvv6 against `VC-Tools-MSVC 14.34.31933`, a toolset CMake never uses). Scope each scan to a sub-tree that contains no C/C++ source so the detector never triggers: * SBoM step (per arch job): set `templateContext.sdl.sbom.BuildComponentPath: $(ArchiveDir)` and the matching `outputs[].sbomBuildDropPath: $(ArchiveDir)`. The archive directory only holds the built CMake binaries and their resources. * Component Governance step (pipeline-wide): set the auto-injected task's `ComponentDetection.SourcePath` variable to `$(Build.SourcesDirectory)/VSInsertion`. That directory contains the legitimate CG inputs (cgmanifest.json, packages.config) but no C/C++/.vcxproj files. The legitimate detectors (`CgManifest`, `NuGetPackagesConfig`) still fire and the produced SBoM is unaffected. Verified across x64/arm64/x86: `CppSdk` reports `0 | 0` in both steps, the `Scanning MSVC toolsets` / `Found MSVC toolset` log lines are gone, and `TotalNumberOfPackages` dropped from 9 to the 3 real packages. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- VSInsertion/Pipelines/build.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) 
diff --git a/VSInsertion/Pipelines/build.yml b/VSInsertion/Pipelines/build.yml
index b590cd36e17..cbc4eba9cbc 100644
--- a/VSInsertion/Pipelines/build.yml
+++ b/VSInsertion/Pipelines/build.yml
@@ -50,6 +50,8 @@ variables:
 value: true
 - name: Codeql.Language
 value: cpp,csharp,javascript,powershell,python,ruby
+- name: ComponentDetection.SourcePath
+ value: $(Build.SourcesDirectory)/VSInsertion
 - name: DisableDockerDetector
 value: true
 - name: PackagingSolutionRoot
@@ -90,12 +92,16 @@ extends:
 pool:
 name: VSEngSS-MicroBuild2022-1ES
 templateContext:
+ sdl:
+ sbom:
+ BuildComponentPath: '$(ArchiveDir)'
 outputs:
 - output: pipelineArtifact
 displayName: 'Publish CMake x64 Artifact'
 targetPath: $(ArchiveDir)
 artifactName: CMakeX64
 codeSignValidationEnabled: false
+ sbomBuildDropPath: $(ArchiveDir)
 steps:
 - checkout: self
 clean: true
@@ -210,12 +216,16 @@ extends:
 pool:
 name: VSEngSS-MicroBuild2022-1ES
 templateContext:
+ sdl:
+ sbom:
+ BuildComponentPath: '$(ArchiveDir)'
 outputs:
 - output: pipelineArtifact
 displayName: 'Publish CMake ARM64 Artifact'
 targetPath: $(ArchiveDir)
 artifactName: CMakeArm64
 codeSignValidationEnabled: false
+ sbomBuildDropPath: $(ArchiveDir)
 steps:
 - checkout: self
 clean: true
@@ -275,12 +285,16 @@ extends:
 pool:
 name: VSEngSS-MicroBuild2022-1ES
 templateContext:
+ sdl:
+ sbom:
+ BuildComponentPath: '$(ArchiveDir)'
 outputs:
 - output: pipelineArtifact
 displayName: 'Publish CMake x86 Artifact'
 targetPath: $(ArchiveDir)
 artifactName: CMakeX86
 codeSignValidationEnabled: false
+ sbomBuildDropPath: $(ArchiveDir)
 steps:
 - checkout: self
 clean: true
From c93b28d3ca7e0199e9409bacbe45681a6e7da460 Mon Sep 17 00:00:00 2001
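Review bot: The new `ComponentDetection.SourcePath` entry narrows the pipeline-wide Component Governance scan to `VSInsertion` with nothing in the YAML recording that this is a deliberate suppression of the `CppSdkDetector`, so a later maintainer has no signal that it is intentional rather than a stray path. Narrowing the scan root also means that, as far as I can read it, a third-party component living anywhere else in the repository is only reported if it is declared in cgmanifest.json or packages.config, and that blind spot should be written down next to the variable. I would add above the new `- name:` line: `# Scoped to VSInsertion so the injected CppSdkDetector never sees C/C++ sources and does not register every SxS MSVC toolset on the agent; components outside this sub-tree are covered only through cgmanifest.json / packages.config.` The `variables:` list this entry sits in starts before the hunk.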
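Review bot: `BuildComponentPath: '$(ArchiveDir)'` is single-quoted while the neighbouring `targetPath: $(ArchiveDir)` and the new `sbomBuildDropPath: $(ArchiveDir)` in the same stanza are plain, so the same variable is referenced in two quoting styles three lines apart; write it plain, `BuildComponentPath: $(ArchiveDir)`, to match the rest of the file. The identical ARM64 and x86 hunks that follow have the same inconsistency. Since the two paths are only correct while they agree, a comment on the first keeps them from drifting: `# Must match sbomBuildDropPath below: the archive holds only built binaries, no C/C++ sources, so the CppSdkDetector stays quiet.` The enclosing job mapping that owns `templateContext` starts before each hunk.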
From: Omotola Akeredolu
Date: Wed, 3 Jun 2026 17:37:06 -0700
Subject: [PATCH 2/2] update commit hash in cgmanifest
Pin CommitHash to the SBoM/CG scope-fix commit so CG records the correct registered state of the CMake repo for this branch.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
VSInsertion/Packaging/cgmanifest.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/VSInsertion/Packaging/cgmanifest.json b/VSInsertion/Packaging/cgmanifest.json
index 291b363dc3a..1cf10f0f413 100644
--- a/VSInsertion/Packaging/cgmanifest.json
+++ b/VSInsertion/Packaging/cgmanifest.json
@@ -5,7 +5,7 @@
 "Type": "git",
 "Git": {
 "RepositoryUrl": "https://github.com/microsoft/CMake.git",
- "CommitHash": "4fe28dc1e760d8e63c5ce17b3b061333c2846a8a"
+ "CommitHash": "544cf1c1a98f448372eb0581bee28df2faa09e16"
 }
 }
 }