Update testing analyzers #59516
Update testing analyzers #59516
Conversation
dotnet-issue-labeler
bot
added
the
area-infrastructure
sebastienros
force-pushed
the
sebros/updateanalyzers
branch
from
9b1d1db to
4115eca
Compare
| @@ -18,6 +18,8 @@ | |||
| <UsagePattern IdentityGlob="System.Composition.Runtime/*8.0.0*" /> | |||
| <UsagePattern IdentityGlob="System.Composition.TypedParts/*8.0.0*" /> | |||
| <UsagePattern IdentityGlob="System.Security.Cryptography.Pkcs/5.0.*" /> | |||
| <UsagePattern IdentityGlob="System.Security.Cryptography.Pkcs/6.0.*" /> | |||
There was a problem hiding this comment.
@wtgodbe Is that expected to have two versions, or should I find the source and force a single one?
There was a problem hiding this comment.
There should be a log in the source build artifacts that tells us where these 2 versions are coming from - if it's not obvious from that how to remove one of the versions, I'd ask @ellahathaway
There was a problem hiding this comment.
I pulled the prebuilt usage report, which does not give details on where System.Security.Cryptography.Pkcs 5.0.0 and 6.0.0 are being pulled from. Given this, it's likely they're transitive dependencies of some other tool or package being used during the build. This unfortunately makes it a bit more difficult to tell whether or not we should allow these to be in the baseline.
I suggest copying these changes to the VMR & opening a PR there. That'll automatically run a full source-build leg (takes ~1hr) and will tell us if these prebuilts are really a problem or if they can just be added to the baseline as you've already done.
There was a problem hiding this comment.
Created dotnet/dotnet#125
|
Now waiting for source-build code owner's approval? |
The current versions are old and the newer ones has updated dependencies without vulnerabilities (System.Formats.Asn1)