Delete cgmanifest.json when being installed via vcpkg, but also update SHAs #6789
Pull Request Overview
This PR addresses Component Governance scanning issues for customers using Azure SDK via vcpkg by removing cgmanifest.json files during vcpkg installation and updating OpenSSL/curl commit hashes to current versions.
- Adds file removal logic to delete cgmanifest.json files in all vcpkg portfile.cmake files
- Updates OpenSSL commit hashes from outdated versions to current SHA (0893a62353583343eb712adef6debdfbe597c227)
- Updates curl commit hash in azure-core cgmanifest.json to current version (cfbfb65047e85e6b08af65fe9cdbcf68e9ad496a)
Reviewed Changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Multiple vcpkg/portfile.cmake files | Added file removal commands to delete cgmanifest.json files during vcpkg installation |
| Multiple cgmanifest.json files | Updated OpenSSL and curl commit hashes to current versions |
| .vscode/cspell.json | Added "cgmanifest" to spell check dictionary |
I will merge this after microsoft/vcpkg#47812 gets merged. And I also have a commit for https://github.com/Azure/azure-sdk-vcpkg-betas ready to go, everything will get committed at the same time. |
Fixes #6788
If a customer's Component Governance is misconfigured, it will scan their entire build directories for cgmanifest.json, and if it doesn't like something there, i.e. too old of a SHA for openssl, it will create alerts for such customers.
We currently have one internal customer affected by this.
Formally, it is not our problem - customers should exclude vcpkg/buildtrees/* from their CG scan, but why give them that problem in the first place, making them waste time and resources, and how many would be discouraged from using the Azure SDK.
Why this happens: when vcpkg installs our sources, it gets the copy of this entire repo - not only the sources that are necessary to build the SDK, but also cgmanifest.json, readmes, samples, engsys directory, tests, etc.
cgmanifest.json is only here for OUR CI's CG. It is not used and is not needed to build Azure SDK when vcpkg does it.
Plus, when customers install Azure SDK via vcpkg, cgmanifest.json does not reflect reality - the version of openssl they'll get depends on their environment and on vcpkg's SHA that they are using, we do not control that.
So the solution, to make customers' life easier, is to delete these files when we are installed via vcpkg, after the .zip has been downloaded and extracted, and before starting the build. We will patch vcpkg ports with this change, without making an Azure SDK release.
This PR also updates the SHAs of openssl and curl in our cgmanifest.json files; they are based on the vcpkg SHA we are currently using in this repo. We might get flagged by CG in this repo soon too. The SHAs we currently have in these files are for really old versions of openssl and curl, from several years ago.
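As an added illustration (not the PR's diff, which this page does not show), here is a minimal vcpkg portfile.cmake in the shape the description calls for: fetch the release archive, remove every cgmanifest.json from the extracted tree, verify none remain, then configure and build. The REF and SHA512 values and the package subdirectory are placeholders and assumptions, not taken from the PR.

```cmake
# Added example, not the PR's own diff: a minimal vcpkg portfile.cmake
# that drops the CI-only cgmanifest.json files after the source archive
# is extracted and before the build starts, so a customer's Component
# Governance scan of vcpkg/buildtrees/ never sees them.
# REF and SHA512 are placeholders; a real port pins a release tag and
# the SHA512 of that archive.

vcpkg_from_github(
    OUT_SOURCE_PATH SOURCE_PATH
    REPO Azure/azure-sdk-for-cpp
    REF "<RELEASE_TAG_PLACEHOLDER>"
    SHA512 "<SHA512_PLACEHOLDER>"
    HEAD_REF main
)

# The manifests live at the repository root and inside individual
# package directories (the PR mentions the azure-core one), so glob
# recursively instead of hard-coding each path. GLOB_RECURSE lists
# files only by default, so a directory of that name would be untouched.
file(GLOB_RECURSE CG_MANIFESTS "${SOURCE_PATH}/cgmanifest.json")

if(CG_MANIFESTS)
    list(LENGTH CG_MANIFESTS CG_MANIFEST_COUNT)
    message(STATUS "Removing ${CG_MANIFEST_COUNT} CI-only cgmanifest.json file(s)")
    file(REMOVE ${CG_MANIFESTS})
else()
    # Not an error: upstream may already have dropped the files.
    message(STATUS "No cgmanifest.json files found under ${SOURCE_PATH}")
endif()

# Sanity check before building: the tree handed to CMake must be clean,
# otherwise a downstream CG scan of buildtrees/ will still pick it up.
file(GLOB_RECURSE CG_LEFTOVERS "${SOURCE_PATH}/cgmanifest.json")
if(CG_LEFTOVERS)
    message(FATAL_ERROR "cgmanifest.json still present after removal: ${CG_LEFTOVERS}")
endif()

# Build as usual. The package subdirectory below is an assumption about
# the repository layout, not taken from the PR.
vcpkg_cmake_configure(
    SOURCE_PATH "${SOURCE_PATH}/sdk/core/azure-core"
    OPTIONS
        -DBUILD_TESTING=OFF
)
vcpkg_cmake_install()
```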