Fix Component Governance warnings#17190

Merged
davidfowl merged 1 commit into main from davidfowl/investigate-warnings on May 18, 2026
Conversation

@davidfowl davidfowl commented May 17, 2026

Description

AzDO pipeline 1602 was still reporting Component Governance and CFS warnings after the previous cleanup because a few build inputs were still pinned to flagged versions or resolving vulnerable transitives from upstream dependency metadata.

This change updates those inputs without adding new direct dependencies:

  • Bumps the repo-local .NET SDK/toolset from 10.0.201 to 10.0.300 so CG no longer reports the older SDK/runtime component.
  • Removes unused Swashbuckle from the JavaScript playground project, which removes the associated SwaggerUI component alert. The project does not call Swashbuckle APIs such as AddSwaggerGen, UseSwagger, UseSwaggerUI, or WithOpenApi; it only retains the template Swagger comment and the existing Microsoft.AspNetCore.OpenApi reference.
  • Pins the MongoDB.Driver compression transitives (SharpCompress and Snappier) through NuGet Central Package Management transitive pinning, with comments explaining why they are present.
  • Updates the Java playground dependency management to use the Netty BOM and Azure-compatible Reactor Netty 1.2 line, removes the stale Nimbus override, and removes explicit Maven Central repository declarations so CI relies on the configured feed/mirror policy.

Validation:

  • restore.cmd
  • build.cmd /p:SkipNativeBuild=true
  • dotnet build playground\AspireWithJavaScript\AspireJavaScript.MinimalApi\AspireJavaScript.MinimalApi.csproj --no-restore /p:SkipNativeBuild=true
  • dotnet list Aspire.slnx package --include-transitive confirmed SharpCompress 1.0.0 and Snappier 1.3.1 resolve.

Fixes # (issue)

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No

Bump the repo-local .NET SDK to 10.0.300 and clean up dependency inputs that were still producing Component Governance warnings in AzDO pipeline 1602.

Pin MongoDB.Driver compression transitives to patched versions, remove unused Swashbuckle from the JavaScript playground, and adjust the Java playground dependency management to avoid stale Maven and Netty/Reactor pins.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
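The NuGet Central Package Management transitive pinning mechanism the description relies on, as an added illustration that is not the project's own Directory.Packages.props: with CentralPackageTransitivePinningEnabled set, a PackageVersion entry overrides the version a transitive dependency would otherwise resolve to, even when no project references that package directly. The package IDs and versions for the transitives are the ones the PR names (SharpCompress 1.0.0, Snappier 1.3.1); the MongoDB.Driver version is a placeholder.

```xml
<Project>
  <PropertyGroup>
    <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
    <!-- Without this property a PackageVersion only applies to packages a project
         references directly; transitives such as SharpCompress keep whatever
         version the MongoDB.Driver package metadata asks for. -->
    <CentralPackageTransitivePinningEnabled>true</CentralPackageTransitivePinningEnabled>
  </PropertyGroup>

  <ItemGroup>
    <!-- Direct dependency. The version here is a placeholder, not the repo's pin. -->
    <PackageVersion Include="MongoDB.Driver" Version="X.Y.Z" />

    <!-- Transitive pins: no project in the solution references these directly.
         They exist only to lift the compression dependencies of MongoDB.Driver
         to the versions the PR's validation confirmed resolving. -->
    <PackageVersion Include="SharpCompress" Version="1.0.0" />
    <PackageVersion Include="Snappier" Version="1.3.1" />
  </ItemGroup>
</Project>
```

To confirm the pin actually took effect, run the same command the validation section uses, `dotnet list <solution> package --include-transitive`, and check that the transitive rows for SharpCompress and Snappier show the pinned versions rather than the ones requested by MongoDB.Driver's metadata.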
Copilot AI review requested due to automatic review settings May 17, 2026 15:13
@github-actions

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17190

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17190"

Copilot AI left a comment

Pull request overview

Addresses Component Governance alerts by bumping the local .NET SDK, removing an unused NuGet from a JavaScript playground project, adding central transitive pins for MongoDB.Driver's compression dependencies, and modernizing the Java playground POM (Netty BOM, Reactor Netty 1.2, dropped explicit Maven Central repos).

Changes:

  • Bump local SDK + bundled dotnet tools to 10.0.300 in global.json.
  • Add transitive CG pins (SharpCompress, Snappier) and drop the unused Swashbuckle.AspNetCore entry in Directory.Packages.props; remove the PackageReference from AspireJavaScript.MinimalApi.csproj.
  • In the Java playground POM: import netty-bom, move pinned versions to properties, upgrade Reactor Netty to 1.2.17, and remove explicit <repositories>/<pluginRepositories> blocks so CI uses the configured mirror policy.
Summary per file:

  • global.json: Updates SDK and bundled dotnet tool versions to 10.0.300.
  • Directory.Packages.props: Removes Swashbuckle.AspNetCore; adds transitive CG pins for SharpCompress and Snappier.
  • playground/AspireWithJavaScript/AspireJavaScript.MinimalApi/AspireJavaScript.MinimalApi.csproj: Drops the now-unused Swashbuckle.AspNetCore reference.
  • playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/pom.xml: Switches to Netty BOM, bumps Reactor Netty to 1.2.17, removes explicit Maven Central repo declarations.

Copilot's findings

  • Files reviewed: 4/4 changed files
  • Comments generated: 0
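The dependencyManagement shape the review describes for the Java playground, as an added example and not the playground's actual pom.xml: importing netty-bom with type pom and scope import makes every Netty artifact resolve to one version without listing each artifact, and the Reactor Netty pin lives in a property. The Netty BOM version is a placeholder because the page does not state it; 1.2.17 is the Reactor Netty version the review names; the property names are my own, and the surrounding project coordinates are omitted.

```xml
<project>
  <properties>
    <!-- Placeholder: the page does not say which netty-bom version was imported. -->
    <netty.version>NETTY_BOM_VERSION</netty.version>
    <reactor-netty.version>1.2.17</reactor-netty.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- BOM import: pins every io.netty:netty-* artifact to one version, so a
           flagged Netty transitive pulled in by Reactor Netty or another library
           is lifted to the BOM's version instead of being pinned one by one. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- Explicit managed version for the Reactor Netty line the review names. -->
      <dependency>
        <groupId>io.projectreactor.netty</groupId>
        <artifactId>reactor-netty</artifactId>
        <version>${reactor-netty.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <!-- Deliberately no <repositories> or <pluginRepositories> block: with them
       absent, resolution goes through the mirror policy configured for CI in
       settings.xml rather than an inline Maven Central declaration. -->
</project>
```

After changing the managed versions, `mvn dependency:tree` shows which Netty and Reactor Netty versions actually resolve, which is the equivalent of the `dotnet list package --include-transitive` check on the .NET side.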

@github-actions

CLI E2E Tests unknown — 86 passed, 0 failed, 1 unknown (commit 8a51b61)

Tests with recordings:

  • AddPackageInteractiveWhileAppHostRunningDetached
  • AddPackageWhileAppHostRunningDetached
  • AgentCommands_AllHelpOutputs_AreCorrect
  • AgentInitCommand_DefaultSelection_InstallsSkillOnly
  • AgentInitCommand_MigratesDeprecatedConfig
  • AspireAddPackageVersionToDirectoryPackagesProps
  • AspireInitSingleFileAppHostRunsViaDotnetRunAppHost
  • AspireInitWithExistingAppHostDirRecreatesMissingNuGetConfigAndPreservesFiles
  • AspireInitWithSolutionFileGeneratesAppHostThatBuildsAgainstChannelHive
  • AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps
  • AspireUpdateRemovesOrphanAppHostPackageVersionWhenSdkAlreadyCurrent
  • Banner_DisplayedOnFirstRun
  • Banner_DisplayedWithExplicitFlag
  • Banner_NotDisplayedWithNoLogoFlag
  • CertificatesClean_RemovesCertificates
  • CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate
  • CertificatesTrust_WithUntrustedCert_TrustsCertificate
  • ConfigSetGet_CreatesNestedJsonFormat
  • CreateAndRunAspireStarterProject
  • CreateAndRunAspireStarterProjectWithBundle
  • CreateAndRunEmptyAppHostProject
  • CreateAndRunJavaEmptyAppHostProject
  • CreateAndRunJsReactProject
  • CreateAndRunPythonReactProject
  • CreateAndRunTypeScriptEmptyAppHostProject
  • CreateAndRunTypeScriptStarterProject
  • CreateJavaAppHostWithViteApp
  • CreateTypeScriptAppHostWithViteApp_UsesConfiguredToolchain
  • DashboardRunWithOtelTracesReturnsNoTraces
  • DeployK8sBasicApiService
  • DeployK8sWithExternalHelmChart
  • DeployK8sWithGarnet
  • DeployK8sWithMongoDB
  • DeployK8sWithMySql
  • DeployK8sWithPostgres
  • DeployK8sWithRabbitMQ
  • DeployK8sWithRedis
  • DeployK8sWithSqlServer
  • DeployK8sWithValkey
  • DeployTypeScriptAppToKubernetes
  • DescribeCommandResolvesReplicaNames
  • DescribeCommandShowsRunningResources
  • DetachFormatJsonProducesValidJson
  • DetachFormatJsonProducesValidJsonWhenRestartingExistingInstance
  • DoListStepsShowsPipelineSteps
  • DocsCommand_RendersInteractiveMarkdownFromLocalSource
  • DoctorCommand_DetectsDeprecatedAgentConfig
  • DoctorCommand_TypeScriptAppHostReportsMissingConfiguredToolchain
  • DoctorCommand_WithSslCertDir_ShowsTrusted
  • DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted
  • GlobalMigration_HandlesCommentsAndTrailingCommas
  • GlobalMigration_HandlesMalformedLegacyJson
  • GlobalMigration_PreservesAllValueTypes
  • GlobalMigration_SkipsWhenNewConfigExists
  • GlobalSettings_MigratedFromLegacyFormat
  • InitTypeScriptAppHost_AugmentsExistingViteRepoAtRoot
  • InteractiveCSharpInitCreatesExpectedFiles
  • InvalidAppHostPathWithComments_IsHealedOnRun
  • LatestCliCanStartStableChannelAppHost
  • LatestCliCanStartStableChannelTypeScriptAppHost
  • LegacySettingsMigration_AdjustsRelativeAppHostPath
  • LogLevelTrace_ProducesTraceEntriesInCliLogFile
  • LogsCommandShowsResourceLogs
  • OtelLogsReturnsStructuredLogsFromStarterApp
  • OtelLogsReturnsStructuredLogsFromStarterAppIsolated
  • PsCommandListsRunningAppHost
  • PsFormatJsonOutputsOnlyJsonToStdout
  • PublishWithConfigureEnvFileUpdatesEnvOutput
  • PublishWithDockerComposeServiceCallbackSucceeds
  • PublishWithoutOutputPathUsesAppHostDirectoryDefault
  • ResourceCommand_FailedExecution_DisplaysAppHostLogPathAndLogContainsEntries
  • ResourceCommand_FailsWhenInteractionServiceIsRequired
  • ResourceCommand_SetAndDeleteParameterUpdatesDescribeOutput
  • RestoreGeneratesSdkFiles
  • RestoreGeneratesSdkFiles_WithConfiguredToolchain
  • RestoreRefreshesGeneratedSdkAfterAddingIntegration
  • RestoreSupportsConfigOnlyHelperPackageAndCrossPackageTypes
  • RunFromParentDirectory_UsesExistingConfigNearAppHost
  • SecretCrudOnDotNetAppHost
  • SecretCrudOnTypeScriptAppHost
  • StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels
  • StartAndWaitForTypeScriptSqlServerAppHostWithNativeAssets
  • StopAllAppHostsFromAppHostDirectory
  • StopNonInteractiveSingleAppHost
  • StopWithNoRunningAppHostExitsSuccessfully
  • UnAwaitedChainsCompileWithAutoResolvePromises
  • UpdateProjectChannelToStable_TypeScript_PicksUpStablePackages

📹 Recordings uploaded automatically from CI run #25994596730

@davidfowl davidfowl merged commit 88565bf into main May 18, 2026
299 checks passed
@github-actions github-actions Bot added this to the 13.4 milestone May 18, 2026
@aspire-repo-bot

✅ No documentation update needed.

docs_required → already documented by name (both triggered signals are false positives; no user-facing surface was introduced)

Triggered signals (2): pr_body_has_cli_flag_mention, pr_body_has_security_marker

Signal analysis:

  • pr_body_has_cli_flag_mention — evidence hint: `/p:SkipNativeBuild=true` (from the PR's validation steps section). This is an MSBuild build property used in a dotnet build command, not a new user-facing CLI option flag (e.g., --search, --output). The PR introduces no new user-facing CLI flags. There is no identifier to search for or document in microsoft/aspire.dev.

  • pr_body_has_security_marker — evidence hint: "vulnerable transitives from upstream dependency metadata". This refers to internal Component Governance (CG) compliance — the AzDO pipeline's automated scan for flagged transitive dependency versions. No CVE, GHSA, or user-facing security advisory was issued. The fix (pinning SharpCompress 1.0.0, Snappier 1.3.1, bumping SDK to 10.0.300, updating Java Netty BOM) is purely internal build maintenance. There is no security advisory to document.

Supporting evidence: Advisory signal only_test_or_build_changes = true — all 4 changed files are in playground/ (playground/AspireWithJavaScript/AspireJavaScript.MinimalApi/AspireJavaScript.MinimalApi.csproj, playground/PostgresEndToEnd/PostgresEndToEnd.JavaService/pom.xml) and top-level build config (Directory.Packages.props, global.json). No src/ files were modified.

@davidfowl davidfowl mentioned this pull request May 18, 2026
14 tasks
nellshamrell pushed a commit to nellshamrell/aspire that referenced this pull request May 18, 2026
Bump the repo-local .NET SDK to 10.0.300 and clean up dependency inputs that were still producing Component Governance warnings in AzDO pipeline 1602.

Pin MongoDB.Driver compression transitives to patched versions, remove unused Swashbuckle from the JavaScript playground, and adjust the Java playground dependency management to avoid stale Maven and Netty/Reactor pins.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
davidfowl added a commit that referenced this pull request May 18, 2026
Revert the SDK and tools dotnet version in global.json back to 10.0.201 to unblock Azure DevOps pipeline 1602 while preserving the other dependency updates from PR #17190.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot locked and limited conversation to collaborators Jun 17, 2026