[VMR] Component Governance errors tracking

[premun]

NuGet problems

⚠️ NuGet Feed Configuration

• fsharp/tests/FSharp.Build.UnitTests/NuGet.Config
• sdk/src/Assets/NonRestoredTestProjects/AppThrowingException/AppDependingOnOtherAsTool/NuGet.Config
• sdk/src/Assets/TestProjects/TrimmedAppWithReferences/App/nuget.config
• sdk/src/Assets/TestProjects/PackageValidationTestProject/NuGet.Config

⚠️ NuGet security analysis - Potential upstreams in a feed

Seems like there might be a feed it cannot access so it cannot decide whether it has upstreams (and potentially leads to nuget.org)

• nuget-client/Nuget.Config

Plus there are more but once we sync the removal of FileSystem and Common submodules, they will go away.

⚠️ CFS0013 - Package source has value that is not an Azure Artifacts feed

Usually, these usually have nuget.org inside. I am not sure how this ties to #3170

• format/tests/projects/for_analyzer_formatter/analyzer_project/NuGet.config
• nuget-client/test/EndToEnd/NuGet.Config
• sdk/template_feed/Microsoft.DotNet.Common.ItemTemplates/content/Nuget/nuget.config
  I think this one needs an exemption as it's a template for new projects
• source-build-externals/src/application-insights/BASE/NuGet.config
• source-build-externals/src/application-insights/NETCORE/NuGet.config
• source-build-externals/src/application-insights/NuGet.config
• source-build-externals/src/newtonsoft-json/Src/NuGet.Config

⚠️ CFS0011 - C# project(s) are missing feed configuration

These all seem to be our files from the VMR bootstrap that don't resolve to no root NuGet.config file.

• eng/bootstrap/buildBootstrapPreviouslySB.csproj
  Missing root NuGet.config for some SB-infra projects #3230
• test/Microsoft.DotNet.SourceBuild.SmokeTests/Microsoft.DotNet.SourceBuild.SmokeTests.csproj
  Missing root NuGet.config for some SB-infra projects #3230
• tools-local/tasks/Microsoft.DotNet.SourceBuild.Tasks.XPlat/Microsoft.DotNet.SourceBuild.Tasks.XPlat.csproj
  Missing root NuGet.config for some SB-infra projects #3230
• tools-local/tasks/SourceBuild.MSBuildSdkResolver/SourceBuild.MSBuildSdkResolver.csproj
  Missing root NuGet.config for some SB-infra projects #3230

NPM problems

⚠️ CFS0001 - Node.js project(s) are missing feed configuration

Missing .npmrc files

• aspnetcore/src/submodules/MessagePack-CSharp/src/MessagePack.UnityClient/Assets/RuntimeUnitTestToolkit/package.json
  Issue to be created, I reached out to dougbu
• aspnetcore/src/submodules/MessagePack-CSharp/src/MessagePack.UnityClient/Assets/Scripts/MessagePack/package.json
  Issue to be created, I reached out to dougbu
• aspnetcore/src/submodules/spa-templates/src/content/Angular-CSharp/ClientApp/package.json
  Issue to be created, I reached out to dougbu
• aspnetcore/src/submodules/spa-templates/src/content/React-CSharp/ClientApp/package.json
  Issue to be created, I reached out to dougbu

I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.

[premun]

Just for book-keeping, the variables used to suppress the scans are following:

• cfsNPMWarnLevel: none
• cfsNugetWarnLevel: none
• myGetWarnLevel: none
• NuGetSecurityAnalysisWarningLevel: none

Present in following pipelines:

• https://dev.azure.com/dnceng/internal/_build/results?buildId=2065606&view=results
• https://dev.azure.com/dnceng/internal/_build?definitionId=1214

[premun]

So, we've got the Source Build NuGet.config without a root config fixed.
We also fixed the source-build-externals ones by cloaking them from the VMR.

I have also dismissed all of the multi-feed AzDO alerts based on https://dev.azure.com/dnceng/internal/_wiki/wikis/DNCEng%20Services%20Wiki/843/SingleFeedFAQ