зеркало из https://github.com/microsoft/PTVS.git
248 строки
9.4 KiB
YAML
248 строки
9.4 KiB
YAML
# This pipeline is used to perform policy and compliance tasks on the PTVS codebase.
|
|
# For more information about the suite of tools used, see https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/secure-development-tools-extension-for-azure-devops
|
|
|
|
parameters:
|
|
- name: pylanceVersion
|
|
displayName: Pylance Version
|
|
type: string
|
|
default: latest
|
|
- name: debugpyVersion
|
|
displayName: Debugpy Version
|
|
type: string
|
|
default: latest
|
|
|
|
# Build number format
|
|
name: $(date:yy)$(DayOfYear)$(rev:.r)
|
|
|
|
# Don't trigger ci or pr builds
|
|
trigger: none
|
|
pr: none
|
|
|
|
# Trigger builds on a nightly schedule, as long as there are changes
|
|
# Ignore the azure-pipelines.yml, since that's a different pipeline
|
|
# All times are in UTC, so 8AM = Midnight PST
|
|
schedules:
|
|
- cron: "0 8 * * *"
|
|
displayName: Nightly build
|
|
branches:
|
|
include:
|
|
- main
|
|
|
|
jobs:
|
|
|
|
- job: Compliance
|
|
timeoutInMinutes: 0 # maximum timeout, some compliance tasks take a long time to run
|
|
|
|
# The agent pool the build will run on
|
|
pool:
|
|
name: VSEngSS-MicroBuild2022-1ES
|
|
demands:
|
|
- msbuild
|
|
- VisualStudio_17.0
|
|
|
|
# Job variables
|
|
variables:
|
|
- name: CopyTestData
|
|
value: false
|
|
|
|
# PTVS variable group
|
|
# This contains variables shared between various PTVS pipelines
|
|
- group: PTVS-Dev17
|
|
|
|
steps:
|
|
|
|
# Check out code clean from source control
|
|
- checkout: self
|
|
clean: true
|
|
|
|
# Install plugins needed for swixproj/vsmanproj and signing
|
|
# We don't use Build/templates/install_microbuild_plugins.yml here because this project doesn't need to real sign
|
|
- task: MicroBuildSwixPlugin@3
|
|
displayName: 'Install microbuild swix plugin'
|
|
|
|
# Restore packages and install dependencies (pylance, debugpy)
|
|
- template: Build/templates/restore_packages.yml
|
|
parameters:
|
|
pylanceVersion: ${{ parameters.pylanceVersion }}
|
|
debugpyVersion: ${{ parameters.debugpyVersion }}
|
|
|
|
# Clean the Guardian temp files
|
|
- powershell: Get-ChildItem -Path $env:TEMP -Filter 'MpCmdRun.*' -Recurse -ErrorAction SilentlyContinue | Remove-Item -Recurse -Force
|
|
displayName: Clean guardian temp files
|
|
continueOnError: true
|
|
|
|
- powershell: npm i -g npm@8
|
|
displayName: downgrade npm
|
|
|
|
# Update node
|
|
# See https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/tool/node-js?view=azure-devops
|
|
- task: NodeTool@0
|
|
displayName: Update node
|
|
inputs:
|
|
versionSpec: '14.x'
|
|
|
|
- task: UsePythonVersion@0
|
|
displayName: 'Use Python 3.x'
|
|
|
|
# Initialize CodeQL before the build
|
|
# See https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/1761/Static-Analysis and
|
|
# https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/codeql/configuring-codeql3000-ado-pipelines
|
|
- task: CodeQL3000Init@0
|
|
displayName: Initialize CodeQL
|
|
inputs:
|
|
Enabled: true
|
|
Language: python,csharp,cpp
|
|
TSAEnabled: true
|
|
TSAOptionsPath: $(Build.SourcesDirectory)\TsaConfig.json
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Build and publish logs
|
|
- template: Build/templates/build.yml
|
|
|
|
# Finalize CodeQL after the build
|
|
- task: CodeQL3000Finalize@0
|
|
displayName: Finalize CodeQL
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Anti-Malware Scan of build sources and/or artifacts
|
|
# See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/antimalware-scan-build-task
|
|
- task: AntiMalware@4
|
|
displayName: 'Run Antivirus on Source'
|
|
inputs:
|
|
FileDirPath: $(Build.SourcesDirectory)
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
- task: AntiMalware@4
|
|
displayName: Run Antivirus on Binaries
|
|
inputs:
|
|
FileDirPath: $(Build.BinariesDirectory)
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Copy files for Scanning
|
|
- task: CopyFiles@2
|
|
displayName: 'Copy Files for Scanning'
|
|
inputs:
|
|
SourceFolder: $(Build.BinariesDirectory)
|
|
Contents: |
|
|
layout\Microsoft.CookiecutterTools\Microsoft.CookiecutterTools.*
|
|
layout\Microsoft.PythonTools.Core\Microsoft.PythonTools.*
