From 3fc0f979f7dc93cae691a897b4524a03ff4d78ef Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Tue, 16 Jan 2024 11:25:27 -0800 Subject: [PATCH 1/9] [ci] Add API Scan job Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/25351/APIScan-step-by-step-guide-to-setting-up-a-Pipeline The ApiScan task has been added to pipeline runs against `main`. This task should help us identify related issues earlier, rather than having to wait for a full scan of VS. --- azure-pipelines.yaml | 75 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 74 insertions(+), 1 deletion(-) diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index d0f314fb..233f6cb1 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml @@ -10,6 +10,10 @@ pr: - d16-* - d17-* +parameters: +- name: ApiScanSourceBranch + default: 'refs/heads/main' + # Global variables variables: - name: DotNetCoreVersion @@ -40,6 +44,9 @@ jobs: - checkout: self clean: true + - powershell: 'gci env: | format-table -autosize -wrap' + displayName: dump environment + - task: UseDotNet@2 displayName: Use .NET Core $(DotNetCoreVersion) inputs: 
@@ -66,9 +73,75 @@ jobs: displayName: 'Build NuGet' condition: and(succeeded(), eq(variables['agent.os'], 'Windows_NT')) + - task: PublishPipelineArtifact@1 + displayName: Upload Build Output + inputs: + path: bin/Debug + artifactName: Output - $(Agent.JobName) + - task: PublishPipelineArtifact@1 displayName: Upload Artifacts inputs: path: $(Build.ArtifactStagingDirectory) - artifactName: $(vmImage) + artifactName: Artifacts - $(Agent.JobName) condition: always() + +- job: api_scan + displayName: API Scan + dependsOn: windows + condition: and(eq(dependencies.windows.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) + pool: + name: Azure Pipelines + vmImage: windows-2022 + timeoutInMinutes: 480 + workspace: + clean: all + steps: + - task: DownloadPipelineArtifact@2 + displayName: Download build artifacts + inputs: + artifactName: Output - windows + downloadPath: $(Build.StagingDirectory) + + - task: ExtractFiles@1 + displayName: Extract nuget + inputs: + archiveFilePatterns: $(Build.StagingDirectory)\**\*.nupkg + destinationFolder: $(Build.StagingDirectory)\apiscan + + - powershell: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse + displayName: List Files for APIScan + + - task: APIScan@2 + displayName: Run APIScan + inputs: + softwareFolder: $(Build.StagingDirectory)\apiscan + symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)\apiscan' + softwareName: $(ApiScanName) + softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)$(System.JobAttempt) + isLargeApp: true + toolVersion: Latest + env: + AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret) + + - task: SdtReport@2 + displayName: Guardian Export - Security Report + inputs: + GdnExportAllTools: false + GdnExportGdnToolApiScan: true + GdnExportOutputSuppressionFile: source.gdnsuppress + + - task: PublishSecurityAnalysisLogs@3 + displayName: Publish Guardian 
Artifacts + inputs: + ArtifactName: APIScan Logs + ArtifactType: Container + AllTools: false + APIScan: true + ToolLogsNotFoundAction: Warning + + - task: PostAnalysis@2 + displayName: Fail Build on Guardian Issues + inputs: + GdnBreakAllTools: false + GdnBreakGdnToolApiScan: true From d4679aa6f146bf850e871eb1b47b01ae3343dcdd Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Tue, 16 Jan 2024 11:26:56 -0800 Subject: [PATCH 2/9] Testing dependson --- azure-pipelines.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index 233f6cb1..bd915f3f 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml @@ -88,7 +88,7 @@ jobs: - job: api_scan displayName: API Scan - dependsOn: windows + #dependsOn: windows condition: and(eq(dependencies.windows.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) pool: name: Azure Pipelines From 8cd792431b36f0eda36609c748226f263db9a47e Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Tue, 16 Jan 2024 11:32:54 -0800 Subject: [PATCH 3/9] Fix dependency name --- azure-pipelines.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index bd915f3f..2ed2893f 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml @@ -88,8 +88,8 @@ jobs: - job: api_scan displayName: API Scan - #dependsOn: windows - condition: and(eq(dependencies.windows.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) + dependsOn: build.windows + condition: and(eq(dependencies.build.windows.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) pool: name: Azure Pipelines vmImage: windows-2022 From 0f0522c32a2625115c6c803607a42e65f4282852 Mon Sep 17 00:00:00 2001 
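Review bot: The `api_scan` condition compares the branch with `${{ parameters.ApiScanSourceBranch }}`, and a runtime parameter declared without a `values:` list can be set to any ref by whoever is allowed to queue a run, so the step that receives `AppKey=$(ApiScanSecret)` is not actually limited to `main`. If the override exists only for testing, compare against the literal instead, `eq(variables['Build.SourceBranch'], 'refs/heads/main')`, or restrict the parameter with `values:`. Separately, `symbolsFolder` fetches symbols over plain `http://symweb` and `toolVersion: Latest` leaves the scanner version unpinned; each deserves a short comment saying why it is acceptable here. `ApiScanClientId`, `ApiScanTenant` and `ApiScanSecret` are not defined in this diff, so presumably they come from pipeline settings; `ApiScanSecret` should be a secret variable there so it is masked in logs.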
From: Peter Collins Date: Tue, 16 Jan 2024 11:36:22 -0800 Subject: [PATCH 4/9] Try build job name --- azure-pipelines.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index 2ed2893f..fa4fcb5e 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml @@ -77,19 +77,19 @@ jobs: displayName: Upload Build Output inputs: path: bin/Debug - artifactName: Output - $(Agent.JobName) + artifactName: Output - $(System.JobName) - task: PublishPipelineArtifact@1 displayName: Upload Artifacts inputs: path: $(Build.ArtifactStagingDirectory) - artifactName: Artifacts - $(Agent.JobName) + artifactName: Artifacts - $(System.JobName) condition: always() - job: api_scan displayName: API Scan - dependsOn: build.windows - condition: and(eq(dependencies.build.windows.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) + dependsOn: build + condition: and(eq(dependencies.build.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}')) pool: name: Azure Pipelines vmImage: windows-2022 From c00a7e8e51d8db931b802ccbc23f9c7741cd58e6 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Tue, 16 Jan 2024 11:49:13 -0800 Subject: [PATCH 5/9] Scan output directly --- azure-pipelines.yaml | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index fa4fcb5e..479bfbee 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml 
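Review bot: The condition `eq(dependencies.build.result, 'Succeeded')` is an exact match, so a `build` that finishes as `SucceededWithIssues` skips the API scan, and a skipped scan does not fail the run. If the scan should still happen when the build only has warnings, use `in(dependencies.build.result, 'Succeeded', 'SucceededWithIssues')`. Also, the artifact is now published as `Output - $(System.JobName)` while the download step in `api_scan` still asks for the fixed name `Output - windows`. That step is outside this hunk, so the match depends on the job name resolving to `windows`, which is worth a comment next to `artifactName`.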
@@ -103,20 +103,14 @@ jobs: artifactName: Output - windows downloadPath: $(Build.StagingDirectory) - - task: ExtractFiles@1 - displayName: Extract nuget - inputs: - archiveFilePatterns: $(Build.StagingDirectory)\**\*.nupkg - destinationFolder: $(Build.StagingDirectory)\apiscan - - - powershell: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse + - powershell: Get-ChildItem -Path "$(Build.StagingDirectory)" -Recurse displayName: List Files for APIScan - task: APIScan@2 displayName: Run APIScan inputs: - softwareFolder: $(Build.StagingDirectory)\apiscan - symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)\apiscan' + softwareFolder: $(Build.StagingDirectory) + symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)' softwareName: $(ApiScanName) softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)$(System.JobAttempt) isLargeApp: true From 1cffd19e182e7e03241c8ebd5f93023c1098537b Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Tue, 16 Jan 2024 12:31:26 -0800 Subject: [PATCH 6/9] Skip ls-jdks --- azure-pipelines.yaml | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index 479bfbee..0d838683 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml 
@@ -103,14 +103,24 @@ jobs: artifactName: Output - windows downloadPath: $(Build.StagingDirectory) - - powershell: Get-ChildItem -Path "$(Build.StagingDirectory)" -Recurse + - task: CopyFiles@2 + displayName: Collect Files for APIScan + inputs: + Contents: | + $(Build.SourcesDirectory)\$(Build.Configuration)$(NetCoreTargetFrameworkPathSuffix)\**\?(*.dll|*.exe|*.pdb) + !$(Build.SourcesDirectory)\**\ls-jdks.* + TargetFolder: $(Build.StagingDirectory)\apiscan + OverWrite: true + flattenFolders: true + + - powershell: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse displayName: List Files for APIScan - task: APIScan@2 displayName: Run APIScan inputs: - softwareFolder: $(Build.StagingDirectory) - symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)' + softwareFolder: $(Build.StagingDirectory)\apiscan + symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)\apiscan' softwareName: $(ApiScanName) softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)$(System.JobAttempt) isLargeApp: true From b2a4d83b97ce8448d5dfdacd3d645ccf2fe915f6 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Tue, 16 Jan 2024 12:40:47 -0800 Subject: [PATCH 7/9] Fix download dir --- azure-pipelines.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index 0d838683..42e3013d 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml @@ -101,7 +101,7 @@ jobs: displayName: Download build artifacts inputs: artifactName: Output - windows - downloadPath: $(Build.StagingDirectory) + downloadPath: $(Build.SourcesDirectory) - task: CopyFiles@2 displayName: Collect Files for APIScan From 1a66473d7ca4eb05e404ec121cc5f05f247ea319 Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Tue, 16 Jan 2024 12:45:06 -0800 Subject: [PATCH 8/9] Fix copy folder --- azure-pipelines.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
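Review bot: `flattenFolders: true` together with `OverWrite: true` in the new `CopyFiles@2` step means two binaries with the same file name from different folders collapse into one file under `apiscan`, so one of them is never scanned and a `.pdb` can end up beside a `.dll` it does not belong to. Dropping `flattenFolders` keeps the layout and makes the file listing in the next step a reliable record of what was scanned. The `!$(Build.SourcesDirectory)\**\ls-jdks.*` exclusion also removes a binary from the security scan without saying why. A comment such as `# ls-jdks is excluded from APIScan because <reason>` would let a later reviewer judge whether the exclusion still holds. PATCH 8/9 widens the include pattern to the whole sources directory, which makes name collisions more likely.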
diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index 42e3013d..c7c96af7 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml @@ -107,7 +107,7 @@ jobs: displayName: Collect Files for APIScan inputs: Contents: | - $(Build.SourcesDirectory)\$(Build.Configuration)$(NetCoreTargetFrameworkPathSuffix)\**\?(*.dll|*.exe|*.pdb) + $(Build.SourcesDirectory)\**\?(*.dll|*.exe|*.pdb) !$(Build.SourcesDirectory)\**\ls-jdks.* TargetFolder: $(Build.StagingDirectory)\apiscan OverWrite: true From 57b4189c6d485e206062eff27c8793eee308fd0d Mon Sep 17 00:00:00 2001 From: Peter Collins Date: Tue, 16 Jan 2024 13:23:48 -0800 Subject: [PATCH 9/9] Remove test changes --- azure-pipelines.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/azure-pipelines.yaml b/azure-pipelines.yaml index c7c96af7..8c2bcfcf 100644 --- a/azure-pipelines.yaml +++ b/azure-pipelines.yaml @@ -44,9 +44,6 @@ jobs: - checkout: self clean: true - - powershell: 'gci env: | format-table -autosize -wrap' - displayName: dump environment - - task: UseDotNet@2 displayName: Use .NET Core $(DotNetCoreVersion) inputs:
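Review bot: With the include pattern widened to `$(Build.SourcesDirectory)\**\?(*.dll|*.exe|*.pdb)`, the scan input is no longer only the downloaded `Output - windows` artifact. The `api_scan` steps added in PATCH 1/9 contain no `checkout` step, so presumably the default checkout of the repository lands in the same directory and any binaries committed to the repo are collected too. Adding `- checkout: none` as the first step of `api_scan`, or downloading the artifact to a dedicated folder and globbing only that folder, keeps the scanned set equal to what the build produced. The step list starts outside this hunk, so confirm the final file has no checkout step before relying on this.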