CG Alerts in 8.0/9.0 for vulnerable SBRP packages #1433

@MichaelSimons

CG alerts started appearing again in 8.0/9.0 for vulnerable SBRP packages. The vulnerable packages come from the Arcade SB leg.

It appears that the changes made in dotnet/arcade@6e78cc9 to address these types of issues are no longer sufficient. This CG step works fine but there is another CG step running right after this w/o the ignoreDirectories. IIRC the first run should set a variable that indicates CG ran.

Labels

ops-monitor: Issues created/handled by the source build monitor role
untriaged: Needs to be triaged

Status

Done
