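--- /dev/null
+++ b/.pipelines/apiscan-gen-notice.yml
@@ -0,0 +1,79 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+trigger: none
+
+variables:
+- name: ob_outputDirectory
+value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+- name: CDP_DEFINITION_BUILD_COUNT
+value: $[counter('', 0)]
+# Defines the variables AzureFileCopySubscription, StorageAccount, StorageAccountKey, StorageResourceGroup, StorageSubscriptionName
+- group: 'Azure Blob variable group'
+# Defines the variables CgPat, CgOrganization, and CgProject
+- group: 'ComponentGovernance'
+- group: 'PoolNames'
+- name: LinuxContainerImage
+value: onebranch.azurecr.io/linux/ubuntu-2004:latest
+- name: WindowsContainerImage
+value: onebranch.azurecr.io/windows/ltsc2022/vse2022:latest
+
+resources:
+repositories:
+- repository: templates
+type: git
+name: OneBranch.Pipelines/GovernedTemplates
+ref: refs/heads/main
+
+extends:
+template: v2/OneBranch.NonOfficial.CrossPlat.yml@templates
+parameters:
+featureFlags:
+WindowsHostVersion:
+Version: 2022
+globalSdl:
+compiled:
+enabled: true
+armory:
+enabled: false
+sbom:
+enabled: false
+cg:
+enabled: true
+ignoreDirectories: '.devcontainer,demos,docker,docs,src,test,tools/packaging'
+tsa:
+enabled: true # onebranch publish all SDL results to TSA. If TSA is disabled all SDL tools will forced into 'break' build mode.
+credscan:
+enabled: true
+scanFolder: $(Build.SourcesDirectory)
+suppressionsFile: $(Build.SourcesDirectory)\.config\suppress.json
+binskim:
+break: true # always break the build on binskim issues in addition to TSA upload
+policheck:
+break: true # always break the build on policheck issues. You can disable it by setting to 'false'
+# APIScan requires a non-Ready-To-Run build
+apiscan:
+enabled: true
+softwareName: "PowerShell" # Default is repo name
+versionNumber: "7.5" # Default is build number
+isLargeApp: false # Default: false.
+#softwareFolder - relative path to a folder to be scanned. Default value is root of artifacts folder.
+#symbolsFolder - relative path to a folder that contains symbols. Default value is root of artifacts folder.
+
+tsaOptionsFile: .config\tsaoptions.json
+
+stages:
+- stage: APIScan
+displayName: 'ApiScan'
+dependsOn: []
+jobs:
+- template: /.pipelines/templates/compliance/apiscan.yml@self
+parameters:
+parentJobs: []
+- stage: notice
+displayName: Generate Notice File
+dependsOn: []
+jobs:
+- template: /.pipelines/templates/compliance/generateNotice.yml@self
+parameters:
+parentJobs: []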
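Review bot: The globalSdl credscan entry points `suppressionsFile` at `$(Build.SourcesDirectory)\.config\suppress.json`, while the apiscan.yml template added in the same change sets `ob_sdl_credscan_suppressionsFile` to `$(Build.SourcesDirectory)\PowerShell\.config\suppress.json` and treats `$(Build.SourcesDirectory)\PowerShell` as the repo root; if that subfolder layout is what the checkout actually produces, the path here does not resolve and the suppressions silently do not apply. The same question applies to `scanFolder: $(Build.SourcesDirectory)` and to the relative `tsaOptionsFile: .config\tsaoptions.json`, so the two files should agree on one root, or this entry should carry a comment saying the job-level `ob_sdl_*` variables are the ones that take effect. `versionNumber: "7.5"` is pinned while the inline comment says the default is the build number; a note such as `# must be bumped when the release line changes` next to it would keep the pin from going stale unnoticed.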
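--- /dev/null
+++ b/.pipelines/templates/compliance/apiscan.yml
@@ -0,0 +1,181 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+jobs:
+- job: APIScan
+variables:
+- name: runCodesignValidationInjection
+value : false
+- name: NugetSecurityAnalysisWarningLevel
+value: none
+- name: ReleaseTagVar
+value: fromBranch
+# Defines the variables APIScanClient, APIScanTenant and APIScanSecret
+- group: PS-PS-APIScan
+# PAT permissions NOTE: Declare a SymbolServerPAT variable in this group with a 'microsoft' organizanization scoped PAT with 'Symbols' Read permission.
+# A PAT in the wrong org will give a single Error 203. No PAT will give a single Error 401, and individual pdbs may be missing even if permissions are correct.
+- group: symbols
+- name: branchCounterKey
+value: $[format('{0:yyyyMMdd}-{1}', pipeline.startTime,variables['Build.SourceBranch'])]
+- name: branchCounter
+value: $[counter(variables['branchCounterKey'], 1)]
+- group: DotNetPrivateBuildAccess
+- group: Azure Blob variable group
+- group: ReleasePipelineSecrets
+- group: mscodehub-feed-read-general
+- group: mscodehub-feed-read-akv
+- name: ob_outputDirectory
+value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+- name: repoRoot
+value: '$(Build.SourcesDirectory)\PowerShell'
+- name: ob_sdl_tsa_configFile
+value: $(Build.SourcesDirectory)\PowerShell\.config\tsaoptions.json
+- name: ob_sdl_credscan_suppressionsFile
+value: $(Build.SourcesDirectory)\PowerShell\.config\suppress.json
+
+pool:
+type: windows
+
+# APIScan can take a long time
+timeoutInMinutes: 180
+
+steps:
+- checkout: self
+clean: true
+fetchTags: true
+fetchDepth: 1000
+displayName: Checkout PowerShell
+retryCountOnTaskFailure: 1
+env:
+ob_restore_phase: true # This ensures checkout is done at the beginning of the restore phase
+
+- template: ../SetVersionVariables.yml
+parameters:
+ReleaseTagVar: $(ReleaseTagVar)
+CreateJson: yes
+UseJson: no
+
+- template: ../insert-nuget-config-azfeed.yml
+parameters:
+repoRoot: '$(repoRoot)'
+
+- pwsh: |
+Import-Module .\build.psm1 -force
+Start-PSBootstrap
+workingDirectory: '$(repoRoot)'
+retryCountOnTaskFailure: 2
+displayName: 'Bootstrap'
+env:
+__DOTNET_RUNTIME_FEED_KEY: $(RUNTIME_SOURCEFEED_KEY)
+
+- pwsh: |
+Import-Module .\build.psm1 -force
+Find-DotNet
+dotnet tool install dotnet-symbol --tool-path $(Agent.ToolsDirectory)\tools\dotnet-symbol
+$symbolToolPath = Get-ChildItem -Path $(Agent.ToolsDirectory)\tools\dotnet-symbol\dotnet-symbol.exe | Select-Object -First 1 -ExpandProperty FullName
+Write-Host "##vso[task.setvariable variable=symbolToolPath]$symbolToolPath"
+displayName: Install dotnet-symbol
+workingDirectory: '$(repoRoot)'
+retryCountOnTaskFailure: 2
+
+- pwsh: |
+$modules = 'Az.Accounts', 'Az.Storage'
+foreach($module in $modules) {
+if(!(get-module $module -listavailable)) {
+Write-Verbose "installing $module..." -verbose
+Install-Module $module -force -AllowClobber
+} else {
+Write-Verbose "$module already installed." -verbose
+}
+}
+displayName: Install PowerShell modules
+workingDirectory: '$(repoRoot)'
+
+- task: AzurePowerShell@5
+displayName: Download winverify-private Artifacts
+inputs:
+azureSubscription: az-blob-cicd-infra
+scriptType: inlineScript
+azurePowerShellVersion: LatestVersion
+workingDirectory: '$(repoRoot)'
+pwsh: true
+inline: |
+# download smybols for getfilesiginforedist.dll
+$downloadsDirectory = '$(Build.ArtifactStagingDirectory)/downloads'
+$uploadedDirectory = '$(Build.ArtifactStagingDirectory)/uploaded'
+$storageAccountName = "pscoretestdata"
+$containerName = 'winverify-private'
+$winverifySymbolsPath = New-Item -ItemType Directory -Path '$(System.ArtifactsDirectory)/winverify-symbols' -Force
+$dllName = 'getfilesiginforedist.dll'
+$winverifySymbolsDllPath = Join-Path $winverifySymbolsPath $dllName
+
+$context = New-AzStorageContext -StorageAccountName $storageAccountName -UseConnectedAccount
+
+Get-AzStorageBlobContent -Container $containerName -Blob $dllName -Destination $winverifySymbolsDllPath -Context $context
+
+- pwsh: |
+Get-ChildItem -Path '$(System.ArtifactsDirectory)/winverify-symbols'
+displayName: Capture winverify-private Artifacts
+workingDirectory: '$(repoRoot)'
+condition: succeededOrFailed()
+
+- pwsh: |
+Import-Module .\build.psm1 -force
+Find-DotNet
+Start-PSBuild -Configuration StaticAnalysis -PSModuleRestore -Clean -Runtime fxdependent-win-desktop
+
+$OutputFolder = Split-Path (Get-PSOutput)
+
+Write-Verbose -Verbose -Message "Deleting ref folder from output folder"
+if (Test-Path $OutputFolder/ref) {
+Remove-Item -Recurse -Force $OutputFolder/ref
+}
+
+Copy-Item -Path "$OutputFolder\*" -Destination '$(ob_outputDirectory)' -Recurse -Verbose
+
+workingDirectory: '$(repoRoot)'
+displayName: 'Build PowerShell Source'
+
+- pwsh: |
+Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose
+workingDirectory: '$(repoRoot)'
+displayName: Capture Environment
+condition: succeededOrFailed()
+
+# Explicitly download symbols for the drop since the SDL image doesn't have http://SymWeb access and APIScan cannot handle https yet.
+- pwsh: |
+Import-Module .\build.psm1 -force
+Find-DotNet
+$pat = '$(SymbolServerPAT)'
+if ($pat -like '*PAT*' -or $pat -eq '')
+{
+throw 'No PAT defined'
+}
+$url = 'https://microsoft.artifacts.visualstudio.com/defaultcollection/_apis/symbol/symsrv'
+$(symbolToolPath) --authenticated-server-path $(SymbolServerPAT) $url --symbols -d "$env:ob_outputDirectory\*" --recurse-subdirectories
+displayName: 'Download Symbols for binaries'
+retryCountOnTaskFailure: 2
+workingDirectory: '$(repoRoot)'
+
+- pwsh: |
+Get-ChildItem '$(ob_outputDirectory)' -File -Recurse |
+Foreach-Object {
+[pscustomobject]@{
+Path = $_.FullName
+Version = $_.VersionInfo.FileVersion
+Md5Hash = (Get-FileHash -Algorithm MD5 -Path $_.FullName).Hash
+Sha512Hash = (Get-FileHash -Algorithm SHA512 -Path $_.FullName).Hash
+}
+} | Export-Csv -Path '$(Build.SourcesDirectory)/ReleaseFileHash.csv'
+workingDirectory: '$(repoRoot)'
+displayName: 'Create release file hash artifact'
+
+- pwsh: |
+Copy-Item -Path '$(Build.SourcesDirectory)/ReleaseFileHash.csv' -Destination '$(ob_outputDirectory)' -Verbose
+displayName: 'Publish Build File Hash artifact'
+
+- pwsh: |
+Get-ChildItem -Path env: | Out-String -width 9999 -Stream | write-Verbose -Verbose
+displayName: Capture Environment
+condition: succeededOrFailed()
+workingDirectory: '$(repoRoot)'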
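Review bot: The "Download Symbols for binaries" step splices the secret into the script text twice by macro expansion — `$pat = '$(SymbolServerPAT)'` and again as a bare argument in the `$(symbolToolPath) --authenticated-server-path $(SymbolServerPAT) $url ...` line — so the PAT becomes part of the generated script file and of the command line, where any verbose tracing or a task that echoes the script would carry it beyond the log masking the pipeline applies. The Bootstrap step in the same file already uses the safer shape for `__DOTNET_RUNTIME_FEED_KEY` (an `env:` mapping read at runtime), and the same pattern works here: map the secret under `env:` and read `$env:SymbolServerPAT` once, passing that variable to the tool. The existing `-like '*PAT*'` guard still catches an unexpanded macro, because an undefined variable leaves the literal `$(SymbolServerPAT)` text in the environment value too. Unrelated but in the same file, `value : false` under `runCodesignValidationInjection` has a stray space before the colon and `CreateJson: yes` / `UseJson: no` rely on YAML 1.1 truthy words; whether the template treats those as strings or booleans is not visible here, so confirming against `SetVersionVariables.yml` is worthwhile.

```yaml
- pwsh: |
    Import-Module .\build.psm1 -force
    Find-DotNet
    $pat = $env:SymbolServerPAT
    if ($pat -like '*PAT*' -or $pat -eq '')
    {
        throw 'No PAT defined'
    }
    $url = 'https://microsoft.artifacts.visualstudio.com/defaultcollection/_apis/symbol/symsrv'
    $(symbolToolPath) --authenticated-server-path $pat $url --symbols -d "$env:ob_outputDirectory\*" --recurse-subdirectories
  displayName: 'Download Symbols for binaries'
  # … unchanged: retryCountOnTaskFailure, workingDirectory …
  env:
    SymbolServerPAT: $(SymbolServerPAT)
```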