49601674: [Compliance] Enabled automated APIScan and PREfast scanning (#4326)

build/AzurePipelinesTemplates/WindowsAppSDK-Build-Stage.yml

@@ -5,6 +5,9 @@ parameters:
 - name: "IsOneBranch"
   type: boolean
   default: True
+- name: runStaticAnalysis
+  type: boolean
+  default: True
 
 stages:
 - stage: Build
@@ -52,11 +55,15 @@ stages:
       ob_outputDirectory: '$(REPOROOT)\out'
       ob_sdl_codeSignValidation_excludes: '-|**\Release\**;-|**\packages\**'
       ob_artifactBaseName: "FoundationBinaries_$(buildConfiguration)_$(buildPlatform)"
+      ob_sdl_apiscan_enabled: true
+      ob_sdl_apiscan_softwareFolder: '$(build.SourcesDirectory)\APIScanTarget'
+      ob_sdl_apiscan_symbolsFolder: '$(build.SourcesDirectory)\APIScanTarget;SRV*http://symweb'
     steps:
     - template: WindowsAppSDK-BuildBinaries-Steps.yml@self
       parameters:
         SignOutput: ${{ parameters.SignOutput }}
         IsOneBranch: ${{ parameters.IsOneBranch }}
+        runStaticAnalysis : ${{ parameters.runStaticAnalysis }}
 
   - job: BuildBinaries_release_anycpu
     # For now, this job just builds Microsoft.WindowsAppRuntime.Bootstrap.Net.dll in AnyCPU
@@ -72,11 +79,15 @@ stages:
       ob_outputDirectory: '$(REPOROOT)\out'
       ob_sdl_codeSignValidation_excludes: '-|**\Release\**'
       ob_artifactBaseName: "FoundationBinaries_release_anycpu"
+      ob_sdl_apiscan_enabled: true
+      ob_sdl_apiscan_softwareFolder: '$(build.SourcesDirectory)\BuildOutput\Release\AnyCPU'
+      ob_sdl_apiscan_symbolsFolder: '$(build.SourcesDirectory)\BuildOutput\Release\AnyCPU;SRV*http://symweb'
     steps:
     - template: WindowsAppSDK-BuildBinaries-AnyCPU-Steps.yml@self
       parameters:
         SignOutput: ${{ parameters.SignOutput }}
         IsOneBranch: ${{ parameters.IsOneBranch }}
+        runStaticAnalysis : ${{ parameters.runStaticAnalysis }}
 
   - job: BuildMRT
     pool:
@@ -111,8 +122,12 @@ stages:
       ob_sdl_suppression_suppressionFile: $(Build.SourcesDirectory)\dev\MRTCore\.gdn\mrt.gdnsuppress # This value is set on the job cdpx_engine, it will override the global gdnsuppress for this job
       ob_sdl_suppression_suppressionSet: default
       ob_artifactBaseName: "MrtBinaries_$(buildConfiguration)_$(buildPlatform)"
+      ob_sdl_apiscan_enabled: true
+      ob_sdl_apiscan_softwareFolder: '$(build.SourcesDirectory)\APIScanTarget'
+      ob_sdl_apiscan_symbolsFolder: '$(build.SourcesDirectory)\APIScanTarget;SRV*http://symweb'
     steps:
     - template: WindowsAppSDK-BuildMRT-Steps.yml@self
       parameters:
         SignOutput: ${{ parameters.SignOutput }}
         IsOneBranch: ${{ parameters.IsOneBranch }}
+        runStaticAnalysis : ${{ parameters.runStaticAnalysis }}

build/AzurePipelinesTemplates/WindowsAppSDK-BuildBinaries-AnyCPU-Steps.yml

@@ -5,6 +5,9 @@ parameters:
 - name: "IsOneBranch"
   type: boolean
   default: True
+- name: runStaticAnalysis
+  type: boolean
+  default: True
 
 steps:
 - task: NuGetToolInstaller@1
@@ -29,6 +32,16 @@ steps:
     filePath: 'BuildAll.ps1'
     arguments: -AzureBuildStep "BuildAnyCPU"
 
