Exclude reference packages from CG (#1134) (#1136)

Author: MichaelSimons

README.md

@@ -80,13 +80,9 @@ targeting pack is needed, please [open a new issue](#filing-issues) to discuss.
 
 ## Vulnerable Packages
 
-CVEs may exist for reference packages included in this repo. If they are mitigated by a newer version, the newer version should be added, the vulnerable version should be removed, and references to the vulnerable package within other reference
-packages should be upgraded. A comment should be added to indicate when packages were manually upgraded.
-
-``` xml
-    <!-- Manually updated version from 4.3.0 to address CVE-2017-0247 -->
-    <PackageReference Include="System.Net.Security" Version="4.3.1" />
-```
+CVEs may exist for reference packages included in this repo. Because the packages do not contain any
+implementation, they do not pose a security risk. CG is configured in this repo to ignore the reference
+packages. If product repos migrate off these vulnerable packages, they can be [removed](#cleanup).
 
 ## Filing Issues
 

azure-pipelines/builds/ci.yml

@@ -25,6 +25,12 @@ extends:
   template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
   parameters:
     sdl:
+      componentgovernance:
+        # All of the SBRPs must be ignored because it is possible some of them are for vulnerable versions.
+        # Because they are reference only packages they are not vulnerable themselves.
+        ignoreDirectories: |
+          artifacts/sb,
+          src/referencePackages
       sourceAnalysisPool:
         name: $(DncEngInternalBuildPool)
         image: 1es-windows-2022