secure supply chain analysis fixes (#549)

prathikr · Prathik Rao · web-flow · commit 28011a13b389 · 2026-03-25T11:19:54.000-07:00
Fixes the following errors I encountered when migrating our packaging/publishing pipelines to onnxruntime-release-pipelines ``` Starting: Secure Supply Chain Analysis (auto-injected by policy) ============================================================================== Task : Secure Supply Chain Analysis Description : A task to scan for vulnerabilities in your software supply chain. Formerly "NuGet Security Analysis". Version : 0.2.216 Author : Microsoft Corporation Help : See https://aka.ms/sscatask for more information. ============================================================================== Telemetry ID: 29518951-f4fb-4d5c-a56e-110cbb97c51b For more information please visit: https://aka.ms/sscatask Scanning repository contents at source path: E:\_work\1\s > Starting Multifeed Nuget Security Analysis: ##[warning]samples/cs/GettingStarted/nuget.config - Multiple feeds declared. (https://aka.ms/cfs/nuget) ##[warning]sdk/cs/NuGet.config - Multiple feeds declared. (https://aka.ms/cfs/nuget) > Starting Multifeed Corext Analysis: > Starting Multifeed Python Security Analysis: > Starting CFS NuGet Analysis: ##[warning]samples/cs/GettingStarted/nuget.config - CFS0013: Package source has value that is not an Azure Artifacts feed. (https://aka.ms/cfs/nuget) ##[warning]sdk/cs/NuGet.config - CFS0013: Package source has value that is not an Azure Artifacts feed. (https://aka.ms/cfs/nuget) ##[warning]sdk_legacy/cs/samples/TestApp/TestApp.csproj - CFS0011: Missing in scope NuGet.config file(s). (https://aka.ms/cfs/nuget) ##[warning]sdk_legacy/cs/src/Microsoft.AI.Foundry.Local.csproj - CFS0011: Missing in scope NuGet.config file(s). (https://aka.ms/cfs/nuget) ##[warning]sdk_legacy/cs/test/FoundryLocal.Tests/FoundryLocal.Tests.csproj - CFS0011: Missing in scope NuGet.config file(s). (https://aka.ms/cfs/nuget) > Starting CFS NPM Analysis: ##[warning]www/.npmrc - CFS0002: Missing default registry. (https://aka.ms/cfs/npm) ##[warning]samples/js/chat-and-audio-foundry-local/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm) ##[warning]samples/js/copilot-sdk-foundry-local/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm) ##[warning]samples/js/electron-chat-application/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm) ##[warning]samples/js/tool-calling-foundry-local/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm) ##[warning]sdk/js/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm) ##[warning]sdk_legacy/js/package.json - CFS0001: Missing sibling .npmrc file. (https://aka.ms/cfs/npm) > Starting CFS Maven Analysis: > Starting CFS Cargo Analysis: ##[warning]samples/rust/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo) ##[warning]samples/rust/audio-transcription-example/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo) ##[warning]samples/rust/foundry-local-webserver/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo) ##[warning]samples/rust/native-chat-completions/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo) ##[warning]samples/rust/tool-calling-foundry-local/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo) ##[warning]sdk/rust/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo) ##[warning]sdk_legacy/rust/Cargo.toml - CFS0041: Missing associated .cargo/config.toml file. (https://aka.ms/cfs/cargo) > Starting CFS CoreXT Analysis: > Starting CFS CDPx Analysis: > Starting DockerFile Analysis: > Starting Kubernetes Deployment File Analysis: > Starting Helm Charts Analysis: > Starting Pipeline Configuration Security Analysis: Azure Artifacts Configuration Analysis found 19 package configuration files in the repository which do not comply with Microsoft package feed security policies. The specific problems and links to their mitigations are listed above. If you need further assistance, please visit https://aka.ms/cfs/detectors . ##[error]NuGet Security Analysis found 2 NuGet package configuration files in the repository which do not comply with Microsoft package feed security policies. The specific problems are listed above. Please visit https://aka.ms/cfs/nuget for more details. ``` --------- Co-authored-by: Prathik Rao <prathikrao@microsoft.com>
diff --git a/.github/workflows/build-cs-steps.yml b/.github/workflows/build-cs-steps.yml
@@ -43,6 +43,9 @@ jobs:
 
