Danny van Velzen 2023-10-27 09:22:24 -07:00 коммит произвёл GitHub
Родитель 39fbd9f628
Коммит 559e188e3d
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
5 изменённых файлов: 177 добавлений и 69 удалений


@ -0,0 +1,77 @@
{
"hydrated": false,
"properties": {
"helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/baselines",
"hydrationStatus": "This file does not contain identifying data. It is safe to check into your repo. To hydrate this file with identifying data, run `guardian hydrate --help` and follow the guidance."
},
"version": "1.0.0",
"baselines": {
"guardian-baseline": {
"name": "guardian-baseline",
"createdDate": "2023-10-21 02:08:05Z",
"lastUpdatedDate": "2023-10-21 02:08:05Z"
}
},
"results": {
"0c9bea3e0ba4ec1f9f412df1d9116cda3781b5f120c9c268bb38c53a60873a6b": {
"signature": "0c9bea3e0ba4ec1f9f412df1d9116cda3781b5f120c9c268bb38c53a60873a6b",
"alternativeSignatures": [
"d388e5517024dc10e219f9ca342f0884e28b46aae2e92b5537e52fe93e7440c4"
],
"memberOf": [
"guardian-baseline"
],
"createdDate": "2023-10-21 02:08:05Z"
},
"844ac8bd279863c0714bef8a8d5458a853e1d7d0afcd6f8fb042c895af9b9c99": {
"signature": "844ac8bd279863c0714bef8a8d5458a853e1d7d0afcd6f8fb042c895af9b9c99",
"alternativeSignatures": [
"de276c1956f6cad7acc9765c7a1127a126d525b45cf9f6a7ce277a47997a7fdc"
],
"memberOf": [
"guardian-baseline"
],
"createdDate": "2023-10-21 02:08:05Z"
},
"2133282a9767561d4a3199f40d102d50c276a40c713ff51873b15b4ccc2528e2": {
"signature": "2133282a9767561d4a3199f40d102d50c276a40c713ff51873b15b4ccc2528e2",
"alternativeSignatures": [
"ceb49633d687c3be368840b3302478e053bb885169e33ae4584c212ef0ca96ae"
],
"memberOf": [
"guardian-baseline"
],
"createdDate": "2023-10-21 02:08:05Z"
},
"a635e094fa0297b9c8c002484e334ecce0e66ec494a15ccf740ff74c74820e9b": {
"signature": "a635e094fa0297b9c8c002484e334ecce0e66ec494a15ccf740ff74c74820e9b",
"alternativeSignatures": [
"b83062005ae1d65bfaa76c66029ecb5b21395b435db7e98f0a50f2bb9ad8725a"
],
"memberOf": [
"guardian-baseline"
],
"createdDate": "2023-10-21 02:08:05Z"
},
"ed3f0398be556ba4a84a6b2e4d664c79f345adfb13f6a6a284ed7cd341b28dc5": {
"signature": "ed3f0398be556ba4a84a6b2e4d664c79f345adfb13f6a6a284ed7cd341b28dc5",
"alternativeSignatures": [
"920e5ba1bfb73b3cdd3865260c2aa6d1d541b45f2811d8e7a83ef65f9346dc68"
],
"memberOf": [
"guardian-baseline"
],
"createdDate": "2023-10-21 02:08:05Z"
},
"8601ac212ffa5688ac5bd7c90c88c6821801db1c12aaa238bf8f0b5ddb997cb8": {
"signature": "8601ac212ffa5688ac5bd7c90c88c6821801db1c12aaa238bf8f0b5ddb997cb8",
"alternativeSignatures": [
"e2056c1150375f38dc46635a15a0ed40c3c626ff43e433d5c16f03b72d22934e"
],
"memberOf": [
"guardian-baseline"
],
"createdDate": "2023-10-21 02:08:05Z"
}
}
}


@ -3,6 +3,9 @@ parameters:
type: string
- name: outputPath
type: string
- name: isPublish
type: boolean
default : false
steps:
- task: PowerShell@2
@ -35,6 +38,13 @@ steps:
-Configuration:$(BuildConfiguration)
-AppPlatform:${{parameters.appPlatform}}
- script: |
dir build\v8\buildtools\reclient\scandeps_server.exe
taskkill -f -im scandeps_server.exe
attrib -r build\v8\buildtools\reclient\scandeps_server.exe
del build\v8\buildtools\reclient\scandeps_server.exe
displayName: Delete build infrastructure file, for compliant tooling
- powershell: |
$vsExtensionPath="${env:ProgramFiles}\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\Extensions\";
Write-Host "Searching for Google Test Adapter Path in '$vsExtensionPath'"
@ -60,35 +70,36 @@ steps:
vsTestVersion: latest
condition: and(succeeded(), not(startsWith(variables.BuildPlatform, 'arm')))
- task: ComponentGovernanceComponentDetection@0
inputs:
ignoreDirectories: 'build\depot_tools'
- script: mkdir ${{parameters.outputPath}}\_manifest\$(BuildPlatform)\$(BuildConfiguration)
displayName: 📒 Prep Manifest
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
displayName: 📒 Generate Manifest
inputs:
BuildDropPath: ${{parameters.outputPath}}
ManifestDirPath: ${{parameters.outputPath}}\_manifest\$(BuildPlatform)\$(BuildConfiguration)
# Guardian does not handle custom builds, so manually running Binskim
- task: BinSkim@3
displayName: Run Binskim Analysis
inputs:
InputType: 'Basic'
Function: 'analyze'
AnalyzeTarget: $(Build.ArtifactStagingDirectory)/**/*.dll
AnalyzeVerbose: true
toolVersion: 'LatestPreRelease'
continueOnError: true
condition: and(eq(variables.BuildConfiguration, 'Release'), not(eq(variables.BuildPlatform, 'arm64')))
- task: PublishBuildArtifacts@1
displayName: "Publish artifacts"
inputs:
artifactName: V8Jsi
pathtoPublish: ${{parameters.outputPath}}
- task: ComponentGovernanceComponentDetection@0
- ${{ if not(parameters.isPublish) }}:
- task: ComponentGovernanceComponentDetection@0
inputs:
ignoreDirectories: 'build\depot_tools'
- script: mkdir ${{parameters.outputPath}}\_manifest\$(BuildPlatform)\$(BuildConfiguration)
displayName: 📒 Prep Manifest
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
displayName: 📒 Generate Manifest
inputs:
BuildDropPath: ${{parameters.outputPath}}
ManifestDirPath: ${{parameters.outputPath}}\_manifest\$(BuildPlatform)\$(BuildConfiguration)
# Guardian does not handle custom builds, so manually running Binskim
- task: BinSkim@3
displayName: Run Binskim Analysis
inputs:
InputType: 'Basic'
Function: 'analyze'
AnalyzeTarget: $(Build.ArtifactStagingDirectory)/**/*.dll
AnalyzeVerbose: true
toolVersion: 'LatestPreRelease'
continueOnError: true
condition: and(eq(variables.BuildConfiguration, 'Release'), not(eq(variables.BuildPlatform, 'arm64')))
- task: PublishBuildArtifacts@1
displayName: "Publish artifacts"
inputs:
artifactName: V8Jsi
pathtoPublish: ${{parameters.outputPath}}
- task: ComponentGovernanceComponentDetection@0
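Review bot: With `isPublish: true` the explicit `BinSkim@3` step now sits under `${{ if not(parameters.isPublish) }}`, so the publish run skips it, even though the comment kept above it says Guardian does not handle these custom builds. Nothing visible in this commit configures a BinSkim target for the extended template, so the shipped DLLs may go without binary hardening analysis in the very run that publishes them. Confirm that the template's own scan covers `$(Build.ArtifactStagingDirectory)/**/*.dll`, or keep this step outside the conditional. Separately, `continueOnError: true` together with `toolVersion: 'LatestPreRelease'` means findings never fail the build and the analyzer version floats between runs. Indentation is lost on this page, so the extent of the conditional block is inferred from the line order and hunk counts.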


@ -11,11 +11,15 @@ trigger:
- README.md
- docs/*
pool: OE-OfficePublic
resources:
repositories:
- repository: OfficePipelineTemplates
type: git
name: 1ESPipelineTemplates/OfficePipelineTemplates
ref: refs/tags/release
variables:
- group: V8-Jsi Secrets
- group: InfoSec-SecurityResults
- name: ArtifactServices.Symbol.AccountName
value: microsoft
- name: ArtifactServices.Symbol.PAT
@ -23,5 +27,24 @@ variables:
- name: tags
value: production,externalfacing
jobs:
- template: windows-jobs.yml
extends:
template: v1/Office.Official.PipelineTemplate.yml@OfficePipelineTemplates
parameters:
pool:
name: Azure-Pipelines-1ESPT-ExDShared
image: windows-latest
os: windows
sdl:
baseline:
baselineFile: $(Build.SourcesDirectory)\.ado\guardian\SDL\.gdnbaselines
eslint:
enableExclusions: true
# This repo does not ship any javascript code. But has many test cases for the js engine that fail parsing, have code considered insecure and crash eslint.
exclusionPatterns: |
'**/*.[jt]s'
stages:
- stage: main
jobs:
- template: .ado/windows-jobs.yml@self
parameters:
isPublish: true
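Review bot: The ESLint exclusion `'**/*.[jt]s'` under `sdl.eslint` turns the scan off for every JavaScript and TypeScript file in the repository, which is wider than the reason given in the comment above it. The configuration this commit removes gave the justification as the test files under src/napi/test/js-native-api, so a script added anywhere else later would go unscanned without anyone having decided that. Consider scoping the pattern to that directory, for example `'src/napi/test/js-native-api/**'` if the template accepts that glob form, and keep the justification next to it.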


@ -1,3 +1,8 @@
parameters:
- name: isPublish
type: boolean
default : false
jobs:
- job: V8JsiBuild
timeoutInMinutes: 300
@ -31,7 +36,12 @@ jobs:
BuildConfiguration: Release
BuildPlatform: arm64
AppPlatform: win32
${{ if parameters.isPublish }}:
templateContext:
outputs:
- output: buildArtifacts
PathtoPublish: $(Build.ArtifactStagingDirectory)
ArtifactName: V8Jsi
steps:
- task: UsePythonVersion@0
inputs:
@ -43,12 +53,20 @@ jobs:
parameters:
outputPath: $(Build.ArtifactStagingDirectory)
appPlatform: $(AppPlatform)
isPublish: ${{ parameters.isPublish }}
- job: V8JsiPublishNuget
condition: not(eq(variables['Build.Reason'], 'PullRequest'))
dependsOn:
- V8JsiBuild
displayName: Publish Nuget
${{ if not(parameters.isPublish) }}:
templateContext:
outputs:
- output: pipelineArtifact
targetPath: $(System.DefaultWorkingDirectory)\NugetRootFinal
artifactName: "V8Jsi-final-nuget"
steps:
- checkout: none
@ -96,14 +114,15 @@ jobs:
}
displayName: Verify NuGet packages creation
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
displayName: 📒 Generate Manifest NuGet
condition: not(eq(variables['Build.Reason'], 'PullRequest'))
inputs:
BuildDropPath: $(System.DefaultWorkingDirectory)\NugetRootFinal
- ${{ if not(parameters.isPublish) }}:
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
displayName: 📒 Generate Manifest NuGet
condition: not(eq(variables['Build.Reason'], 'PullRequest'))
inputs:
BuildDropPath: $(System.DefaultWorkingDirectory)\NugetRootFinal
- task: PublishBuildArtifacts@1
displayName: "Publish final nuget artifacts"
inputs:
PathtoPublish: $(System.DefaultWorkingDirectory)\NugetRootFinal
ArtifactName: "V8Jsi-final-nuget"
- task: PublishBuildArtifacts@1
displayName: "Publish final nuget artifacts"
inputs:
PathtoPublish: $(System.DefaultWorkingDirectory)\NugetRootFinal
ArtifactName: "V8Jsi-final-nuget"
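Review bot: The `templateContext` outputs block on `V8JsiPublishNuget` is guarded by `${{ if not(parameters.isPublish) }}`, the opposite of the guard on `V8JsiBuild` (`${{ if parameters.isPublish }}`), and that looks inverted. As written, the run that extends the official template declares no output for `NugetRootFinal`, and the step-level conditional also appears to drop the manifest and `PublishBuildArtifacts` steps. The NuGet package would then get neither a published artifact nor an SBOM from that run, while the non-template run carries a `templateContext` that nothing consumes. If the intent mirrors the build job, the job-level guard should read `${{ if parameters.isPublish }}:`. The job body between the hunks is not visible and indentation is lost on this page, so confirm which steps the second conditional actually encloses.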


@ -1,22 +0,0 @@
{
"Enabled": true,
"Tools": {
"CredScan": {
"Enabled": true
},
"ESLint": {
"Enabled": false,
"_justification": "The only js and ts files are under src/napi/test/js-native-api which don't ship and need to test all patterns of the js engine causing false positives and even crashes in eslint."
},
"BinSkim": {
"Enabled": true,
"Inputs": {
"AnalyzeTargetGlob": "",
"AnalyzeSymPath": ""
}
},
"SDLNativeRules": {
"Enabled": true
}
}
}