|
|
layout\Microsoft.PythonTools.Core\PyDebugAttach*.*
|
|
layout\Microsoft.PythonTools.Debugger.VCLauncher\Microsoft.PythonTools.*
|
|
layout\Microsoft.PythonTools.Django\Microsoft.PythonTools.*
|
|
layout\Microsoft.PythonTools.Profiling\Microsoft.PythonTools.*
|
|
layout\Microsoft.PythonTools.Profiling\VsPyProf*.*
|
|
TargetFolder: $(Agent.TempDirectory)\FilesToScan
|
|
|
|
# Analyze python files for common vulnerabilities
|
|
# See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/bandit-build-task
|
|
- task: Bandit@1
|
|
displayName: 'Run Bandit'
|
|
inputs:
|
|
targetsType: banditPattern
|
|
targetsBandit: '$(Build.SourcesDirectory)\Python\Product'
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Analyze binaries for security vulnerabilities
|
|
# See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/binskim-build-task
|
|
- task: BinSkim@4
|
|
displayName: Run BinSkim
|
|
inputs:
|
|
# Use the same files copied for ApiScan
|
|
TargetPattern: binskimPattern
|
|
AnalyzeTargetBinskim: |
|
|
$(Agent.TempDirectory)\FilesToScan\*.dll
|
|
$(Agent.TempDirectory)\FilesToScan\*.exe
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Run component governance detection
|
|
# See http://aka.ms/cgdocs for more info
|
|
- task: ComponentGovernanceComponentDetection@0
|
|
displayName: Run Component Detection
|
|
inputs:
|
|
scanType: 'Register'
|
|
verbosity: 'Verbose'
|
|
alertWarningLevel: 'High'
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Analyze source and build output text files for credentials
|
|
# See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/credscan-azure-devops-build-task
|
|
- task: CredScan@2
|
|
displayName: Run CredScan
|
|
inputs:
|
|
toolMajorVersion: V2
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Scan C/C++ for security vulnerabilities
|
|
# See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/flawfinder-build-task
|
|
- task: Flawfinder@2
|
|
displayName: 'Run Flawfinder'
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Scan text elements including code, code comments, and content/web pages, for sensitive terms based on legal, cultural, or geopolitical reasons
|
|
# See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/policheck-build-task
|
|
- task: PoliCheck@2
|
|
displayName: Run PoliCheck
|
|
inputs:
|
|
optionsFC: 1 # Enables scanning of comments
|
|
optionsUEPATH: $(Build.SourcesDirectory)\Build\PoliCheckExclusions.xml
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Analyze unmanaged C/C++ code for security vulnerabilities
|
|
# https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/prefast-build-task
|
|
- task: SDLNativeRules@2
|
|
displayName: Run PREfast SDL Native Rules for MSBuild
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
- task: MicroBuildCleanup@1
|
|
displayName: MicroBuild cleanup
|
|
continueOnError: True
|
|
|
|
# Generate security analysis report
|
|
# See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/security-analysis-report-build-task
|
|
- task: SdtReport@1
|
|
displayName: Create Security Analysis Report
|
|
inputs:
|
|
AllTools: true
|
|
BinSkimBreakOn: WarningAbove
|
|
PoliCheckBreakOn: Severity4Above
|
|
RoslynAnalyzersBreakOn: WarningAbove
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Publish security analysis logs
|
|
- task: PublishSecurityAnalysisLogs@2
|
|
displayName: Publish Security Analysis Logs
|
|
condition: succeededOrFailed()
|
|
continueOnError: True
|
|
|
|
# Copy sdt logs for publishing
|
|
- task: CopyFiles@2
|
|
displayName: Save SDT logs to Staging Directory
|
|
inputs:
|
|
SourceFolder: $(Agent.BuildDirectory)\_sdt
|
|
TargetFolder: $(Build.StagingDirectory)
|
|
|
|
# Publish staging artifacts
|
|
- task: PublishBuildArtifacts@1
|
|
displayName: Publish Staging Directory
|
|
inputs:
|
|
PathtoPublish: $(Build.StagingDirectory)
|
|
|
|
# Upload results to TSA
|
|
# See https://eng.ms/docs/security-compliance-identity-and-management-scim/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/sdl-azdo-extension/tsa-upload-build-task
|
|
- task: TSAUpload@2
|
|
displayName: TSA Upload
|
|
inputs:
|
|
GdnPublishTsaOnboard: True
|
|
GdnPublishTsaConfigFile: $(Build.SourcesDirectory)\TsaConfig.json
|