Delete cgmanifest.json when being installed via vcpkg, but also update SHAs (#6789)
Merged
Conversation
Contributor
Pull Request Overview
This PR addresses Component Governance scanning issues for customers using Azure SDK via vcpkg by removing cgmanifest.json files during vcpkg installation and updating OpenSSL/curl commit hashes to current versions.
- Adds file removal logic to delete cgmanifest.json files in all vcpkg portfile.cmake files
- Updates OpenSSL commit hashes from outdated versions to current SHA (0893a62353583343eb712adef6debdfbe597c227)
- Updates curl commit hash in azure-core cgmanifest.json to current version (cfbfb65047e85e6b08af65fe9cdbcf68e9ad496a)
Reviewed Changes
Copilot reviewed 27 out of 27 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| Multiple vcpkg/portfile.cmake files | Added file removal commands to delete cgmanifest.json files during vcpkg installation |
| Multiple cgmanifest.json files | Updated OpenSSL and curl commit hashes to current versions |
| .vscode/cspell.json | Added "cgmanifest" to spell check dictionary |
RickWinter reviewed Oct 14, 2025
RickWinter approved these changes Oct 14, 2025
LarryOsterman approved these changes Oct 14, 2025
Member
Author
I will merge this after microsoft/vcpkg#47812 gets merged. And I also have a commit for https://github.com/Azure/azure-sdk-vcpkg-betas ready to go, everything will get committed at the same time.
Member
[like] Zhendong Chang reacted to your message.
Fixes #6788
If a customer's Component Governance is misconfigured, it will scan their entire build directories for cgmanifest.json, and if it doesn't like something there, e.g. too old a SHA for openssl, it will create alerts for such customers.
We currently have one internal customer affected by this.
Formally, it is not our problem - customers should exclude vcpkg/buildtrees/* from their CG scan, but why give them that problem in the first place, making them waste time and resources, and how many would be discouraged from using the Azure SDK?
Why this happens: when vcpkg installs our sources, it gets a copy of this entire repo - not only the sources that are necessary to build the SDK, but also cgmanifest.json, readmes, samples, the engsys directory, tests, etc.
cgmanifest.json is only here for OUR CI's CG. It is not used and is not needed to build the Azure SDK when vcpkg does it.
Plus, when customers install the Azure SDK via vcpkg, cgmanifest.json does not reflect reality - the version of openssl they'll get depends on their environment and on the vcpkg SHA that they are using; we do not control that.
So the solution, to make customers' lives easier, is to delete these files when we are installed via vcpkg, after the .zip has been downloaded and extracted, and before starting the build. We will patch the vcpkg ports with this change, without making an Azure SDK release.
This PR also updates the SHAs of openssl and curl in our cgmanifest.json files; they are based on the vcpkg SHA we are currently using in this repo. We might get flagged by CG in this repo soon too. The SHAs we currently have in these files are for really old versions of openssl and curl, from several years ago.
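The portfile change the description above calls for, shown as an added illustration (this is not the text of the PR's own portfiles or of any vcpkg port). It assumes the standard vcpkg helper flow, where `vcpkg_from_github()` extracts the downloaded archive and sets `SOURCE_PATH` to that tree; the `REF` tag name and the `SHA512` value are placeholders, and `_azure_cgmanifests` is a variable name chosen here.

```cmake
# Added example of the per-port "delete cgmanifest.json after extraction,
# before build" step. Placeholder REF/SHA512; a real port pins a release tag
# and the matching archive hash.
vcpkg_from_github(
    OUT_SOURCE_PATH SOURCE_PATH
    REPO Azure/azure-sdk-for-cpp
    REF "azure-core_${VERSION}"   # placeholder tag name (assumption)
    SHA512 0                      # placeholder hash (assumption)
    HEAD_REF main
)

# vcpkg extracted the whole repository, so the tree carries cgmanifest.json
# files that exist only for the SDK's own CI Component Governance run and play
# no part in the build. Remove every one of them, at any depth, so that a
# customer's CG scan of vcpkg/buildtrees never sees them.
file(GLOB_RECURSE _azure_cgmanifests "${SOURCE_PATH}/cgmanifest.json")
if(_azure_cgmanifests)
    file(REMOVE ${_azure_cgmanifests})
endif()

# Check: fail the port build loudly rather than silently shipping a manifest
# that a scanner could pick up.
file(GLOB_RECURSE _azure_cgmanifests "${SOURCE_PATH}/cgmanifest.json")
if(_azure_cgmanifests)
    message(FATAL_ERROR "cgmanifest.json still present: ${_azure_cgmanifests}")
endif()

# Only now hand the cleaned tree to the normal configure/install steps.
vcpkg_cmake_configure(
    SOURCE_PATH "${SOURCE_PATH}/sdk/core/azure-core"
)
vcpkg_cmake_install()
```

The removal has to sit between extraction and `vcpkg_cmake_configure()`, because that is the only window in which the port script owns the full source tree under buildtrees. One caveat a practitioner would want to keep in mind: this cleans the extracted copy only; the original .zip stays in vcpkg's downloads cache, so a scanner configured to unpack archives would still need vcpkg/downloads excluded on the customer's side.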