+- ${{ if eq(parameters.runStaticAnalysis, 'True') }}:
+  - task: SDLNativeRules@3
+    displayName: Run PREfast SDL Native Rules 
+    inputs:
+      setupCommandlines: '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat"'
+      msBuildCommandline: 'msbuild.exe /restore /nologo /nr:false $(Build.SourcesDirectory)\dev\Bootstrap\CS\Microsoft.WindowsAppRuntime.Bootstrap.Net\Microsoft.WindowsAppRuntime.Bootstrap.Net.csproj'
+    continueOnError: true
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+
 # component detection must happen *within* the build task
 - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
 

build/AzurePipelinesTemplates/WindowsAppSDK-BuildBinaries-Steps.yml

@@ -5,6 +5,9 @@ parameters:
 - name: "IsOneBranch"
   type: boolean
   default: True
+- name: runStaticAnalysis
+  type: boolean
+  default: True
 
 steps:
 - task: NuGetToolInstaller@1
@@ -67,6 +70,46 @@ steps:
     filePath: 'BuildAll.ps1'
     arguments: -Platform "$(buildPlatform)" -Configuration "$(buildConfiguration)" -AzureBuildStep "BuildBinaries"
 
+- ${{ if eq(parameters.runStaticAnalysis, 'True') }}:
+  - task: SDLNativeRules@3
+    displayName: Run PREfast SDL Native Rules 
+    condition: and(succeeded(), eq(variables['buildConfiguration'], 'Release'), eq(variables['buildPlatform'], 'x64'))
+    inputs:
+      setupCommandlines: '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat"'
+      msBuildArchitecture: amd64
+      msBuildCommandline: 'msbuild.exe /restore /nologo /nr:false /p:configuration=Release /p:platform=x64 $(Build.SourcesDirectory)\WindowsAppRuntime.sln'
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+    continueOnError: true
+
+  # Copy build output to folder APIScanTarget for APIScan to scan later, in the mean time, exclude some folders/files.
+  - task: CopyFiles@2
+    displayName: Populate APIScanTarget
+    condition: and(succeeded(), eq(variables['ob_sdl_apiscan_enabled'], 'true'))
+    inputs:
+      SourceFolder: '$(build.SourcesDirectory)\BuildOutput'
+      TargetFolder: '$(build.SourcesDirectory)\APIScanTarget'
+      contents: |
+        **
+        !**\*test*\**
+        !**\*Demoapp*\**
+        !**\*Demopackage\**
+        !**\*.json
+        !**\*.msix
+        !**\*.png
+        !**\*.binlog
+        !**\*.cs
+        !**\*.cpp
+        !**\*.idl
+        !**\*.h
+    continueOnError: true
+
+  #- script: |
+  #    dir /s $(Build.SourcesDirectory)\APIScanTarget
+  #  displayName: 'DIAG: dir $(Build.SourcesDirectory)\APIScanTarget'
+  #  condition: and(succeededOrFailed(), eq(variables['ob_sdl_apiscan_enabled'], 'true'))
+  #  continueOnError: true
+
 - ${{ if eq(parameters.SignOutput, 'true') }}:
   - task: EsrpCodeSigning@2
     inputs:

build/AzurePipelinesTemplates/WindowsAppSDK-BuildMRT-Steps.yml

@@ -5,9 +5,9 @@ parameters:
 - name: "IsOneBranch"
   type: boolean
   default: True
-- name: "RunPrefast"
+- name: runStaticAnalysis
   type: boolean
-  default: False
+  default: True
 
 steps:
 - template: WindowsAppSDK-SetupBuildEnvironment-Steps.yml
@@ -22,37 +22,6 @@ steps:
     compilerPackageVersion: $(compilerOverridePackageVersion)
     slnDirectory: $(Build.SourcesDirectory)\dev\MRTCore\mrt
 
