Specify custom ignore directories for source-build

azure-pipelines/builds/ci.yml

@@ -25,12 +25,6 @@ extends:
   template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
   parameters:
     sdl:
-      componentgovernance:
-        # All of the SBRPs must be ignored because it is possible some of them are for vulnerable versions.
-        # Because they are reference only packages they are not vulnerable themselves.
-        ignoreDirectories: |
-          artifacts/source-build/self,
-          src/referencePackages
       sourceAnalysisPool:
         name: $(DncEngInternalBuildPool)
         image: 1es-windows-2022

azure-pipelines/templates/stages/build.yml

@@ -16,6 +16,10 @@ stages:
           artifacts: true
           manifests: true
       enableSourceBuild: true
+      sourceBuildParameters:
+        cgIgnoreDirectories:
+        - src/referencePackages
+        - artifacts/source-build/self
   - template: /azure-pipelines/templates/jobs/generatescript-tests.yml
     parameters:
       imageOs: windows

eng/common/templates-official/job/source-build.yml

@@ -31,6 +31,9 @@ parameters:
   #   container and pool.
   platform: {}
 
+  # Optional list of directories to ignore for component governance scans.
+  cgIgnoreDirectories: []
+
   # If set to true and running on a non-public project,
   # Internal blob storage locations will be enabled.
   # This is not enabled by default because many repositories do not need internal sources
@@ -73,3 +76,4 @@ jobs:
   - template: /eng/common/templates-official/steps/source-build.yml
     parameters:
       platform: ${{ parameters.platform }}
+      cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}

eng/common/templates-official/jobs/source-build.yml

@@ -21,6 +21,9 @@ parameters:
   # one job runs on 'defaultManagedPlatform'.
   platforms: []
 
+  # Optional list of directories to ignore for component governance scans.
+  cgIgnoreDirectories: []
+
   # If set to true and running on a non-public project,
   # Internal nuget and blob storage locations will be enabled.
   # This is not enabled by default because many repositories do not need internal sources
@@ -44,11 +47,13 @@ jobs:
     parameters:
       jobNamePrefix: ${{ parameters.jobNamePrefix }}
       platform: ${{ platform }}
+      cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
       enableInternalSources: ${{ parameters.enableInternalSources }}
 
 - ${{ if eq(length(parameters.platforms), 0) }}:
   - template: /eng/common/templates-official/job/source-build.yml
     parameters:
       jobNamePrefix: ${{ parameters.jobNamePrefix }}
       platform: ${{ parameters.defaultManagedPlatform }}
+      cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
       enableInternalSources: ${{ parameters.enableInternalSources }}

eng/common/templates-official/steps/source-build.yml

@@ -12,6 +12,9 @@ parameters:
   # the usage of the properties on this object is split between the 'job' and 'steps' templates.
   platform: {}
 
+  # Optional list of directories to ignore for component governance scans.
+  cgIgnoreDirectories: []
+
 steps:
 # Build. Keep it self-contained for simple reusability. (No source-build-specific job variables.)
 - script: |
@@ -126,4 +129,7 @@ steps:
 - task: ComponentGovernanceComponentDetection@0
   displayName: Component Detection (Exclude upstream cache)
   inputs:
-    ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache'
+    ${{ if eq(length(parameters.cgIgnoreDirectories), 0) }}:
+      ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache'
+    ${{ if gt(length(parameters.cgIgnoreDirectories), 0) }}:
+      ignoreDirectories: ${{ join(',', parameters.cgIgnoreDirectories) }}

eng/common/templates/job/source-build.yml

@@ -31,6 +31,9 @@ parameters:
   #   container and pool.
   platform: {}
 
+  # Optional list of directories to ignore for component governance scans.
+  cgIgnoreDirectories: []
+
   # If set to true and running on a non-public project,
   # Internal blob storage locations will be enabled.
   # This is not enabled by default because many repositories do not need internal sources
@@ -72,3 +75,4 @@ jobs:
   - template: /eng/common/templates/steps/source-build.yml
     parameters:
       platform: ${{ parameters.platform }}
+      cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}

eng/common/templates/jobs/source-build.yml

@@ -21,6 +21,9 @@ parameters:
   # one job runs on 'defaultManagedPlatform'.
   platforms: []
 
+  # Optional list of directories to ignore for component governance scans.
+  cgIgnoreDirectories: []
+
   # If set to true and running on a non-public project,
   # Internal nuget and blob storage locations will be enabled.
   # This is not enabled by default because many repositories do not need internal sources
@@ -44,11 +47,13 @@ jobs:
     parameters:
       jobNamePrefix: ${{ parameters.jobNamePrefix }}
       platform: ${{ platform }}
+      cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
       enableInternalSources: ${{ parameters.enableInternalSources }}
 
 - ${{ if eq(length(parameters.platforms), 0) }}:
   - template: /eng/common/templates/job/source-build.yml
     parameters:
       jobNamePrefix: ${{ parameters.jobNamePrefix }}
       platform: ${{ parameters.defaultManagedPlatform }}
+      cgIgnoreDirectories: ${{ parameters.cgIgnoreDirectories }}
       enableInternalSources: ${{ parameters.enableInternalSources }}

eng/common/templates/steps/source-build.yml

@@ -12,6 +12,9 @@ parameters:
   # the usage of the properties on this object is split between the 'job' and 'steps' templates.
   platform: {}
 
+  # Optional list of directories to ignore for component governance scans.
+  cgIgnoreDirectories: []
+
 steps:
 # Build. Keep it self-contained for simple reusability. (No source-build-specific job variables.)
 - script: |
@@ -126,4 +129,7 @@ steps:
 - task: ComponentGovernanceComponentDetection@0
   displayName: Component Detection (Exclude upstream cache)
   inputs:
-    ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache'
+    ${{ if eq(length(parameters.cgIgnoreDirectories), 0) }}:
+      ignoreDirectories: '$(Build.SourcesDirectory)/artifacts/source-build/self/src/artifacts/obj/source-built-upstream-cache'
+    ${{ if gt(length(parameters.cgIgnoreDirectories), 0) }}:
+      ignoreDirectories: ${{ join(',', parameters.cgIgnoreDirectories) }}