зеркало из https://github.com/microsoft/BuildXL.git
Merged PR 705313: Promoting credential scanner warnings to errors fix
Adding back the functionality to promote credscan warnings to errors.
Родитель
c0cba093eb
Коммит
a4d635c711
|
@ -322,7 +322,7 @@ namespace BuildXL
|
|||
"cpuResourceAware",
|
||||
sign => schedulingConfiguration.CpuResourceAware = sign),
|
||||
OptionHandlerFactory.CreateOption(
|
||||
"credScanEnvironmentVariablesAllowList",
|
||||
"credentialScanEnvironmentVariablesAllowList",
|
||||
opt => frontEndConfiguration.CredScanEnvironmentVariablesAllowList.AddRange(CommandLineUtilities.ParseRepeatingOption(opt, ";", v => v.Trim()))),
|
||||
OptionHandlerFactory.CreateOption(
|
||||
"criticalCommitUtilizationPercentage",
|
||||
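Review bot: The option name registered in this hunk should be checked against the flag named in the CredScanDetection message: both `credScanEnvironmentVariablesAllowList` and `credentialScanEnvironmentVariablesAllowList` appear here, and the two versions of the Message string in the BuildXL.Pips.Tracing hunk differ in exactly this spelling. The rendered page has lost the +/- markers, so which spelling is on the new side in each file cannot be confirmed from here. Now that a detection fails the build, the allow list is the way past a false positive, so an error that names a flag the parser does not accept would leave users stuck. If the rename is intended, consider still accepting the old spelling so existing command lines keep working. The option list starts and ends outside the hunk.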
|
|
|
@ -1569,18 +1569,12 @@ namespace IntegrationTest.BuildXL.Scheduler
|
|||
var builder = CreatePipBuilderWithEnvironment(ops, environmentVariables: new Dictionary<string, (string, bool)>() { [envVarKey] = (envVarValue, isPassThrough) });
|
||||
SchedulePipBuilder(builder);
|
||||
|
||||
var result = RunScheduler().AssertSuccess();
|
||||
|
||||
// This event is logged when a credential is detected in the env variables.
|
||||
AssertVerboseEventLogged(PipsTracingLogEventId.CredentialsDetectedInEnvVar, expectCredentialDetected ? 1 : 0);
|
||||
|
||||
// TODO Bug #2034799
|
||||
/*
|
||||
var result = expectCredentialDetected ? RunScheduler().AssertFailure() : RunScheduler().AssertSuccess();
|
||||
|
||||
// This event is logged when a credential is detected in the env variables.
|
||||
AssertErrorEventLogged(PipsTracingLogEventId.CredentialsDetectedInEnvVar, expectCredentialDetected ? 1 : 0);
|
||||
*/
|
||||
|
||||
}
|
||||
#endif
|
||||
|
||||
|
@ -1609,9 +1603,7 @@ namespace IntegrationTest.BuildXL.Scheduler
|
|||
RunScheduler().AssertSuccess();
|
||||
|
||||
// This event should not be logged when environment variable is passed via /credScanEnvironmentVariablesAllowList.
|
||||
AssertVerboseEventLogged(PipsTracingLogEventId.CredentialsDetectedInEnvVar, 0);
|
||||
// TODO Promote CredScan violations to an error. Bug #2034799
|
||||
// AssertErrorEventLogged(PipsTracingLogEventId.CredentialsDetectedInEnvVar, 0);
|
||||
AssertErrorEventLogged(PipsTracingLogEventId.CredentialsDetectedInEnvVar, 0);
|
||||
}
|
||||
#endif
|
||||
|
||||
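Review bot: The updated test in the first hunk asserts the scheduler outcome and the number of CredentialsDetectedInEnvVar error events, but not that the detected value stays out of the log. The event is now an error with the UserError keyword, so it presumably reaches more prominent output than the verbose event did; an extra assertion that `envVarValue` does not occur in the captured log text would pin the property that only the variable name is reported. In the lines visible here `result` is assigned and never read, so the local can be dropped if nothing outside the hunk uses it. Both test methods start outside the hunks.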
|
|
|
@ -151,9 +151,7 @@ namespace BuildXL.Pips.Builders
|
|||
Logger.Log.CredScanDetection(m_loggingContext, tuple.process.GetDescription(context), tuple.envVarKey);
|
||||
}
|
||||
|
||||
return true;
|
||||
// TODO Promote CredScan violations to an error. Bug #2034799
|
||||
// return false;
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
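Review bot: The `return false;` that follows the logging block has no comment left now that the TODO is gone, and the meaning of the boolean is not visible in this hunk. A one-line comment such as `// Credential detected in an environment variable: fail so the value is not captured in the build graph.` would state why the method gives up here. The method starts outside the hunk, so the wording should be checked against its actual return contract.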
|
|
|
@ -32,12 +32,9 @@ namespace BuildXL.Pips.Tracing
|
|||
[GeneratedEvent(
|
||||
(ushort)LogEventId.CredentialsDetectedInEnvVar,
|
||||
EventGenerators = EventGenerators.LocalOnly,
|
||||
EventLevel = Level.Verbose,
|
||||
Keywords = (int)Keywords.UserMessage,
|
||||
// TODO Promote CredScan violations to an error. Bug #2034799
|
||||
// EventLevel = Level.Error,
|
||||
// Keywords = (int)(Keywords.UserMessage | Keywords.UserError),
|
||||
Message = "[{pipDescription}] Capturing secrets in the build graph is insecure. The following environment variables - '{envVarName}' either need to be removed or made passthrough. For false positives, specify the variable name in /credentialScanEnvironmentVariablesAllowList on the command line.")]
|
||||
EventLevel = Level.Error,
|
||||
Keywords = (int)(Keywords.UserMessage | Keywords.UserError),
|
||||
Message = "[{pipDescription}] Capturing secrets in the build graph is insecure. The following environment variables - '{envVarName}' either need to be removed or made passthrough. For false positives, specify the variable name in /credScanEnvironmentVariablesAllowList on the command line.")]
|
||||
public abstract void CredScanDetection(LoggingContext context, string pipDescription, string envVarName);
|
||||
|
||||
[GeneratedEvent(
|
||||
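Review bot: The Message text is phrased for several variables (`The following environment variables - '{envVarName}' either need to be removed or made passthrough.`), while CredScanDetection takes a single `envVarName` and the BuildXL.Pips.Builders hunk calls it with one `tuple.envVarKey` at a time. With the event now a user-facing error, a singular form would read better, for example `Environment variable '{envVarName}' must be removed or made passthrough.` in place of that sentence. Only the variable name is interpolated, which is the right choice for an event about secrets and should stay that way if the message is extended.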
|
|