       # TODO: once the nightly packaging is fixed, add back the commented out lines with /p:FoundryLocalCoreVersion="*-*"
       # /p:FoundryLocalCoreVersion="*-*" to always use nightly version of Foundry Local Core
+      - name: Authenticate to Azure Artifacts NuGet feed
+        run: dotnet nuget update source ORT-Nightly --username az --password ${{ secrets.AZURE_DEVOPS_PAT }} --store-password-in-clear-text --configfile sdk/cs/NuGet.config
+
       - name: Restore dependencies
         run: |
           # dotnet restore sdk/cs/src/Microsoft.AI.Foundry.Local.csproj /p:UseWinML=${{ inputs.useWinML }} /p:FoundryLocalCoreVersion="*-*" --configfile sdk/cs/NuGet.config
diff --git a/.github/workflows/build-js-steps.yml b/.github/workflows/build-js-steps.yml
@@ -84,6 +84,13 @@ jobs:
           Write-Host "`nDirectory contents:"
           Get-ChildItem -Recurse -Depth 2 | ForEach-Object { Write-Host "  $($_.FullName)" }
 
+      # The .npmrc points to an Azure Artifacts feed for CFS compliance.
+      # Remove it in CI so npm uses the public registry directly.
+      - name: Remove .npmrc (use public registry)
+        shell: pwsh
+        working-directory: sdk/js
+        run: |
+          if (Test-Path .npmrc) { Remove-Item .npmrc -Force; Write-Host "Removed .npmrc" }
 
       - name: npm install (WinML)
         if: ${{ inputs.useWinML == true }}
@@ -95,11 +102,6 @@ jobs:
         working-directory: sdk/js
         run: npm install
 
-      # Verify that installing new packages doesn't strip custom native binary folders
-      - name: npm install openai (verify persistence)
-        working-directory: sdk/js
-        run: npm install openai
-
       - name: Set package version
         working-directory: sdk/js
         run: npm version ${{ env.ProjectVersion }} --no-git-tag-version --allow-same-version
diff --git a/.github/workflows/build-rust-steps.yml b/.github/workflows/build-rust-steps.yml
@@ -46,6 +46,18 @@ jobs:
         with:
           workspaces: sdk/rust -> target
 
+      # The .cargo/config.toml redirects crates-io to an Azure Artifacts feed
+      # for CFS compliance. Remove the redirect in CI so cargo can fetch from
+      # crates.io directly without Azure DevOps auth.
+      - name: Use crates.io directly
+        shell: pwsh
+        working-directory: sdk/rust
+        run: |
+          if (Test-Path .cargo/config.toml) {
+            Remove-Item .cargo/config.toml
+            Write-Host "Removed .cargo/config.toml crates-io redirect"
+          }
+
       - name: Checkout test-data-shared from Azure DevOps
         if: ${{ inputs.run-integration-tests }}
         shell: pwsh
diff --git a/samples/cs/GettingStarted/nuget.config b/samples/cs/GettingStarted/nuget.config
@@ -2,15 +2,6 @@
 <configuration>
   <packageSources>
     <clear />
-    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
-    <add key="ORT" value="https://aiinfra.pkgs.visualstudio.com/PublicPackages/_packaging/ORT/nuget/v3/index.json" />
+    <add key="ORT-Nightly" value="https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/nuget/v3/index.json" />
   </packageSources>
-  <packageSourceMapping>
-    <packageSource key="nuget.org">
-      <package pattern="*" />
-    </packageSource>
-    <packageSource key="ORT">
-      <package pattern="*Foundry*" />
-    </packageSource>
-  </packageSourceMapping>
 </configuration>
diff --git a/samples/js/chat-and-audio-foundry-local/.npmrc b/samples/js/chat-and-audio-foundry-local/.npmrc
@@ -0,0 +1,2 @@
+registry=https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/npm/registry/
+always-auth=true
diff --git a/samples/js/copilot-sdk-foundry-local/.npmrc b/samples/js/copilot-sdk-foundry-local/.npmrc
@@ -0,0 +1,2 @@
+registry=https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/npm/registry/
+always-auth=true
diff --git a/samples/js/electron-chat-application/.npmrc b/samples/js/electron-chat-application/.npmrc
@@ -0,0 +1,2 @@
+registry=https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/npm/registry/
+always-auth=true
diff --git a/samples/js/tool-calling-foundry-local/.npmrc b/samples/js/tool-calling-foundry-local/.npmrc
@@ -0,0 +1,2 @@
+registry=https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/npm/registry/
+always-auth=true
diff --git a/samples/rust/.cargo/config.toml b/samples/rust/.cargo/config.toml
@@ -0,0 +1,7 @@
+[registries]
+
+[source.crates-io]
+replace-with = "ORT-Nightly"
+
+[source.ORT-Nightly]
+registry = "sparse+https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/Cargo/index/"
diff --git a/sdk/cs/NuGet.config b/sdk/cs/NuGet.config
@@ -2,7 +2,6 @@
 <configuration>
   <packageSources>
     <clear />
-    <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
     <add key="ORT-Nightly" value="https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/nuget/v3/index.json" />
   </packageSources>
 </configuration>
diff --git a/sdk/cs/test/FoundryLocal.Tests/Microsoft.AI.Foundry.Local.Tests.csproj b/sdk/cs/test/FoundryLocal.Tests/Microsoft.AI.Foundry.Local.Tests.csproj
@@ -1,7 +1,7 @@
 ﻿<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <TargetFramework>net9.0</TargetFramework>
+    <TargetFramework>net10.0</TargetFramework>
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <IsPackable>false</IsPackable>
@@ -19,7 +19,7 @@
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(UseWinML)'=='true'">
-    <TargetFramework>net9.0-windows10.0.26100.0</TargetFramework>
+    <TargetFramework>net10.0-windows10.0.26100.0</TargetFramework>
     <TargetPlatformMinVersion>10.0.17763.0</TargetPlatformMinVersion>
     <WindowsPackageType>None</WindowsPackageType>
     <WindowsAppSDKSelfContained>true</WindowsAppSDKSelfContained>
diff --git a/sdk/js/.npmrc b/sdk/js/.npmrc
@@ -0,0 +1,2 @@
+registry=https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/npm/registry/
+always-auth=true
diff --git a/sdk/js/package.json b/sdk/js/package.json
@@ -1,6 +1,6 @@
 {
-  "name": "@prathikrao/foundry-local-sdk",
-  "version": "0.0.3",
+  "name": "foundry-local-sdk",
+  "version": "0.9.0",
   "description": "Foundry Local JavaScript SDK",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
diff --git a/sdk/js/script/install.cjs b/sdk/js/script/install.cjs
@@ -40,6 +40,7 @@ const REQUIRED_FILES = [
 // Instead, it sets an environment variable named npm_config_winml to 'true'.
 const useWinML = process.env.npm_config_winml === 'true';
 const useNightly = process.env.npm_config_nightly === 'true';
+const noDeps = process.env.npm_config_nodeps === 'true';
 
