Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Component Governance detected 1 security related alerts at or above "High" severity #4471

Closed
Winniexu01 opened this issue Jun 19, 2024 · 1 comment · Fixed by dotnet/runtime#103639
Closed

Component Governance detected 1 security related alerts at or above "High" severity #4471

Winniexu01 opened this issue Jun 19, 2024 · 1 comment · Fixed by dotnet/runtime#103639
Labels
area-upstream-fix Needs a change in a contributing repo ops-monitor Issues created/handled by the source build monitor role

Comments

@Winniexu01
Copy link
Member

Synchronization build in VMR main: https://dev.azure.com/dnceng/internal/_build/results?buildId=2477137&view=logs&j=f94b1352-8074-534d-f024-dae8a910f9a5&t=45076ec1-5101-5328-cb42-66bd28c759bf

1 security alert at or above "High" severity:

_________________________________________________________________________________________________________________________________________________
|Security Alerts                                                                                                                                |
|_______________________________________________________________________________________________________________________________________________|
|Alert title                             |Affected component                      |Severity                      |Due date                      |
|________________________________________|________________________________________|______________________________|______________________________|
|CVE-2024-37890                          |ws 8.4.0                                |High                          |2024-09-16T07:54:15.9792710Z  |
|________________________________________|________________________________________|______________________________|______________________________|

##[warning]Component Governance detected 1 security related alerts at or above "High" severity. Microsoft's Open Source policy requires that all high and critical security vulnerabilities found by this task be addressed by upgrading vulnerable components. Vulnerabilities in indirect dependencies should be addressed by upgrading the root dependency.
To change the severity threshold or build result, either dismiss the alerts in Component Governance or update the settings of this build task.
Please see our support page at https://aka.ms/cg-support to get help with questions related to Component Governance.
##[warning]Component Governance detected 1 security alert(s) at or above "High" severity that need to be resolved. On their due date these alerts will break the build.
Took 1.446064 seconds to query alerts.
Component Governance Alerts:            https://dev.azure.com/dnceng/7ea9116e-9fac-403d-b258-b31fcf1bb293/_componentGovernance/102295?_a=alerts&typeId=21581780
Component Governance Detection History: https://dev.azure.com/dnceng/7ea9116e-9fac-403d-b258-b31fcf1bb293/_componentGovernance/102295?_a=history&typeId=21581780
@dotnet-issue-labeler dotnet-issue-labeler bot added area-build Improvements in source-build's own build process untriaged labels Jun 19, 2024
@Winniexu01 Winniexu01 added the ops-monitor Issues created/handled by the source build monitor role label Jun 19, 2024
@ViktorHofer
Copy link
Member

I think this will be fixed with dotnet/runtime#103639

@pavelsavara pavelsavara mentioned this issue Jun 20, 2024
Merged
@MichaelSimons MichaelSimons moved this from Backlog to Blocked in .NET Source Build Jun 20, 2024
@MichaelSimons MichaelSimons added area-upstream-fix Needs a change in a contributing repo and removed area-build Improvements in source-build's own build process untriaged labels Jun 20, 2024
@github-project-automation github-project-automation bot moved this from Blocked to Done in .NET Source Build Jun 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area-upstream-fix Needs a change in a contributing repo ops-monitor Issues created/handled by the source build monitor role
Projects
.NET Source Build
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

bump npm dependencies and lock file format pavelsavara/runtime
3 participants
@ViktorHofer @MichaelSimons @Winniexu01