[VMR] Component Governance errors tracking

[premun]

NuGet problems

⚠️ NuGet Feed Configuration

• fsharp/tests/FSharp.Build.UnitTests/NuGet.Config
• sdk/src/Assets/NonRestoredTestProjects/AppThrowingException/AppDependingOnOtherAsTool/NuGet.Config
• sdk/src/Assets/TestProjects/TrimmedAppWithReferences/App/nuget.config
• sdk/src/Assets/TestProjects/PackageValidationTestProject/NuGet.Config

⚠️ NuGet security analysis - Potential upstreams in a feed

Seems like there might be a feed it cannot access so it cannot decide whether it has upstreams (and potentially leads to nuget.org)

• nuget-client/Nuget.Config

Plus there are more but once we sync the removal of FileSystem and Common submodules, they will go away.

⚠️ CFS0013 - Package source has value that is not an Azure Artifacts feed

Usually, these usually have nuget.org inside. I am not sure how this ties to #3170

• format/tests/projects/for_analyzer_formatter/analyzer_project/NuGet.config
• nuget-client/test/EndToEnd/NuGet.Config
• sdk/template_feed/Microsoft.DotNet.Common.ItemTemplates/content/Nuget/nuget.config
  I think this one needs an exemption as it's a template for new projects
• source-build-externals/src/application-insights/BASE/NuGet.config
• source-build-externals/src/application-insights/NETCORE/NuGet.config
• source-build-externals/src/application-insights/NuGet.config
• source-build-externals/src/newtonsoft-json/Src/NuGet.Config

⚠️ CFS0011 - C# project(s) are missing feed configuration

These all seem to be our files from the VMR bootstrap that don't resolve to no root NuGet.config file.

• eng/bootstrap/buildBootstrapPreviouslySB.csproj
  Missing root NuGet.config for some SB-infra projects #3230
• test/Microsoft.DotNet.SourceBuild.SmokeTests/Microsoft.DotNet.SourceBuild.SmokeTests.csproj
  Missing root NuGet.config for some SB-infra projects #3230
• tools-local/tasks/Microsoft.DotNet.SourceBuild.Tasks.XPlat/Microsoft.DotNet.SourceBuild.Tasks.XPlat.csproj
  Missing root NuGet.config for some SB-infra projects #3230
• tools-local/tasks/SourceBuild.MSBuildSdkResolver/SourceBuild.MSBuildSdkResolver.csproj
  Missing root NuGet.config for some SB-infra projects #3230

NPM problems

⚠️ CFS0001 - Node.js project(s) are missing feed configuration

Missing .npmrc files

• aspnetcore/src/submodules/MessagePack-CSharp/src/MessagePack.UnityClient/Assets/RuntimeUnitTestToolkit/package.json
  Issue to be created, I reached out to dougbu
• aspnetcore/src/submodules/MessagePack-CSharp/src/MessagePack.UnityClient/Assets/Scripts/MessagePack/package.json
  Issue to be created, I reached out to dougbu
• aspnetcore/src/submodules/spa-templates/src/content/Angular-CSharp/ClientApp/package.json
  Issue to be created, I reached out to dougbu
• aspnetcore/src/submodules/spa-templates/src/content/React-CSharp/ClientApp/package.json
  Issue to be created, I reached out to dougbu

[dotnet-issue-labeler]

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[premun]

Just for book-keeping, the variables used to suppress the scans are following:

• cfsNPMWarnLevel: none
• cfsNugetWarnLevel: none
• myGetWarnLevel: none
• NuGetSecurityAnalysisWarningLevel: none

Present in following pipelines:

• https://dev.azure.com/dnceng/internal/_build/results?buildId=2065606&view=results
• https://dev.azure.com/dnceng/internal/_build?definitionId=1214

[premun]

So, we've got the Source Build NuGet.config without a root config fixed.
We also fixed the source-build-externals ones by cloaking them from the VMR.

I have also dismissed all of the multi-feed AzDO alerts based on https://dev.azure.com/dnceng/internal/_wiki/wikis/DNCEng%20Services%20Wiki/843/SingleFeedFAQ

[premun]

@brettfo we are seeing an alert in the VMR for this file: fsharp/tests/FSharp.Build.UnitTests/NuGet.Config which is synchronized from the fsharp repo.

I checked the history of the dotnet-fsharp repo and the alert was possibly suppressed wrongly. I can see a number of suppressed alerts in CG due to the multi-feed configuration which CG wrongly detects for our repos where we reference several public AzDO feeds with no upstreams (https://dev.azure.com/dnceng/internal/_wiki/wikis/DNCEng%20Services%20Wiki/843/SingleFeedFAQ). These suppressions are in place and the right step.
However, this linked one I think is not of the same kind. This one is probably missing the <clear /> statement so it's a valid alert and should be resolved differently. I propose reinstating the alert and fixing the NuGet.config file which will in turn fix this in the VMR.

[premun]

@brettfo we are seeing an alert in the VMR for this file: fsharp/tests/FSharp.Build.UnitTests/NuGet.Config which is synchronized from the fsharp repo.

Ah, so it seems that we are probably fine to dismiss this as the root NuGet.config should be enough to functionally match copying the required feeds into the offending config.

[premun]

All critical and high alerts have been resolved so I am closing this now.

I have also set up a weekly email that I get with a report of CG alerts for the VMR.