From d9a62b9e40cba0e7ab3946cda67a09c0e26c8dee Mon Sep 17 00:00:00 2001
From: Jonathan Peppers
Date: Tue, 17 Mar 2026 12:42:11 -0500
Subject: [PATCH] [build] Fix BinSkim failure in 'Convert NuGet to MSI' job
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The 'Convert NuGet to MSI' job fails with: Could not parse glob pattern D:\a\_work\1\s\bin\Build*\** BINSKIM : error ERR997.NoValidAnalysisTargets : No valid analysis targets were specified. This happens because the 1ES template applies sdl.binskim config globally to all jobs. The analyzeTargetGlob pattern 'bin\Build*\**' only matches build/test job output directories, but the MSI conversion job has no bin\Build*\ directory — it produces output under bin\msi-nupkgs\ instead. Add bin\msi-nupkgs\** to the glob so the MSI conversion job has valid scan targets.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 build-tools/automation/azure-pipelines.yaml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml
index 98584c0d217..15020124ea2 100644
--- a/build-tools/automation/azure-pipelines.yaml
+++ b/build-tools/automation/azure-pipelines.yaml
@@ -60,8 +60,12 @@ extends:
 enableAllTools: false
 binskim:
 scanOutputDirectoryOnly: true
- # Only scan actual build output, not test assemblies under bin/Test*
- analyzeTargetGlob: bin\Build*\**
+ # Scan build output and MSI conversion output, but not test assemblies
+ # under bin/Test* which produce BA2021 false positives.
+ # Both patterns are needed because the 1ES template applies sdl config
+ # globally: build/test jobs produce bin\Build*\ output, while the
+ # "Convert NuGet to MSI" job only produces bin\msi-nupkgs\ output.
+ analyzeTargetGlob: bin\Build*\**;bin\msi-nupkgs\**
 codeql:
 compiled:
 enabled: false
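Review bot: The `analyzeTargetGlob` value is an allow-list, so any output directory not named in it is outside BinSkim's scope, and in a job that also produces `bin\Build*\` that gap would not surface as an error the way it did for the MSI job. I would extend the new comment with `# Allow-list: add every new shipping output directory here, otherwise its binaries are never scanned.` so the next job added to the pipeline does not silently lose coverage. It is also worth confirming in a run log that the scan in the 'Convert NuGet to MSI' job actually analyzes files under `bin\msi-nupkgs\` rather than only satisfying the target check; the hunk does not show what that directory contains. The `extends:` block this setting sits in starts and ends outside the hunk.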