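---
# APIScan pipeline for BuildXL.
#
# Builds BuildXL with pdbOnly symbols, isolates the DLLs that BuildXL itself
# produces (identified by the PDBs next to them), runs APIScan via Guardian over
# those binaries and publishes the build logs and the analysis results.
#
# No CI trigger: this pipeline is started manually or by another pipeline.
trigger: none

variables:
  - name: BuildXL.LogsDirectory
    value: $(Build.SourcesDirectory)\Out\Logs\pr-$(Build.BuildNumber)
  - name: BuildXL.PreReleaseTag
    value: pr.public.apiscan
  - name: BuildXL.SemanticVersion
    value: 0.0.$(Build.BuildNumber)
  # Single source of truth for the build flavor; every path below that names
  # the deployment folder must use this variable instead of a literal.
  - name: BuildXL.Configuration
    value: Release
  # Quoted so the value is the literal string 'false' rather than a YAML boolean.
  - name: Codeql.Enabled
    value: 'false'
  # Service connection id consumed by the APIScan auth connection string below.
  - name: ServiceConnection.ID
    value: f8d656f9-65f2-4c67-93ba-fb4ec491e20e

jobs:
  - job: APIScan
    displayName: APIScan
    timeoutInMinutes: 120
    cancelTimeoutInMinutes: 1
    pool:
      name: BuildXL-DevOpsAgents-Selfhost
      os: windows
    steps:
      - checkout: self
        fetchDepth: 1

      - template: /.azdo/common/journaling.yml  # Enable journaling
      - template: /.azdo/common/set-msvc-version.yml

      # It should give us enough coverage to run with the default qualifier.
      # We only care to scan binaries we produce, so we are using an output
      # filter pointing to the Out\Bin\$(BuildXL.Configuration)\win-x64 folder.
      - task: CmdLine@2
        displayName: BuildXL (cscDebugType=pdbOnly)
        inputs:
          script: 'bxl.cmd -DeployConfig $(BuildXL.Configuration) /p:[Sdk.BuildXL]microsoftInternal=0 /p:[Sdk.BuildXL]cscDebugType=pdbOnly /logsDirectory:$(BuildXL.LogsDirectory) /p:[BuildXL.Branding]SemanticVersion=$(BuildXL.SemanticVersion) /p:[BuildXL.Branding]PrereleaseTag=$(BuildXL.PreReleaseTag) /logOutput:FullOutputOnWarningOrError /processRetries:3 Out\Bin\$(BuildXL.Configuration)\win-x64\*'

      # Logs are uploaded even when the build fails so failures can be diagnosed.
      - task: PublishPipelineArtifact@1
        displayName: Upload logs
        condition: always()
        continueOnError: true
        inputs:
          path: $(BuildXL.LogsDirectory)
          artifactName: BuildXL logs

      # Some of the DLLs in the BuildXL deployment correspond to stock libraries
      # brought in via NuGet. We only want to scan our very own BuildXL DLLs, so
      # we use the produced PDBs as an indicator of that. As a way to isolate
      # them and only scan those, we use separate binaries & symbols directories,
      # where only the identified DLLs are copied.
      #
      # The deployment folder is derived from $(BuildXL.Configuration) so it
      # always matches the folder the CmdLine@2 step above deployed into.
      - powershell: |
          $bxlDir = '$(Build.SourcesDirectory)\Out\Bin\$(BuildXL.Configuration)\win-x64'
          $binariesDir = '$(Agent.TempDirectory)\APIScan\Binaries'
          $symbolsDir = '$(Agent.TempDirectory)\APIScan\Symbols'

          New-Item -Path $binariesDir -ItemType Directory
          New-Item -Path $symbolsDir -ItemType Directory

          # Get all the .pdb and .dll files from bxlDir recursively
          $pdbFiles = Get-ChildItem -Path $bxlDir -Filter "*.pdb" -Recurse
          $dllFiles = Get-ChildItem -Path $bxlDir -Filter "*.dll" -Recurse

          Write-Host "Copying files from '$($bxlDir)' to '$($symbolsDir)'"

          # Copy all .pdb files to symbolsDir
          $pdbFiles | ForEach-Object {
            Copy-Item -Path $_.FullName -Destination $symbolsDir
            Write-Host "Copying '$($_.FullName)'"
          }

          # Loop through each .pdb file
          # TODO: there might be dlls with duplicate name in nested directories that actually target different frameworks. We should maybe
          # instead do a recursive copy preserving the dir structure and make apiscan perform a recursive scan
          foreach ($pdbFile in $pdbFiles) {
            # Check if there's a .dll file with the same base name as the .pdb
            $matchingDllFile = $dllFiles | Where-Object { $_.BaseName -eq $pdbFile.BaseName }

            # Copy the matching .dll file(s) to binariesDir
            if ($null -ne $matchingDllFile) {
              Copy-Item -Path $matchingDllFile.FullName -Destination $binariesDir
              Write-Host "Copying '$($matchingDllFile.FullName)'"
            }
          }
        failOnStderr: true
        displayName: 'Prepare binary and symbol file'
        continueOnError: false

      # addSpnToEnvironment makes the service principal details available to the
      # inline script. Only the app id and tenant id (neither is a secret) are
      # re-exported as pipeline variables; the credential itself is not echoed.
      - task: AzureCLI@2
        displayName: 'Get service connection details'
        inputs:
          azureSubscription: 'BuildXL - APIScan'
          addSpnToEnvironment: true
          scriptType: bash
          scriptLocation: 'inlineScript'
          inlineScript: |
            echo "##vso[task.setvariable variable=APIScan-clientId;]$servicePrincipalId"
            echo "##vso[task.setvariable variable=APIScan-tenantId;]$tenantId"

      # The pipeline access token is passed through the task's own env block, so
      # it is visible to this step only.
      - task: APIScan@2
        displayName: 'Run APIScan via Guardian'
        env:
          AzureServicesAuthConnectionString: RunAs=App;AppId=$(APIScan-clientId);TenantId=$(APIScan-tenantId);ServiceConnectionId=$(ServiceConnection.ID);
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
        inputs:
          softwareFolder: '$(Agent.TempDirectory)\APIScan\Binaries'
          softwareName: 'BuildXL'
          softwareVersionNum: '$(BuildXL.SemanticVersion)'
          softwareBuildNum: '$(Build.BuildId)'
          # Symbol server first, then the locally prepared PDB folder.
          symbolsFolder: 'SRV*https://symweb.azurefd.net;$(Agent.TempDirectory)\APIScan\Symbols'
          azureSubscription: 'BuildXL - APIScan'

      # Break the build only on APIScan findings at 'Warning' severity or above;
      # other Guardian tools do not gate the build here.
      - task: PostAnalysis@2
        continueOnError: true
        inputs:
          GdnBreakAllTools: false
          GdnBreakGdnToolApiScan: true
          GdnBreakGdnToolApiScanSeverity: 'Warning'

      # Publish the analysis artifacts (also when earlier steps failed).
      - task: PublishSecurityAnalysisLogs@3
        condition: always()
        inputs:
          ArtifactName: 'CodeAnalysisLog'
          ArtifactType: 'Container'
          AllTools: false
          APIScan: true
          ToolLogsNotFoundAction: 'Standard'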