-- ${{ if parameters.RunPrefast }}:
-  # PREFast scan is enabled in this pipeline run, so we pass PreFastSetup to BuildAll.ps1 to get it to do the commonn setup steps, but short of
-  # building the target via MSBuild.exe
-  - task: PowerShell@2
-    name: PreFastSetup
-    inputs:
-      filePath: 'BuildAll.ps1'
-      arguments: -Platform "$(buildPlatform)" -Configuration "$(buildConfiguration)" -AzureBuildStep "PreFastSetup"
-
-  # The PREFast task below only supports the VSBuild/MSbuild task, _not_ a direct call to MSBuild.exe.
-  - task: MSBuild@1
-    displayName: 'build MrtCore with MSBuild'
-    inputs:
-      platform: '$(buildPlatform)'
-      solution: '$(Build.SourcesDirectory)\dev\MRTCore\mrt\MrtCore.sln'
-      configuration: '$(buildConfiguration)'
-      msbuildArguments: '/restore /binaryLogger:$(Build.SourcesDirectory)\dev\MRTCore\mrt\mrtcore.$(buildPlatform).$(buildConfiguration).binlog'
-
-  # ToDo: WindowsAppSDK-BinaryAnalysis-steps.yml below ultimately invokes SDLNativeRules@2, which is out of support.
-  # So for the time being, we explicitly call SDLNativeRules@3, which is currently supported. Consider eliminating this
-  # extra step when we run PREFast as part of WindowsAppSDK-BinaryAnalysis-steps.yml below.
-  - task: SDLNativeRules@3
-    displayName: 'Guardian: PreFast@3'
-    env:
-      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-    continueOnError: true
-    inputs:
-      userProvideBuildInfo: 'auto'
-      toolVersion: Latest
-
-- ${{ if not( parameters.RunPrefast ) }}:
 - task: PowerShell@2
   name: BuildBinaries
   retryCountOnTaskFailure: 10
@@ -60,6 +29,38 @@ steps:
     filePath: 'BuildAll.ps1'
     arguments: -Platform "$(buildPlatform)" -Configuration "$(buildConfiguration)" -AzureBuildStep "BuildMRT"
 
+- ${{ if eq(parameters.runStaticAnalysis, 'True') }}:
+  - task: SDLNativeRules@3
+    displayName: Run PREfast SDL Native Rules 
+    condition: and(succeeded(), eq(variables['buildPlatform'], 'x64'), eq(variables['buildConfiguration'], 'Release'))
+    inputs:
+      setupCommandlines: '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsMSBuildCmd.bat"'
+      msBuildArchitecture: amd64
+      msBuildCommandline: 'msbuild.exe /nologo /nr:false /p:configuration=Release /p:platform=x64 $(Build.SourcesDirectory)\dev\MRTCore\mrt\MrtCore.sln'
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+    continueOnError: true
+
+  # Copy build output to folder APIScanTarget for APIScan to scan, in the mean time, exclude some folders/files.
+  - task: CopyFiles@2
+    displayName: Populate APIScanTarget
+    condition: and(succeeded(), eq(variables['ob_sdl_apiscan_enabled'], 'true'))
+    inputs:
+      SourceFolder: '$(build.SourcesDirectory)\BuildOutput'
+      TargetFolder: '$(build.SourcesDirectory)\APIScanTarget'
+      contents: |
+        **
+        !**\*test*\**
+        !**\*.binlog
+        !**\*.json
+    continueOnError: true
+
+  #- script: |
+  #    dir /s $(Build.SourcesDirectory)\APIScanTarget
+  #  displayName: 'DIAG: dir $(Build.SourcesDirectory)\APIScanTarget'
+  #  condition: and(succeededOrFailed(), eq(variables['ob_sdl_apiscan_enabled'], 'true'))
+  #  continueOnError: true
+
 # component detection must happen *within* the build task
 - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
 

build/WindowsAppSDK-Foundation-Nightly.yml

@@ -30,6 +30,10 @@ parameters:
 - name: "SignOutput"
   type: boolean
   default: True
+- name: runStaticAnalysis
+  displayName: "Run Static Analysis (e.g., PREFast, APIScan)"
+  type: boolean
+  default: True
 
 resources:
   repositories:
@@ -79,11 +83,32 @@ extends:
       policheck:
         enable: true
         break: true
+      binskim:
+        enabled: true
+        break: true
+      prefast:
+        ${{ if eq(parameters.runStaticAnalysis, 'True') }}:
+          enabled: true
+        ${{ else }}:
+          enabled: false
+        # TODO: Once we've cleared away all existing errors, consider setting this to true.
+        break: false
+        # Use "severity: 'Warning'" to be more sensitive, break on Warnings+Errors.
+        # Use "severity: 'Note'" to be even more sensitive, break on Notes+Warnings+Errors.
+        # Use "severity: 'Default'" to get back to default, i.e., break on Errors. Can't get less sensitive than that.
+        severity: Default
+        # Use "exclusionsFile: <<FILE PATH>>" to apply a local exclusion file.
+      apiscan:
+        # We will enable APIScan on a per-job basis downstream as needed.
+        enabled: false
+        # TODO: Once we've cleared away all existing errors, consider setting this to true.
+        break: false
 
