Unbreak build pipeline after most recent drop of Analyzers by DaveTryon · Pull Request #813 · microsoft/sbom-tool

VS just released a new drop with updated analyzers, and our build pipeline is breaking as a result of the new warnings. This PR is to unblock the pipeline, then I'll follow up with more targeted changes to remove as many of the changes as I can arrange. We are suppressing the following specific warnings:

| Code | Info page |
| --- | --- |
| CA1515 | Consider making public types internal |
| CA1872 | Prefer 'Convert.ToHexString' and 'Convert.ToHexStringLower' over call chains based on 'BitConverter.ToString' |
| CA2263 | Prefer generic overload when type is known |

There are known issues with the net472 build of the Microsoft.Sbom.Targets.Tests and Microsoft.Sbom.Targets.E2E.Tests projects, caused by an incompatibility between net472 and current versions of Microsoft.IO.Redist. Because of this, we are suppressing 2 additional warnings in just these 2 projects:

| Code | Info page |
| --- | --- |
| NU1701 | Package 'packageId' was restored using 'TargetFrameworkA' instead of the project target framework 'TargetFrameworkB'. This package may not be fully compatible with your project |
| NU1903 | Package ... has a known ... severity vulnerability |

In the Microsoft.Sbom.Api project, we explicitly add System.Net.Http to force an update of the transitive dependency via the component detection code. We actually ship this assembly, so having the most updated bits felt like the correct approach.
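For reference, the code shapes that CA1872, CA2263 and CA1515 flag, and the forms the analyzers prefer, as an added illustration that is not part of this PR or the sbom-tool code base. The `HexDemo` class, the `ManifestFormat` enum and the .NET 9 target (needed for `Convert.ToHexStringLower`) are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical type, not sbom-tool code. Declared internal rather than
// public because CA1515 flags public types in an executable project.
internal enum ManifestFormat { SpdxJson, CycloneDxJson }

internal static class HexDemo
{
    // Flagged by CA1872: BitConverter.ToString yields "AB-CD-..." and then
    // needs a Replace and a case change to reach a plain lowercase hex digest.
    internal static string HexViaBitConverter(byte[] bytes) =>
        BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();

    // Preferred form: a single call with no intermediate dashed string
    // (Convert.ToHexStringLower is available from .NET 9; on .NET 5-8 use
    // Convert.ToHexString(bytes).ToLowerInvariant()).
    internal static string HexViaConvert(byte[] bytes) =>
        Convert.ToHexStringLower(bytes);

    // Flagged by CA2263: the type is known at compile time, so the
    // non-generic Enum.GetValues(Type) overload is unnecessary.
    internal static Array FormatsNonGeneric() =>
        Enum.GetValues(typeof(ManifestFormat));

    // Preferred form: the generic overload returns a typed array directly.
    internal static ManifestFormat[] FormatsGeneric() =>
        Enum.GetValues<ManifestFormat>();

    private static void Main()
    {
        // Constructed sample input: hash a fixed string so the two hex
        // encodings can be compared side by side.
        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes("sbom-tool"));

        string legacy = HexViaBitConverter(digest);
        string modern = HexViaConvert(digest);
        Console.WriteLine($"BitConverter chain: {legacy}");
        Console.WriteLine($"Convert.ToHexStringLower: {modern}");
        Console.WriteLine($"Identical output: {legacy == modern}");

        Console.WriteLine($"Enum values (generic): {FormatsGeneric().Length}");
        Console.WriteLine($"Enum values (non-generic): {FormatsNonGeneric().Length}");
    }
}
```

Both hex helpers produce the same 64-character digest, so the CA1872 rewrite is a pure refactor with no change to the hashes recorded in a manifest.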