 console.log(`[foundry-local] WinML enabled: ${useWinML}`);
 console.log(`[foundry-local] Nightly enabled: ${useNightly}`);
@@ -120,7 +121,10 @@ const LINUX_ARTIFACTS = [
 ];
 
 let ARTIFACTS = [];
-if (useWinML) {
+if (noDeps) {
+    console.log(`[foundry-local] Skipping dependencies install...`);
+    ARTIFACTS = [];
+} else if (useWinML) {
     console.log(`[foundry-local] Using WinML artifacts...`);
     ARTIFACTS = WINML_ARTIFACTS;
 } else if (os.platform() === 'linux') {
diff --git a/sdk/rust/.cargo/config.toml b/sdk/rust/.cargo/config.toml
@@ -0,0 +1,7 @@
+[registries]
+
+[source.crates-io]
+replace-with = "ORT-Nightly"
+
+[source.ORT-Nightly]
+registry = "sparse+https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/Cargo/index/"
diff --git a/sdk_legacy/cs/NuGet.config b/sdk_legacy/cs/NuGet.config
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <packageSources>
+    <clear />
+    <add key="ORT-Nightly" value="https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/nuget/v3/index.json" />
+  </packageSources>
+</configuration>
diff --git a/sdk_legacy/js/.npmrc b/sdk_legacy/js/.npmrc
@@ -0,0 +1,2 @@
+registry=https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/npm/registry/
+always-auth=true
diff --git a/sdk_legacy/rust/.cargo/config.toml b/sdk_legacy/rust/.cargo/config.toml
@@ -0,0 +1,7 @@
+[registries]
+
+[source.crates-io]
+replace-with = "ORT-Nightly"
+
+[source.ORT-Nightly]
+registry = "sparse+https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/Cargo/index/"
diff --git a/www/.npmrc b/www/.npmrc
@@ -1 +1,3 @@
+registry=https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/npm/registry/
+always-auth=true
 engine-strict=true

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+registry=https://pkgs.dev.azure.com/aiinfra/PublicPackages/_packaging/ORT-Nightly/npm/registry/`
	`2`	`+always-auth=true`