Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Resolve the Component Governance issue in the dotnet-helix-machines repository

See original GitHub issue
  • This issue is blocking
  • This issue is causing unreasonable pain

The issue is blocking: and any PR to the dotnet-helix-machines repository.

Component Governance Component Detection:

Release Note Category

  • Feature changes/additions
  • Bug fixes
  • Internal Infrastructure Improvements

Release Note Description

Increased the installed Python cryptography and pyopenssl versions on most build and test agents to 41.0.1 and 23.2.0, respectively. Due to restrictions in our infrastructure, this change will be reflected on as >=39.0.1 and >=23.0.0 rather than the exact versions installed.

The cryptography and pyopensll versions on all SLES 12 and Ubuntu 16.04 are significantly older due to platform issues we have not yet resolved. See dotnet/dnceng#293 and dotnet/dnceng#294 for details.

Issue Analytics

  • State:closed
  • Created 5 months ago
  • Comments:29 (29 by maintainers)

github_iconTop GitHub Comments

dougbucommented, Jun 26, 2023

After much experimentations and unblocking many problems (e.g., w/ FORCE_QUEUEs), this is finally waiting for rollout. dotnet/dnceng#293 and dotnet/dnceng#294 track work on the couple of images that still have an old cryptography version.

oleksandr-didykcommented, May 3, 2023

What are the available options to solve this problem then @oleksandr-didyk Oleksandr Didyk FTE ?

Initially we could:

  • upgrade cryptography on the affected machine - as for reasons mentioned here I would argue that this option is too costly. From comments in this issue + internal comms it seems @dougbu is doing some additional work in this path and can verify / argue against this conclusion
  • request and exception for the this specific package - as mentioned in internal comms and in-person meetings this is something that is possible and has occurred in the past (not sure if the past instances related to Python packages or not). A potential issue with this solution is that some other alert can pop-up in the future relating in some shape or form to cryptography and we might need to silence it as well
  • drop support for the OS in the first place - no OS means no issues. However, as mentioned in discussions, this would receive great pushback from the product teams since .NET 6 and .NET 7 should support the OS + the original issue is not with the product itself, rather with the infra used for building / testing. Dropping support for an OS just because of that doesn’t look plausible

As such from my perspective it looks like seeking an exception for the alert is the way to go.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Fix warning "Component Governance detected 5 security ...
Happens during component detection. Whole warning text: ##[warning]Component Governance detected 5 security related alerts at or above 'High' ...
Read more >
Component Governance still showing Alerts after issues ...
Developer Community​​ After updating dependencies using `npm audit` for an npm managed projects, alerts are still showing in the Governed  ...
Read more >
Overview - Azure DevOps Services REST API
Using the Governance service, you can register the usage of an existing or new open source component in a given governed repository.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found