
Component Governance flags >300 out-of-date OpenSSL and cURL CVEs due to ore-1.16.0 in the vcpkg install #6788

@sushshring

Describe the bug
Component Governance looks through all the buildtrees during a vcpkg install and flags >300 instances of out-of-date usage of OpenSSL and cURL versions. These generate far too many critical-level alerts and break the build when consuming Azure Core.

Exception or Stack Trace
For example:
Description: statem/statem.c in OpenSSL 1.1.0a does not consider memory-block movement after a realloc call, which allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via a crafted TLS session.
Recommendation: A specific remediation has not been provided for this vulnerability. For managing alerts without remediation guidance, see the Component Governance documentation. For more details on the advisory that raised this alert, see the advisory link in the Resources section below.
Usage
Pipeline:
Location
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean////cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean//attestation/azure-security-attestation/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean//storage/azure-storage-blobs/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean//storage/azure-storage-common/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean//storage/azure-storage-files-datalake/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean//storage/azure-storage-files-shares/cgmanifest.json
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/storage/azure-storage-queues/cgmanifest.json

To Reproduce
Run CG checks on a repository that consumes Azure SDK for cpp

Code Snippet
/s/external/vcpkg/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean/_/storage/azure-storage-queues/cgmanifest.json

Expected behavior
No alerts and no usage of OSS versions that contain critical CVEs.

Setup (please complete the following information):

  • OS: Windows
  • IDE: Azure Pipelines
  • Version of the Library used: 1.16.0

Additional context
After discussions with @antkmsft, he suggested that the SDK could update the vcpkg install steps to remove the cgmanifest files that cause the CG alerts, since they are irrelevant to consumers.

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • [x] Bug Description Added
  • [x] Repro Steps Added
  • [x] Setup information Added
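The workaround proposed in the Additional context above (strip the cgmanifest.json files vcpkg leaves under the azure-core-cpp buildtree so Component Governance stops scanning them) can be run as a pipeline step right after `vcpkg install`. The script below is an added example and is not code from the issue or from the Azure SDK for C++ project. It assumes a POSIX shell with GNU or BSD `find`, and that the buildtrees layout mirrors the paths quoted in the report; the sample tree it builds is constructed data, not a real vcpkg checkout.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue or from the Azure SDK for C++ project.
# Deletes the cgmanifest.json files vcpkg leaves under a buildtree so that
# Component Governance does not scan them. Assumptions: POSIX shell, GNU or BSD
# find, and a buildtrees layout like the paths quoted in the report. The sample
# tree built by make_sample_buildtree is constructed for demonstration only.
set -eu

# prune_cgmanifests <buildtrees-dir>
# Deletes every file named exactly cgmanifest.json beneath <buildtrees-dir> and
# prints how many were removed. Nothing else in the buildtree is touched.
prune_cgmanifests() {
    root="$1"
    if [ ! -d "$root" ]; then
        echo "prune_cgmanifests: not a directory: $root" >&2
        return 1
    fi
    removed=$(find "$root" -type f -name cgmanifest.json | wc -l | tr -d ' ')
    find "$root" -type f -name cgmanifest.json -delete
    echo "$removed"
}

# count_cgmanifests <dir>
# Prints the number of cgmanifest.json files still present (used to verify the prune).
count_cgmanifests() {
    find "$1" -type f -name cgmanifest.json | wc -l | tr -d ' '
}

# make_sample_buildtree <dir>
# Builds a throwaway tree shaped like the locations in the report: one manifest at
# the extracted-source root and one per sub-SDK directory, plus a non-manifest file
# that must survive the prune. Constructed sample data, not a real vcpkg checkout.
make_sample_buildtree() {
    base="$1/buildtrees/azure-core-cpp/src/ore_1.16.0-a25e847603.clean"
    for sub in attestation/azure-security-attestation \
               storage/azure-storage-blobs \
               storage/azure-storage-queues; do
        mkdir -p "$base/$sub"
        printf '{"Registrations":[]}\n' > "$base/$sub/cgmanifest.json"
    done
    printf '{"Registrations":[]}\n' > "$base/cgmanifest.json"
    printf 'project(sample)\n' > "$base/CMakeLists.txt"
}

# Stand-alone run: build the sample tree in a temp dir, prune it, report before/after.
tmp=$(mktemp -d)
make_sample_buildtree "$tmp"
echo "manifests before: $(count_cgmanifests "$tmp")"
echo "removed:          $(prune_cgmanifests "$tmp")"
echo "manifests after:  $(count_cgmanifests "$tmp")"
rm -rf "$tmp"
```

In a pipeline you would call `prune_cgmanifests` on the real buildtrees directory (the report's paths put it at `external/vcpkg/buildtrees`) in the step immediately after `vcpkg install`. The script only removes the manifests that CG would otherwise scan in vcpkg's build-time copy of the sub-SDK sources; it does not change which OpenSSL or cURL versions are actually built or linked, so it addresses the false-positive noise the issue describes rather than any real dependency version.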

Labels: customer-reported, needs-triage, question