From 8e671d36e53aac0aade96c8aa3dbac14ab160cfd Mon Sep 17 00:00:00 2001
From: Michael Simons
Date: Tue, 26 Aug 2025 15:09:22 +0000
Subject: [PATCH] Specify custom cgIgnoreDirectories for source-build
---
 azure-pipelines/builds/ci.yml | 6 ------
 azure-pipelines/templates/stages/build.yml | 4 ++++
 eng/common/templates-official/job/source-build.yml | 4 ++++
 eng/common/templates-official/jobs/source-build.yml | 5 +++++
 eng/common/templates-official/steps/source-build.yml | 8 +++++++-
 eng/common/templates/job/source-build.yml | 4 ++++
 eng/common/templates/jobs/source-build.yml | 5 +++++
 eng/common/templates/steps/source-build.yml | 8 +++++++-
 8 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/azure-pipelines/builds/ci.yml b/azure-pipelines/builds/ci.yml
index 896fef904f..0f527e759b 100644
--- a/azure-pipelines/builds/ci.yml
+++ b/azure-pipelines/builds/ci.yml
@@ -25,12 +25,6 @@ extends:
 template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
 parameters:
 sdl:
- componentgovernance:
- # All of the SBRPs must be ignored because it is possible some of them are for vulnerable versions.
- # Because they are reference only packages they are not vulnerable themselves.
- ignoreDirectories: |
- artifacts/source-build/self,
- src/referencePackages
 sourceAnalysisPool:
 name: $(DncEngInternalBuildPool)
 image: 1es-windows-2022
diff --git a/azure-pipelines/templates/stages/build.yml b/azure-pipelines/templates/stages/build.yml
index fe914f089e..ce5019b4b6 100644
--- a/azure-pipelines/templates/stages/build.yml
+++ b/azure-pipelines/templates/stages/build.yml
@@ -16,6 +16,10 @@ stages:
 artifacts: true
 manifests: true
 enableSourceBuild: true
+ sourceBuildParameters:
+ cgIgnoreDirectories:
+ - src/referencePackages
+ - artifacts/source-build/self
 - template: /azure-pipelines/templates/jobs/generatescript-tests.yml
 parameters:
 imageOs: windows
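Review bot: Removing `sdl.componentgovernance.ignoreDirectories` from the 1ES template parameters in ci.yml drops the exclusion for every job that the official template injects Component Detection into, whereas the replacement `cgIgnoreDirectories` only reaches the explicit detection task inside the source-build steps. If the 1ES template still injects its own detection task into the other jobs of this pipeline (for example the generatescript-tests jobs referenced later in this patch), `src/referencePackages` in their checkout will now be scanned, and the comment being deleted here states that some of those reference packages are for vulnerable versions. Please confirm those jobs are exempt, or keep the pipeline-level exclusion alongside the new parameter. The `extends` block this hunk edits continues outside the hunk.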
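Review bot: The justification for suppressing Component Governance on these two directories, which ci.yml carried as a comment (SBRPs may reference vulnerable versions but are reference-only packages), is not carried over to the new `cgIgnoreDirectories` list in stages/build.yml, so the new call site reads as an unexplained scanner exclusion. Because excluding directories from CG deliberately reduces vulnerability detection, keep the reason next to the list, e.g. `# Reference-only packages (SBRPs) may pin vulnerable versions but are not themselves vulnerable; exclude them from Component Governance.` The job template invocation these lines belong to starts outside the hunk.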
diff --git a/eng/common/templates-official/job/source-build.yml b/eng/common/templates-official/job/source-build.yml
index 4217d6d8b1..7b9c58a90c 100644
--- a/eng/common/templates-official/job/source-build.yml
+++ b/eng/common/templates-official/job/source-build.yml
@@ -31,6 +31,9 @@ parameters:
 # container and pool.
 platform: {}
+ # Optional list of directories to ignore for component governance scans.
+ cgIgnoreDirectories: []
+
 # If set to true and running on a non-public project,
 # Internal blob storage locations will be enabled.
 # This is not enabled by default because many repositories do not need internal sources
@@ -73,3 +76,4 @@ jobs:
 - template: /eng/common/templates-official/steps/source-build.yml
 parameters:
 platform: ${{ parameters.platform }}
+ cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
diff --git a/eng/common/templates-official/jobs/source-build.yml b/eng/common/templates-official/jobs/source-build.yml
index b9247be154..21a346fbd6 100644
--- a/eng/common/templates-official/jobs/source-build.yml
+++ b/eng/common/templates-official/jobs/source-build.yml
@@ -21,6 +21,9 @@ parameters:
 # one job runs on 'defaultManagedPlatform'.
 platforms: []
+ # Optional list of directories to ignore for component governance scans.
+ cgIgnoreDirectories: []
+
 # If set to true and running on a non-public project,
 # Internal nuget and blob storage locations will be enabled.
 # This is not enabled by default because many repositories do not need internal sources
@@ -44,6 +47,7 @@ jobs:
 parameters:
 jobNamePrefix: ${{ parameters.jobNamePrefix }}
 platform: ${{ platform }}
+ cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
 enableInternalSources: ${{ parameters.enableInternalSources }}
 - ${{ if eq(length(parameters.platforms), 0) }}:
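Review bot: The new `cgIgnoreDirectories` comment in the job template does not say that a non-empty list replaces, rather than extends, the steps template's default exclusion of the source-built upstream cache, so a caller that passes only its own directories silently re-enables scanning of `artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache`. Suggest `# Optional list of directories to exclude from Component Governance scans. When non-empty this list replaces the steps template's default exclusion of the source-built upstream cache, so include that path (or a parent of it) if it should stay excluded.` The same one-line comment is duplicated into the jobs and steps templates and into the eng/common/templates mirrors in this patch; whichever wording is chosen should be applied to all of them.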
@@ -51,4 +55,5 @@ jobs:
 parameters:
 jobNamePrefix: ${{ parameters.jobNamePrefix }}
 platform: ${{ parameters.defaultManagedPlatform }}
+ cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
 enableInternalSources: ${{ parameters.enableInternalSources }}
diff --git a/eng/common/templates-official/steps/source-build.yml b/eng/common/templates-official/steps/source-build.yml
index 829f17c34d..143f5c40d0 100644
--- a/eng/common/templates-official/steps/source-build.yml
+++ b/eng/common/templates-official/steps/source-build.yml
@@ -12,6 +12,9 @@ parameters:
 # the usage of the properties on this object is split between the 'job' and 'steps' templates.
 platform: {}
+ # Optional list of directories to ignore for component governance scans.
+ cgIgnoreDirectories: []
+
 steps:
 # Build. Keep it self-contained for simple reusability. (No source-build-specific job variables.)
 - script: |
@@ -126,4 +129,7 @@ steps:
 - task: ComponentGovernanceComponentDetection@0
 displayName: Component Detection (Exclude upstream cache)
 inputs:
- ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache'
+ ${{ if eq(length(parameters.cgIgnoreDirectories), 0) }}:
+ ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache'
+ ${{ if gt(length(parameters.cgIgnoreDirectories), 0) }}:
+ ignoreDirectories: ${{ join(',', parameters.cgIgnoreDirectories) }}
diff --git a/eng/common/templates/job/source-build.yml b/eng/common/templates/job/source-build.yml
index c48f95d93d..97021335cf 100644
--- a/eng/common/templates/job/source-build.yml
+++ b/eng/common/templates/job/source-build.yml
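Review bot: In the `gt(length(...), 0)` branch of the Component Detection step the caller's list fully replaces the default upstream-cache exclusion, so the step's displayName "Component Detection (Exclude upstream cache)" stops being true for any caller that does not list that path or a parent of it; the only caller visible in this patch passes `artifacts/source-build/self`, which happens to cover it, but the template should not depend on that. Suggest appending the caller's entries to the default instead, `ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache,${{ join(',', parameters.cgIgnoreDirectories) }}'`, which also keeps the value quoted like the default branch. Note that the default is an absolute path while the caller passes repository-relative ones; if the task resolves relative entries against `$(Build.SourcesDirectory)` both forms work, but that assumption deserves a comment on the input. The `steps` list this task belongs to starts outside the hunk.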
@@ -31,6 +31,9 @@ parameters:
 # container and pool.
 platform: {}
+ # Optional list of directories to ignore for component governance scans.
+ cgIgnoreDirectories: []
+
 # If set to true and running on a non-public project,
 # Internal blob storage locations will be enabled.
 # This is not enabled by default because many repositories do not need internal sources
@@ -72,3 +75,4 @@ jobs:
 - template: /eng/common/templates/steps/source-build.yml
 parameters:
 platform: ${{ parameters.platform }}
+ cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
diff --git a/eng/common/templates/jobs/source-build.yml b/eng/common/templates/jobs/source-build.yml
index 3ec9971081..4dde599add 100644
--- a/eng/common/templates/jobs/source-build.yml
+++ b/eng/common/templates/jobs/source-build.yml
@@ -21,6 +21,9 @@ parameters:
 # one job runs on 'defaultManagedPlatform'.
 platforms: []
+ # Optional list of directories to ignore for component governance scans.
+ cgIgnoreDirectories: []
+
 # If set to true and running on a non-public project,
 # Internal nuget and blob storage locations will be enabled.
 # This is not enabled by default because many repositories do not need internal sources
@@ -44,6 +47,7 @@ jobs:
 parameters:
 jobNamePrefix: ${{ parameters.jobNamePrefix }}
 platform: ${{ platform }}
+ cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
 enableInternalSources: ${{ parameters.enableInternalSources }}
 - ${{ if eq(length(parameters.platforms), 0) }}:
@@ -51,4 +55,5 @@ jobs:
 parameters:
 jobNamePrefix: ${{ parameters.jobNamePrefix }}
 platform: ${{ parameters.defaultManagedPlatform }}
+ cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
 enableInternalSources: ${{ parameters.enableInternalSources }}
diff --git a/eng/common/templates/steps/source-build.yml b/eng/common/templates/steps/source-build.yml
index 41bbb91573..700b5f97de 100644
--- a/eng/common/templates/steps/source-build.yml
+++ b/eng/common/templates/steps/source-build.yml
@@ -12,6 +12,9 @@ parameters:
 # the usage of the properties on this object is split between the 'job' and 'steps' templates.
 platform: {}
+ # Optional list of directories to ignore for component governance scans.
+ cgIgnoreDirectories: []
+
 steps:
 # Build. Keep it self-contained for simple reusability. (No source-build-specific job variables.)
 - script: |
@@ -126,4 +129,7 @@ steps:
 - task: ComponentGovernanceComponentDetection@0
 displayName: Component Detection (Exclude upstream cache)
 inputs:
- ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache'
+ ${{ if eq(length(parameters.cgIgnoreDirectories), 0) }}:
+ ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache'
+ ${{ if gt(length(parameters.cgIgnoreDirectories), 0) }}:
+ ignoreDirectories: ${{ join(',', parameters.cgIgnoreDirectories) }}
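Review bot: This copy of the Component Detection step in eng/common/templates/steps/source-build.yml has the same gap as the templates-official copy: once `cgIgnoreDirectories` is non-empty the default exclusion of `artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache` is dropped, which contradicts the unchanged displayName and silently widens the scan for any caller that does not list that path or a parent of it. Prefer one line that always keeps the default and appends the caller's entries, `ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache,${{ join(',', parameters.cgIgnoreDirectories) }}'`, and apply the identical change to the templates-official copy so the two templates do not drift. The `steps` list this task belongs to starts outside the hunk.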