Add CodeQL3000 pipeline (#159)

* Add CodeQL3000 pipeline * Fixup * Fix * Remove unused * Feedback * Feedback * Fixup
2022-11-03 13:41:47 -07:00 · 2022-11-03 13:41:47 -07:00 · 115bca992f
--- a/.config/tsaoptions.json
+++ b/.config/tsaoptions.json
@ -0,0 +1,12 @@
+{
+  "areaPath": "DevDiv\\ASP.NET Core",
+  "codebaseName": "jquery-validation-unobtrusive",
+  "instanceUrl": "https://devdiv.visualstudio.com/",
+  "iterationPath": "DevDiv",
+  "notificationAliases": [
+    "aspnetcore-build@microsoft.com"
+  ],
+  "projectName": "DEVDIV",
+  "repositoryName": "jquery-validation-unobtrusive",
+  "template": "TFSDEVDIV"
+}
--- a/.vsts-pipelines/builds/ci-public.yml
+++ b/.vsts-pipelines/builds/ci-public.yml
@ -10,10 +10,42 @@ pr:
    include:
    - '*'

+schedules:
+- cron: 0 9 * * 1
+  displayName: "Run CodeQL3000 weekly, Monday at 2:00 AM PDT"
+  branches:
+    include:
+    - main
+  always: true
+
+parameters:
+# Parameters below are ignored in public builds.
+#
+# Choose whether to run the CodeQL3000 tasks.
+# Manual builds align w/ official builds unless this parameter is true.
+- name: runCodeQL3000
+  default: false
+  displayName: Run CodeQL3000 tasks
+  type: boolean
+
+
 phases:
  - template: ../templates/default-build.yml
    parameters:
      agentOs: Windows
-      codeSign: true
-      ${{ if eq(variables['System.TeamProject'], 'internal') }}:
-        buildArgs: '/p:OfficialBuild=true /p:Sign=true'
+      ${{ if and(eq(variables['System.TeamProject'], 'internal'), or(eq(variables['Build.Reason'], 'Schedule'), and(eq(variables['Build.Reason'], 'Manual'), eq(parameters.runCodeQL3000, 'true')))) }}:
+        codeSign: false
+        runCodeQL3000: true
+        beforeBuild: 
+        - task: CodeQL3000Init@0
+          displayName: CodeQL Initialize
+        - script: "echo ##vso[build.addbuildtag]CodeQL3000"
+          displayName: 'Set CI CodeQL3000 tag'
+          condition: ne(variables.CODEQL_DIST,'')
+        afterBuild:
+        - task: CodeQL3000Finalize@0
+          displayName: CodeQL Finalize
+      ${{ else }}:
+        codeSign: true
+        ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+          buildArgs: '/p:OfficialBuild=true /p:Sign=true'
--- a/.vsts-pipelines/templates/default-build.yml
+++ b/.vsts-pipelines/templates/default-build.yml
@ -8,7 +8,7 @@
 #   poolName: string
 #       The name of the Azure DevOps agent pool to use.
 #   agentOs: string
-#       Used in templates to define variables which are OS specific. Typically from the set { Windows, Linux, macOS }
+#       Used in templates to define variables which are OS specific. Currently Windows only.
 #   buildArgs: string
 #       Additional arguments to pass to the build.sh/cmd script.
 #       Note: -ci is always passed
@ -48,6 +48,7 @@ parameters:
  afterBuild: []
  codeSign: false
  variables: {}
+  runCodeQL3000: false
  dependsOn: ''
  # buildSteps: [] - don't define an empty object default because there is no way in template expression yet to check "if isEmpty(parameters.buildSteps)"
  # jobName: '' - use agentOs by default.
@ -73,16 +74,11 @@ jobs:
  pool:
    ${{ if ne(parameters.poolName, '') }}:
      name: ${{ parameters.poolName }}
-    ${{ if and(eq(parameters.poolName, ''), eq(parameters.agentOs, 'macOS')) }}:
-      vmImage: macOS-10.15
-    ${{ if and(eq(parameters.poolName, ''), eq(parameters.agentOs, 'Linux')) }}:
-      vmImage: ubuntu-18.04
-    ${{ if and(eq(parameters.poolName, ''), eq(parameters.agentOs, 'Windows')) }}:
-      vmImage: windows-latest
-      ${{ if ne(variables['System.TeamProject'], 'public') }}:
-        # This override makes the specified vmImage irrelevant.
