зеркало из https://github.com/microsoft/v8-jsi.git
Enable 1ES PT pipeline for V8 (#187)
Родитель
39fbd9f628
Коммит
559e188e3d
|
@ -0,0 +1,77 @@
|
|||
{
|
||||
"hydrated": false,
|
||||
"properties": {
|
||||
"helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/baselines",
|
||||
"hydrationStatus": "This file does not contain identifying data. It is safe to check into your repo. To hydrate this file with identifying data, run `guardian hydrate --help` and follow the guidance."
|
||||
},
|
||||
"version": "1.0.0",
|
||||
"baselines": {
|
||||
"guardian-baseline": {
|
||||
"name": "guardian-baseline",
|
||||
"createdDate": "2023-10-21 02:08:05Z",
|
||||
"lastUpdatedDate": "2023-10-21 02:08:05Z"
|
||||
}
|
||||
},
|
||||
"results": {
|
||||
"0c9bea3e0ba4ec1f9f412df1d9116cda3781b5f120c9c268bb38c53a60873a6b": {
|
||||
"signature": "0c9bea3e0ba4ec1f9f412df1d9116cda3781b5f120c9c268bb38c53a60873a6b",
|
||||
"alternativeSignatures": [
|
||||
"d388e5517024dc10e219f9ca342f0884e28b46aae2e92b5537e52fe93e7440c4"
|
||||
],
|
||||
"memberOf": [
|
||||
"guardian-baseline"
|
||||
],
|
||||
"createdDate": "2023-10-21 02:08:05Z"
|
||||
},
|
||||
"844ac8bd279863c0714bef8a8d5458a853e1d7d0afcd6f8fb042c895af9b9c99": {
|
||||
"signature": "844ac8bd279863c0714bef8a8d5458a853e1d7d0afcd6f8fb042c895af9b9c99",
|
||||
"alternativeSignatures": [
|
||||
"de276c1956f6cad7acc9765c7a1127a126d525b45cf9f6a7ce277a47997a7fdc"
|
||||
],
|
||||
"memberOf": [
|
||||
"guardian-baseline"
|
||||
],
|
||||
"createdDate": "2023-10-21 02:08:05Z"
|
||||
},
|
||||
"2133282a9767561d4a3199f40d102d50c276a40c713ff51873b15b4ccc2528e2": {
|
||||
"signature": "2133282a9767561d4a3199f40d102d50c276a40c713ff51873b15b4ccc2528e2",
|
||||
"alternativeSignatures": [
|
||||
"ceb49633d687c3be368840b3302478e053bb885169e33ae4584c212ef0ca96ae"
|
||||
],
|
||||
"memberOf": [
|
||||
"guardian-baseline"
|
||||
],
|
||||
"createdDate": "2023-10-21 02:08:05Z"
|
||||
},
|
||||
"a635e094fa0297b9c8c002484e334ecce0e66ec494a15ccf740ff74c74820e9b": {
|
||||
"signature": "a635e094fa0297b9c8c002484e334ecce0e66ec494a15ccf740ff74c74820e9b",
|
||||
"alternativeSignatures": [
|
||||
"b83062005ae1d65bfaa76c66029ecb5b21395b435db7e98f0a50f2bb9ad8725a"
|
||||
],
|
||||
"memberOf": [
|
||||
"guardian-baseline"
|
||||
],
|
||||
"createdDate": "2023-10-21 02:08:05Z"
|
||||
},
|
||||
"ed3f0398be556ba4a84a6b2e4d664c79f345adfb13f6a6a284ed7cd341b28dc5": {
|
||||
"signature": "ed3f0398be556ba4a84a6b2e4d664c79f345adfb13f6a6a284ed7cd341b28dc5",
|
||||
"alternativeSignatures": [
|
||||
"920e5ba1bfb73b3cdd3865260c2aa6d1d541b45f2811d8e7a83ef65f9346dc68"
|
||||
],
|
||||
"memberOf": [
|
||||
"guardian-baseline"
|
||||
],
|
||||
"createdDate": "2023-10-21 02:08:05Z"
|
||||
},
|
||||
"8601ac212ffa5688ac5bd7c90c88c6821801db1c12aaa238bf8f0b5ddb997cb8": {
|
||||
"signature": "8601ac212ffa5688ac5bd7c90c88c6821801db1c12aaa238bf8f0b5ddb997cb8",
|
||||
"alternativeSignatures": [
|
||||
"e2056c1150375f38dc46635a15a0ed40c3c626ff43e433d5c16f03b72d22934e"
|
||||
],
|
||||
"memberOf": [
|
||||
"guardian-baseline"
|
||||
],
|
||||
"createdDate": "2023-10-21 02:08:05Z"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -3,6 +3,9 @@ parameters:
|
|||
type: string
|
||||
- name: outputPath
|
||||
type: string
|
||||
- name: isPublish
|
||||
type: boolean
|
||||
default : false
|
||||
|
||||
steps:
|
||||
- task: PowerShell@2
|
||||
|
@ -35,6 +38,13 @@ steps:
|
|||
-Configuration:$(BuildConfiguration)
|
||||
-AppPlatform:${{parameters.appPlatform}}
|
||||
|
||||
- script: |
|
||||
dir build\v8\buildtools\reclient\scandeps_server.exe
|
||||
taskkill -f -im scandeps_server.exe
|
||||
attrib -r build\v8\buildtools\reclient\scandeps_server.exe
|
||||
del build\v8\buildtools\reclient\scandeps_server.exe
|
||||
displayName: Delete build infrastructure file, for compliant tooling
|
||||
|
||||
- powershell: |
|
||||
$vsExtensionPath="${env:ProgramFiles}\Microsoft Visual Studio\2022\Enterprise\Common7\IDE\Extensions\";
|
||||
Write-Host "Searching for Google Test Adapter Path in '$vsExtensionPath'"
|
||||
|
@ -60,35 +70,36 @@ steps:
|
|||
vsTestVersion: latest
|
||||
condition: and(succeeded(), not(startsWith(variables.BuildPlatform, 'arm')))
|
||||
|
||||
- task: ComponentGovernanceComponentDetection@0
|
||||
inputs:
|
||||
ignoreDirectories: 'build\depot_tools'
|
||||
- ${{ if not(parameters.isPublish) }}:
|
||||
- task: ComponentGovernanceComponentDetection@0
|
||||
inputs:
|
||||
ignoreDirectories: 'build\depot_tools'
|
||||
|
||||
- script: mkdir ${{parameters.outputPath}}\_manifest\$(BuildPlatform)\$(BuildConfiguration)
|
||||
displayName: 📒 Prep Manifest
|
||||
- script: mkdir ${{parameters.outputPath}}\_manifest\$(BuildPlatform)\$(BuildConfiguration)
|
||||
displayName: 📒 Prep Manifest
|
||||
|
||||
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
|
||||
displayName: 📒 Generate Manifest
|
||||
inputs:
|
||||
BuildDropPath: ${{parameters.outputPath}}
|
||||
ManifestDirPath: ${{parameters.outputPath}}\_manifest\$(BuildPlatform)\$(BuildConfiguration)
|
||||
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
|
||||
displayName: 📒 Generate Manifest
|
||||
inputs:
|
||||
BuildDropPath: ${{parameters.outputPath}}
|
||||
ManifestDirPath: ${{parameters.outputPath}}\_manifest\$(BuildPlatform)\$(BuildConfiguration)
|
||||
|
||||
# Guardian does not handle custom builds, so manually running Binskim
|
||||
- task: BinSkim@3
|
||||
displayName: Run Binskim Analysis
|
||||
inputs:
|
||||
InputType: 'Basic'
|
||||
Function: 'analyze'
|
||||
AnalyzeTarget: $(Build.ArtifactStagingDirectory)/**/*.dll
|
||||
AnalyzeVerbose: true
|
||||
toolVersion: 'LatestPreRelease'
|
||||
continueOnError: true
|
||||
condition: and(eq(variables.BuildConfiguration, 'Release'), not(eq(variables.BuildPlatform, 'arm64')))
|
||||
# Guardian does not handle custom builds, so manually running Binskim
|
||||
- task: BinSkim@3
|
||||
displayName: Run Binskim Analysis
|
||||
inputs:
|
||||
InputType: 'Basic'
|
||||
Function: 'analyze'
|
||||
AnalyzeTarget: $(Build.ArtifactStagingDirectory)/**/*.dll
|
||||
AnalyzeVerbose: true
|
||||
toolVersion: 'LatestPreRelease'
|
||||
continueOnError: true
|
||||
condition: and(eq(variables.BuildConfiguration, 'Release'), not(eq(variables.BuildPlatform, 'arm64')))
|
||||
|
||||
- task: PublishBuildArtifacts@1
|
||||
displayName: "Publish artifacts"
|
||||
inputs:
|
||||
artifactName: V8Jsi
|
||||
pathtoPublish: ${{parameters.outputPath}}
|
||||
- task: PublishBuildArtifacts@1
|
||||
displayName: "Publish artifacts"
|
||||
inputs:
|
||||
artifactName: V8Jsi
|
||||
pathtoPublish: ${{parameters.outputPath}}
|
||||
|
||||
- task: ComponentGovernanceComponentDetection@0
|
||||
- task: ComponentGovernanceComponentDetection@0
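Review bot: With every step from the first `ComponentGovernanceComponentDetection@0` through `BinSkim@3` now nested under `- ${{ if not(parameters.isPublish) }}:`, the explicit BinSkim scan of `$(Build.ArtifactStagingDirectory)/**/*.dll` no longer runs in the publishing build, although the retained comment says Guardian does not handle this custom build. Nothing visible in this commit points the pipeline template's SDL scan at those DLLs, so confirm the shipped binaries are still analysed, or keep the BinSkim step outside the conditional. Where the step does run, `continueOnError: true` and `toolVersion: 'LatestPreRelease'` mean findings never fail the build and the scanner version floats; consider pinning the version and dropping `continueOnError` for Release builds. The nesting is inferred from the doubled old/new lines, because this page has lost indentation and the +/- markers.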
|
||||
|
|
|
@ -11,11 +11,15 @@ trigger:
|
|||
- README.md
|
||||
- docs/*
|
||||
|
||||
pool: OE-OfficePublic
|
||||
resources:
|
||||
repositories:
|
||||
- repository: OfficePipelineTemplates
|
||||
type: git
|
||||
name: 1ESPipelineTemplates/OfficePipelineTemplates
|
||||
ref: refs/tags/release
|
||||
|
||||
variables:
|
||||
- group: V8-Jsi Secrets
|
||||
- group: InfoSec-SecurityResults
|
||||
- name: ArtifactServices.Symbol.AccountName
|
||||
value: microsoft
|
||||
- name: ArtifactServices.Symbol.PAT
|
||||
|
@ -23,5 +27,24 @@ variables:
|
|||
- name: tags
|
||||
value: production,externalfacing
|
||||
|
||||
jobs:
|
||||
- template: windows-jobs.yml
|
||||
extends:
|
||||
template: v1/Office.Official.PipelineTemplate.yml@OfficePipelineTemplates
|
||||
parameters:
|
||||
pool:
|
||||
name: Azure-Pipelines-1ESPT-ExDShared
|
||||
image: windows-latest
|
||||
os: windows
|
||||
sdl:
|
||||
baseline:
|
||||
baselineFile: $(Build.SourcesDirectory)\.ado\guardian\SDL\.gdnbaselines
|
||||
eslint:
|
||||
enableExclusions: true
|
||||
# This repo does not ship any javascript code. But has many test cases for the js engine that fail parsing, have code considered insecure and crash eslint.
|
||||
exclusionPatterns: |
|
||||
'**/*.[jt]s'
|
||||
stages:
|
||||
- stage: main
|
||||
jobs:
|
||||
- template: .ado/windows-jobs.yml@self
|
||||
parameters:
|
||||
isPublish: true
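Review bot: The ESLint exclusion `'**/*.[jt]s'` under `sdl.eslint.exclusionPatterns` turns off JavaScript/TypeScript analysis for the whole repository, not only for the engine test cases the comment above it describes. The Guardian config deleted by this same commit located those files under `src/napi/test/js-native-api`, so a scoped pattern such as `src/napi/test/js-native-api/**/*.[jt]s` (if the template's glob syntax accepts it) would keep any script added elsewhere later under analysis. Also check whether the single quotes are intended: inside a `|` block scalar they are part of the value rather than YAML quoting.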
|
|
@ -1,3 +1,8 @@
|
|||
parameters:
|
||||
- name: isPublish
|
||||
type: boolean
|
||||
default : false
|
||||
|
||||
jobs:
|
||||
- job: V8JsiBuild
|
||||
timeoutInMinutes: 300
|
||||
|
@ -31,7 +36,12 @@ jobs:
|
|||
BuildConfiguration: Release
|
||||
BuildPlatform: arm64
|
||||
AppPlatform: win32
|
||||
|
||||
${{ if parameters.isPublish }}:
|
||||
templateContext:
|
||||
outputs:
|
||||
- output: buildArtifacts
|
||||
PathtoPublish: $(Build.ArtifactStagingDirectory)
|
||||
ArtifactName: V8Jsi
|
||||
steps:
|
||||
- task: UsePythonVersion@0
|
||||
inputs:
|
||||
|
@ -43,12 +53,20 @@ jobs:
|
|||
parameters:
|
||||
outputPath: $(Build.ArtifactStagingDirectory)
|
||||
appPlatform: $(AppPlatform)
|
||||
isPublish: ${{ parameters.isPublish }}
|
||||
|
||||
- job: V8JsiPublishNuget
|
||||
condition: not(eq(variables['Build.Reason'], 'PullRequest'))
|
||||
dependsOn:
|
||||
- V8JsiBuild
|
||||
displayName: Publish Nuget
|
||||
${{ if not(parameters.isPublish) }}:
|
||||
templateContext:
|
||||
outputs:
|
||||
- output: pipelineArtifact
|
||||
targetPath: $(System.DefaultWorkingDirectory)\NugetRootFinal
|
||||
artifactName: "V8Jsi-final-nuget"
|
||||
|
||||
steps:
|
||||
- checkout: none
|
||||
|
||||
|
@ -96,14 +114,15 @@ jobs:
|
|||
}
|
||||
displayName: Verify NuGet packages creation
|
||||
|
||||
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
|
||||
displayName: 📒 Generate Manifest NuGet
|
||||
condition: not(eq(variables['Build.Reason'], 'PullRequest'))
|
||||
inputs:
|
||||
BuildDropPath: $(System.DefaultWorkingDirectory)\NugetRootFinal
|
||||
- ${{ if not(parameters.isPublish) }}:
|
||||
- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0
|
||||
displayName: 📒 Generate Manifest NuGet
|
||||
condition: not(eq(variables['Build.Reason'], 'PullRequest'))
|
||||
inputs:
|
||||
BuildDropPath: $(System.DefaultWorkingDirectory)\NugetRootFinal
|
||||
|
||||
- task: PublishBuildArtifacts@1
|
||||
displayName: "Publish final nuget artifacts"
|
||||
inputs:
|
||||
PathtoPublish: $(System.DefaultWorkingDirectory)\NugetRootFinal
|
||||
ArtifactName: "V8Jsi-final-nuget"
|
||||
- task: PublishBuildArtifacts@1
|
||||
displayName: "Publish final nuget artifacts"
|
||||
inputs:
|
||||
PathtoPublish: $(System.DefaultWorkingDirectory)\NugetRootFinal
|
||||
ArtifactName: "V8Jsi-final-nuget"
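Review bot: The `templateContext` added to `V8JsiPublishNuget` is guarded by `${{ if not(parameters.isPublish) }}:`, the opposite of the `${{ if parameters.isPublish }}:` guard on `V8JsiBuild`, and the explicit `PublishBuildArtifacts@1` step for `V8Jsi-final-nuget` appears to sit under the same `not(parameters.isPublish)` condition. If that reading is right, the publishing pipeline declares no output for the final NuGet package, while the non-publishing path gets both routes for the same artifact name. The guard on the job's `templateContext` probably should read `${{ if parameters.isPublish }}:`. Indentation and +/- markers are lost on this page, so the nesting of the later steps is inferred from the doubled lines; a short comment above each guard saying which pipeline it serves would make the intent checkable.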
|
||||
|
|
|
@ -1,22 +0,0 @@
|
|||
{
|
||||
"Enabled": true,
|
||||
"Tools": {
|
||||
"CredScan": {
|
||||
"Enabled": true
|
||||
},
|
||||
"ESLint": {
|
||||
"Enabled": false,
|
||||
"_justification": "The only js and ts files are under src/napi/test/js-native-api which don't ship and need to test all patterns of the js engine causing false positives and even crashes in eslint."
|
||||
},
|
||||
"BinSkim": {
|
||||
"Enabled": true,
|
||||
"Inputs": {
|
||||
"AnalyzeTargetGlob": "",
|
||||
"AnalyzeSymPath": ""
|
||||
}
|
||||
},
|
||||
"SDLNativeRules": {
|
||||
"Enabled": true
|
||||
}
|
||||
}
|
||||
}
|