[17.11] Fix component governance alerts #10520
FYI @marcpopMSFT
Co-authored-by: Rainer Sigwald <raines@microsoft.com>
…in eng/Versions.props
….com/dotnet/msbuild into dev/mipavlik/resolve-cg-alerts-17-11
/backport to 17.10
Started backporting to 17.10: https://github.com/dotnet/msbuild/actions/runs/10812203541
/backport to vs17.10
@MichalPavlik an error occurred while backporting to 17.10, please check the run log for details! Error: @MichalPavlik is not a repo collaborator, backporting is not allowed. If you're a collaborator please make sure your dotnet team membership visibility is set to Public on https://github.com/orgs/dotnet/people?query=MichalPavlik
Started backporting to vs17.10: https://github.com/dotnet/msbuild/actions/runs/10812210758
@MichalPavlik an error occurred while backporting to vs17.10, please check the run log for details! Error: @MichalPavlik is not a repo collaborator, backporting is not allowed. If you're a collaborator please make sure your dotnet team membership visibility is set to Public on https://github.com/orgs/dotnet/people?query=MichalPavlik
/backport to vs17.10
Started backporting to vs17.10: https://github.com/dotnet/msbuild/actions/runs/10812234827
@MichalPavlik backporting to vs17.10 failed, the patch most likely resulted in conflicts:
$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch
Applying: Resolves CG alerts
Using index info to reconstruct a base tree...
M eng/SourceBuildPrebuiltBaseline.xml
M eng/Version.Details.xml
M eng/Versions.props
M src/MSBuild/app.amd64.config
M src/MSBuild/app.config
Falling back to patching base and 3-way merge...
Auto-merging src/MSBuild/app.config
Auto-merging src/MSBuild/app.amd64.config
Auto-merging eng/Versions.props
CONFLICT (content): Merge conflict in eng/Versions.props
Auto-merging eng/Version.Details.xml
Auto-merging eng/SourceBuildPrebuiltBaseline.xml
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config advice.mergeConflict false"
Patch failed at 0001 Resolves CG alerts
Error: The process '/usr/bin/git' failed with exit code 128
Please backport manually!
@MichalPavlik an error occurred while backporting to vs17.10, please check the run log for details! Error: git am failed, most likely due to a merge conflict.
* Localized file check-in by OneLocBuild Task: Build definition ID 9434: Build ID 10000931 (#10267) * Localized file check-in by OneLocBuild Task: Build definition ID 9434: Build ID 9752299 * Increase VersionPrefix version --------- Co-authored-by: Jenny Bai <v-jennybai@microsoft.com> * [17.11] Fix component governance alerts (#10520) * Resolves CG alerts --------- Co-authored-by: Rainer Sigwald <raines@microsoft.com> * Assembly redirect fix (#10624) * Fixing the assembly redirect * [vs17.11] Update dependencies from dotnet/arcade (#10654) * Update dependencies from https://github.com/dotnet/arcade build 20240910.4 Microsoft.SourceBuild.Intermediate.arcade , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions From Version 8.0.0-beta.24311.3 -> To Version 8.0.0-beta.24460.4 * version bump --------- Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com> Co-authored-by: Mariana Garces Dematte <magarces@microsoft.com> * Upgrade system.text.json to 8.0.4 (#10650) Will address dotnet/sdk#43339 when deployed in VS. --------- Co-authored-by: Rainer Sigwald <raines@microsoft.com> * disable loc (#10693) Part of: #10665 Disabling localization for 17.11. 
* [vs17.11] Update dependencies from dotnet/arcade (#10691) * [vs17.11] Update dependencies from dotnet/arcade (#10793) * Update dependencies from https://github.com/dotnet/arcade build 20241008.1 Microsoft.SourceBuild.Intermediate.arcade , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions From Version 8.0.0-beta.24475.3 -> To Version 8.0.0-beta.24508.1 * bump the version --------- Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com> Co-authored-by: YuliiaKovalova <95473390+YuliiaKovalova@users.noreply.github.com> * CG alert cleaning on VS17.11 (#10723) * Bump Microsoft.IO.Redist to 6.0.1 * Bump version prefix to 17.11.11 * [vs17.11] Update dependencies from dotnet/arcade (#10832) * [vs17.11] Update dependencies from dotnet/arcade (#10895) * [vs17.11] Update dependencies from dotnet/arcade (#10990) * Update dependencies from https://github.com/dotnet/arcade build 20241112.12 Microsoft.SourceBuild.Intermediate.arcade , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions From Version 8.0.0-beta.24525.2 -> To Version 8.0.0-beta.24562.12 * Update VersionPrefix to 17.11.16 --------- Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com> Co-authored-by: Gang Wang <v-gaw@microsoft.com> * Update dependencies from https://github.com/dotnet/arcade build 20241120.5 Microsoft.SourceBuild.Intermediate.arcade , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions From Version 8.0.0-beta.24562.12 -> To Version 8.0.0-beta.24570.5 * Update VersionPrefix to 17.11.17 * [vs17.11] Run tests even if version is not bumped (#11060) Backport of #11042 to vs17.11 * [vs17.11] Backport VS insertion pipeline YMLs (#11064) Co-authored-by: Jan Provaznik <janprovaznik@microsoft.com> * Eliminate the unnecessary change from vs17.11 * Remove duplicate version setting for System.Formats.Asn1 * Bump up version prefix to 17.12.18 --------- Co-authored-by: dotnet bot <dotnet-bot@dotnetfoundation.org> 
Co-authored-by: Jenny Bai <v-jennybai@microsoft.com> Co-authored-by: MichalPavlik <michalpavlik@outlook.com> Co-authored-by: Rainer Sigwald <raines@microsoft.com> Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com> Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com> Co-authored-by: Mariana Garces Dematte <magarces@microsoft.com> Co-authored-by: YuliiaKovalova <95473390+YuliiaKovalova@users.noreply.github.com> Co-authored-by: Gang Wang <v-gaw@microsoft.com> Co-authored-by: Surayya Huseyn Zada <114938397+surayya-MS@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jan Provaznik <janprovaznik@microsoft.com>
Fixes
CVE-2024-38081, CVE-2024-38095
Context
Some of our dependencies contain vulnerabilities.
Changes Made
I backported changes we already have in main branch - updated Microsoft.IO.Redist package version and pinned System.Formats.Asn1 package version.
Testing
Existing unit test.
Notes
VS 17.11 still uses Microsoft.IO.Redist version 6.0.0, so we need to stick with this version.