-        name: NetCore1ESPool-Internal
-        demands: ImageOverride -equals Build.Server.Amd64.VS2019
+    vmImage: windows-latest
+    ${{ if ne(variables['System.TeamProject'], 'public') }}:
+      # This override makes the specified vmImage irrelevant.
+      name: NetCore1ESPool-Internal
+      demands: ImageOverride -equals 1es-windows-2019
  variables:
    AgentOsName: ${{ parameters.agentOs }}
    ASPNETCORE_TEST_LOG_MAXPATH: "200" # Keep test log file name length low enough for artifact zipping
@ -95,18 +91,27 @@ jobs:
      _SignType: real
    ${{ if or(ne(parameters.codeSign, 'true'), ne(variables['System.TeamProject'], 'internal'), eq(variables['Build.Reason'], 'PullRequest')) }}:
      _SignType: ''
+    ${{ if eq(parameters.runCodeQL3000, 'true') }}:
+      # Do not let CodeQL3000 Extension gate scan frequency.
+      Codeql.Cadence: 0
+      # Enable CodeQL3000 unconditionally so it may be run on any branch.
+      Codeql.Enabled: true
+      Codeql.SourceRoot: src
+      # CodeQL3000 needs this plumbed along as a variable to enable TSA.
+      Codeql.TSAEnabled: ${{ eq(variables['Build.Reason'], 'Schedule') }}
+      # Default expects tsaoptions.json under SourceRoot.
+      Codeql.TSAOptionsPath: '$(Build.SourcesDirectory)/.config/tsaoptions.json'
    ${{ insert }}: ${{ parameters.variables }}
  steps:
  - checkout: self
    clean: true
-  - ${{ if eq(parameters.agentOs, 'Windows') }}:
-    - task: NuGetCommand@2
-      displayName: 'Clear NuGet caches'
-      condition: succeeded()
-      inputs:
-        command: custom
-        arguments: 'locals all -clear'
-  - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.agentOs, 'Windows'), eq(parameters.codeSign, 'true')) }}:
+  - task: NuGetCommand@2
+    displayName: 'Clear NuGet caches'
+    condition: succeeded()
+    inputs:
+      command: custom
+      arguments: 'locals all -clear'
+  - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.codeSign, 'true')) }}:
    - task: MicroBuildSigningPlugin@2
      displayName: Install MicroBuild Signing plugin
      condition: and(succeeded(), in(variables['_SignType'], 'test', 'real'))
@ -116,18 +121,14 @@ jobs:
        feedSource: https://dnceng.pkgs.visualstudio.com/_packaging/MicroBuildToolset/nuget/v3/index.json
  - ${{ parameters.beforeBuild }}
  - ${{ if eq(parameters.buildSteps, '') }}:
-    - ${{ if eq(parameters.agentOs, 'Windows') }}:
-      - task: NuGetToolInstaller@1
-        displayName: 'Install NuGet.exe'
-      - task: NodeTool@0
-        displayName: Install Node 16.x
-        inputs:
-          versionSpec: 16.x
-      - script: .\build.cmd /p:SignType=$(_SignType) /p:Configuration=$(BuildConfiguration) $(BuildScriptArgs) /bl:artifacts/logs/build.binlog
-        displayName: Run build.cmd
-    - ${{ if ne(parameters.agentOs, 'Windows') }}:
-      - script: ./build.sh -ci -p:Configuration=$(BuildConfiguration) $(BuildScriptArgs)
-        displayName: Run build.sh
+    - task: NuGetToolInstaller@1
+      displayName: 'Install NuGet.exe'
+    - task: NodeTool@0
+      displayName: Install Node 16.x
+      inputs:
+        versionSpec: 16.x
+    - script: .\build.cmd /p:SignType=$(_SignType) /p:Configuration=$(BuildConfiguration) $(BuildScriptArgs) /bl:artifacts/logs/build.binlog
+      displayName: Run build.cmd
  - ${{ if ne(parameters.buildSteps, '') }}:
    - ${{ parameters.buildSteps }}
  - task: PublishTestResults@2
@ -153,7 +154,7 @@ jobs:
        artifactType: Container
        parallel: true
  - ${{ parameters.afterBuild }}
-  - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.agentOs, 'Windows'), eq(parameters.codeSign, 'true')) }}:
+  - ${{ if and(eq(variables['System.TeamProject'], 'internal'), eq(parameters.codeSign, 'true')) }}:
    - task: MicroBuildCleanup@1
      displayName: Cleanup MicroBuild tasks
      condition: always()