arcade-services icon indicating copy to clipboard operation
arcade-services copied to clipboard

Published 20 hours ago verified publisher icon dotnet

Address detected binaries in the VMR

Open premun opened this issue 2 years ago • 6 comments

Context

The binary scan now shows this:

src/aspnetcore/src/SignalR/clients/java/signalr/gradle/wrapper/gradle-wrapper.jar
src/roslyn/src/ExpressionEvaluator/Core/Source/ExpressionCompiler/Resources/WindowsProxy.winmd
src/runtime/src/libraries/System.Speech/src/upstable_chs.upsmap
src/runtime/src/libraries/System.Speech/src/upstable_cht.upsmap
src/runtime/src/libraries/System.Speech/src/upstable_deu.upsmap
src/runtime/src/libraries/System.Speech/src/upstable_enu.upsmap
src/runtime/src/libraries/System.Speech/src/upstable_esp.upsmap
src/runtime/src/libraries/System.Speech/src/upstable_fra.upsmap
src/runtime/src/libraries/System.Speech/src/upstable_jpn.upsmap
src/runtime/src/libraries/System.Text.Encoding.CodePages/src/Data/codepages.nlp
src/runtime/src/mono/wasm/runtime/do-jit-call.wasm

For each of those, we need to either:

  • Suppress it in the scan by adding it in the baseline
  • Cloak it in source-mappings.json and remove from the VMR

Detected binaries

gradle-wrapper.jar in SignalR

  • [x] dotnet/arcade#12448

WindowsProxy.winmd in roslyn

  • [x] https://github.com/dotnet/roslyn/issues/66718

.upsmap files in System.Speech

  • [ ] https://github.com/dotnet/runtime/issues/81692

codepages.nlp

  • [ ] https://github.com/dotnet/runtime/issues/81693

do-jit-call.wasm

  • [x] https://github.com/dotnet/runtime/issues/81691

premun avatar Jan 31 '23 15:01 premun

What needs to happen to unblock this?

tkapin avatar Jun 09 '23 12:06 tkapin

This is tracking

premun avatar Jun 09 '23 13:06 premun

We need better way to distinguish those, I don't think blocked and tracking should be mixed.

tkapin avatar Jun 09 '23 16:06 tkapin

The teams still need to do this, we will probably have to push them as it's low priority work for them.

tkapin avatar Jun 27 '23 08:06 tkapin

We should re-evaluate this issue now that we have an updated binary tool. For context, the tool follows these binary guidelines.

In short - we now allow certain binaries into the VMR, but they can be conditioned for SB and non-SB scenarios. https://github.com/dotnet/roslyn/issues/66718 is an example of a binary that is allowed in the VMR but should be removed for source-build.

ellahathaway avatar Aug 22 '24 17:08 ellahathaway

I took a quick look:

gradle-wrapper.jar and WindowsProxy.winmd are in the allowed-vmr-binaries.txt now so will be removed from source-build tarballs. do-jit-call.wasm was removed from the runtime repo

upstable_*.upsmap and codepages.nlp are still there and the runtime issues are still open (though it looks like they haven't been an issue for source-build partners so far?)

akoeplinger avatar Aug 22 '24 18:08 akoeplinger