     stages:
     - template: AzurePipelinesTemplates\WindowsAppSDK-Build-Stage.yml@self
       parameters:
         SignOutput: ${{ parameters.SignOutput }}
+        runStaticAnalysis : ${{ parameters.runStaticAnalysis }}
 
     - template: AzurePipelinesTemplates\WindowsAppSDK-Test-Stage.yml@self
 

build/WindowsAppSDK-Foundation-Official.yml

@@ -30,6 +30,10 @@ parameters:
 - name: "SignOutput"
   type: boolean
   default: True
+- name: runStaticAnalysis
+  displayName: "Run Static Analysis (e.g., PREFast, APIScan)"
+  type: boolean
+  default: True
 
 resources:
   repositories:
@@ -66,12 +70,30 @@ extends:
         enabled: false
       binskim:
         enabled: true
+        break: true
+      prefast:
+        ${{ if eq(parameters.runStaticAnalysis, 'True') }}:
+          enabled: true
+        ${{ else }}:
+          enabled: false
+        # TODO: Once we've cleared away all existing errors, consider setting this to true.
+        break: true
+        # Use "severity: 'Warning'" to be more sensitive, break on Warnings+Errors.
+        # Use "severity: 'Note'" to be even more sensitive, break on Notes+Warnings+Errors.
+        # Use "severity: 'Default'" to get back to default, i.e., break on Errors. Can't get less sensitive than that.
+        severity: Default
+        # Use "exclusionsFile: <<FILE PATH>>" to apply a local exclusion file.
+      apiscan:
+        # We will enable APIScan on a per-job basis downstream as needed.
+        enabled: false
+        # TODO: Once we've cleared away all existing errors, consider setting this to true.
         break: false
 
     stages:
     - template: AzurePipelinesTemplates\WindowsAppSDK-Build-Stage.yml@self
       parameters:
         SignOutput: ${{ parameters.SignOutput }}
+        runStaticAnalysis : ${{ parameters.runStaticAnalysis }}
 
     - template: AzurePipelinesTemplates\WindowsAppSDK-Test-Stage.yml@self
 

build/WindowsAppSDK-Foundation-PR.yml

@@ -20,6 +20,12 @@
 # https://aka.ms/obpipelines/triggers
 trigger: none
 
+parameters: # parameters are shown up in ADO UI in a build queue time
+- name: runStaticAnalysis
+  displayName: "Run Static Analysis (e.g., PREFast, APIScan)"
+  type: boolean
+  default: True
+
 resources:
   repositories:
     - repository: templates
@@ -54,11 +60,32 @@ extends:
       psscriptanalyzer:
         enable: true
         break: true
+      binskim:
+        enabled: true
+        break: true
+      prefast:
+        ${{ if eq(parameters.runStaticAnalysis, 'True') }}:
+          enabled: true
+        ${{ else }}:
+          enabled: false
+        # TODO: Once we've cleared away all existing errors, consider setting this to true.
+        break: false
+        # Use "severity: 'Warning'" to be more sensitive, break on Warnings+Errors.
+        # Use "severity: 'Note'" to be even more sensitive, break on Notes+Warnings+Errors.
+        # Use "severity: 'Default'" to get back to default, i.e., break on Errors. Can't get less sensitive than that.
+        severity: Default
+        # Use "exclusionsFile: <<FILE PATH>>" to apply a local exclusion file.
+      apiscan:
+        # We will enable APIScan on a per-job basis downstream as needed.
+        enabled: false
+        # TODO: Once we've cleared away all existing errors, consider setting this to true.
+        break: false
 
     stages:
     - template: AzurePipelinesTemplates\WindowsAppSDK-Build-Stage.yml@self
       parameters:
         SignOutput: false
+        runStaticAnalysis : ${{ parameters.runStaticAnalysis }}
 
     - template: AzurePipelinesTemplates\WindowsAppSDK-Test-Stage.yml@self