Copilot AI commented Aug 8, 2025

This PR updates the existing BinSkim BA2008 suppression entry for aapt2.exe in the .gdn/.gdnsuppress file to address the correct path pattern and provide a more accurate justification.

Changes Made

Path Pattern Update

  • Updated the suppression path from a specific version (35.0.78/tools/aapt2.exe) to use a wildcard pattern (*/Tools/aapt2.exe)
  • Fixed case sensitivity by changing tools to Tools (capital T) to match the actual build output location
  • The wildcard pattern accounts for the dynamically generated folder name based on commit distance

Improved Justification

Enhanced the justification text to be more explicit about why EnableControlFlowGuard cannot be enabled:

Before:

"Third-party binary from Google Android SDK that may not have CFG enabled."

After:

"Third-party binary from Google Android SDK - EnableControlFlowGuard cannot be enabled as this is provided by Google and does not support control flow guard flags."

Context

The aapt2.exe binary is a third-party tool provided by Google as part of the Android SDK build tools. Since this is not Microsoft-compiled code, we cannot enable Control Flow Guard (CFG) compilation flags on it. The suppression prevents BinSkim from flagging this as a security issue during automated scanning.

The path pattern bin/Release/dotnet/packs/Microsoft.Android.Sdk.Windows/*/Tools/aapt2.exe reflects the actual location where the binary is placed during the build process, where the version folder is dynamically generated based on commit distance.

This change aligns the suppression with the actual build output structure and provides clear documentation of why this third-party binary cannot support CFG.
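An added example, not part of the PR or the project's code: before accepting a BA2008 suppression for a third-party binary, a reviewer can confirm that the file really does not advertise CFG by reading the `IMAGE_DLLCHARACTERISTICS_GUARD_CF` bit (0x4000) from its PE optional header. This checks that header bit only and does not reproduce BinSkim's rule; `has_guard_cf` and `make_sample` are hypothetical names, and the sample headers are constructed.

```python
import struct
import sys

IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000  # PE/COFF DllCharacteristics bit
DLLCHAR_OFFSET = 70  # same offset in PE32 and PE32+ optional headers


def has_guard_cf(pe: bytes) -> bool:
    """True if the PE optional header advertises Control Flow Guard."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte COFF header precede the optional header.
    opt = e_lfanew + 24
    if opt + DLLCHAR_OFFSET + 2 > len(pe):
        raise ValueError("truncated optional header")
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic not in (0x10B, 0x20B) or opt_size < DLLCHAR_OFFSET + 2:
        raise ValueError("unsupported or truncated optional header")
    (flags,) = struct.unpack_from("<H", pe, opt + DLLCHAR_OFFSET)
    return bool(flags & IMAGE_DLLCHARACTERISTICS_GUARD_CF)


def make_sample(dll_characteristics: int) -> bytes:
    """Constructed minimal PE32+ headers (not a loadable image)."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<H", opt, DLLCHAR_OFFSET, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the path to aapt2.exe in the build output
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = make_sample(0x0160)  # constructed: GUARD_CF bit clear
    print("GUARD_CF set" if has_guard_cf(data) else "GUARD_CF not set")
```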



Copilot AI changed the title from "[WIP] Suppress BinSkim BA2008 for aapt2.exe in dynamically generated folder under Microsoft.Android.Sdk.Windows" to "Update BinSkim BA2008 suppression for aapt2.exe with wildcard pattern and proper justification" Aug 8, 2025
Copilot AI requested a review from Aguilex August 8, 2025 15:48
@jonathanpeppers jonathanpeppers marked this pull request as ready for review August 8, 2025 15:51
@jonathanpeppers

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@jonathanpeppers jonathanpeppers enabled auto-merge (squash) August 8, 2025 16:37
@jonathanpeppers jonathanpeppers merged commit e36de5f into main Aug 8, 2025
45 of 60 checks passed
@jonathanpeppers jonathanpeppers deleted the copilot/fix-4f8e5b8c-e29c-4eea-b4b3-05278ac847b4 branch August 8, 2025 17:16
@github-actions github-actions bot locked and limited conversation to collaborators Sep 8, 2025