[build] Fix BinSkim failure in 'Convert NuGet to MSI' job#10961
Merged
jonathanpeppers merged 1 commit intodotnet:mainfrom Mar 18, 2026
Merged
[build] Fix BinSkim failure in 'Convert NuGet to MSI' job#10961jonathanpeppers merged 1 commit intodotnet:mainfrom
jonathanpeppers merged 1 commit intodotnet:mainfrom
Conversation
The 'Convert NuGet to MSI' job fails with:
Could not parse glob pattern D:\a\_work\1\s\bin\Build*\**
BINSKIM : error ERR997.NoValidAnalysisTargets : No valid analysis targets were specified.
This happens because the 1ES template applies sdl.binskim config globally
to all jobs. The analyzeTargetGlob pattern 'bin\Build*\**' only matches
build/test job output directories, but the MSI conversion job has no
bin\Build*\ directory — it produces output under bin\msi-nupkgs\ instead.
Add bin\msi-nupkgs\** to the glob so the MSI conversion job has valid
scan targets.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jonathanpeppers
requested review from
grendello and
simonrozsival
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
Updates the 1ES SDL BinSkim configuration in the main Azure Pipelines definition to ensure security scanning includes outputs from the NuGet-to-MSI conversion job while continuing to avoid scanning test outputs that generate known false positives.
Changes:
- Expand
binskim.analyzeTargetGlobto include both build outputs (bin\Build*\**) and MSI conversion outputs (bin\msi-nupkgs\**). - Add clarifying comments explaining why multiple patterns are needed and why
bin\Test*is intentionally excluded.
Member
Author
|
/azp run |
|
Azure Pipelines successfully started running 1 pipeline(s). |
jonathanpeppers
added a commit
to jonathanpeppers/xamarin-android
that referenced
this pull request
Mar 18, 2026
Revert analyzeTargetGlob to a single pattern (bin\Build*\**) by removing the semicolon-separated bin\msi-nupkgs\** addition from PR dotnet#10961. Guardian's glob parser does not support semicolon-separated patterns. When the value contains semicolons, Guardian prepends the source directory to the entire string, creating an unparseable glob: D:\a\_work\1\s\bin\Build*\**;bin\msi-nupkgs\** This causes BinSkim to fail with ERR997.NoValidAnalysisTargets in every job that uses the global SDL config (Convert NuGet to MSI, Debugging tests, etc.). The 'Convert NuGet to MSI' job is fixed separately by adding a per-job analyzeTargetGlob override in Xamarin.yaml-templates, matching the approach already used by the sign-artifacts template. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jonathanpeppers
added a commit
that referenced
this pull request
Mar 19, 2026
Revert the `analyzeTargetGlob` customization added in PRs #10940, #10953, and #10961. The custom glob patterns caused more problems than they solved: - `+|bin\Build*\**` — Guardian can't parse `+|` prefix (#10953) - `bin\Build*\**` — breaks the 'Convert NuGet to MSI' job which has no `bin\Build*\` directory (#10961) - `bin\Build*\**;bin\msi-nupkgs\**` — Guardian can't parse semicolons, breaks every job Remove `analyzeTargetGlob` entirely and keep only `scanOutputDirectoryOnly: true`, which is the default configuration that worked before #10940.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=13575957&view=logs&j=5b07041f-3ad2-50e1-dcc0-0b413b70a215&t=033d44a8-e06e-5493-047f-4acab20a6c86
The "Convert NuGet to MSI" job fails with:
This happens because the 1ES template applies
sdl.binskimconfig globally to all jobs with no per-job override mechanism. TheanalyzeTargetGlobpatternbin\Build*\**(added in #10940, fixed in #10953) only matches build/test job output directories, but the MSI conversion job has nobin\Build*\directory — it produces output underbin\msi-nupkgs\instead.Add
bin\msi-nupkgs\**to the glob so the MSI conversion job has valid scan targets.