[ci] Update tasks in code check job (#603)

2023-02-04 00:17:32 -06:00 · 2023-02-04 00:17:32 -06:00 · cfbb3763fa
--- a/.ci/build.yml
+++ b/.ci/build.yml
@ -40,6 +40,7 @@ parameters:
  namesFilter: ''                                           # [manifest, directories] the names of the items to build
  targetsFilter: 'ci'                                       # [manifest, directories] the targets of the items to build
  runCodeQL: 'false'
+  tsaOptionsPath: '$(Build.SourcesDirectory)/.ci/tsaoptions.json'

 jobs:
  - job: ${{ parameters.name }}
@ -50,7 +51,7 @@ jobs:
    variables:
      Codeql.Enabled: ${{ parameters.runCodeQL }}
      Codeql.TSAEnabled: true
-      Codeql.TSAOptionsPath: '.ci/tsaoptions.json'
+      Codeql.TSAOptionsPath: ${{ parameters.tsaOptionsPath }}
    pool:
      vmImage: ${{ parameters.macosImage }}
    steps:
@ -333,7 +334,7 @@ jobs:
  - ${{ if and(eq(parameters.runChecks, 'true'), eq(variables['System.TeamProject'], 'devdiv')) }}:
    - job: ${{ parameters.name }}_checks
      displayName: 'Run required code checks'
-      condition: eq('refs/heads/${{ parameters.masterBranchName }}', variables['Build.SourceBranch'])
+      condition: or(eq('refs/heads/${{ parameters.masterBranchName }}', variables['Build.SourceBranch']), eq('refs/heads/update-codecheck-tasks', variables['Build.SourceBranch']))
      pool:
        name: 'Hosted Windows 2019 with VS2019'
      steps:
@ -344,55 +345,44 @@ jobs:
            $CODEBASE_NAME = $repo + "_" + $branch
            echo "Using codebase: $CODEBASE_NAME"
            Write-Host "##vso[task.setvariable variable=CODEBASE_NAME]$CODEBASE_NAME"
-        - task: CredScan@2
+        - task: CredScan@3
          displayName: 'Analyze source for credentials'
+        - task: PoliCheck@2
          inputs:
-            toolMajorVersion: 'V2'
-        - task: PoliCheck@1
-          inputs:
-            inputType: 'Basic'
-            targetType: 'F'
-        - task: SdtReport@1
+            targetType: F
+            targetArgument: '$(Build.SourcesDirectory)'
+        - task: SdtReport@2
          displayName: 'Create security analysis report'
          inputs:
-            AllTools: false
-            APIScan: false
-            BinSkim: false
-            CodesignValidation: false
-            CredScan: true
-            FortifySCA: false
-            FxCop: false
-            ModernCop: false
-            MSRD: false
-            PoliCheck: true
-            RoslynAnalyzers: false
-            SDLNativeRules: false
-            Semmle: false
-            TSLint: false
-            ToolLogsNotFoundAction: 'Standard'
+            GdnExportAllTools: false
+            GdnExportGdnToolApiScan: false
+            GdnExportGdnToolArmory: false
+            GdnExportGdnToolBandit: false
+            GdnExportGdnToolBinSkim: false
+            GdnExportGdnToolCodesignValidation: false
+            GdnExportGdnToolCredScan: true
+            GdnExportGdnToolCredScanSeverity: 'Default'
+            GdnExportGdnToolCSRF: false
+            GdnExportGdnToolDetekt: false
+            GdnExportGdnToolESLint: false
+            GdnExportGdnToolFlawfinder: false
+            GdnExportGdnToolFortifySca: false
+            GdnExportGdnToolFxCop: false
+            GdnExportGdnToolGosec: false
+            GdnExportGdnToolModernCop: false
+            GdnExportGdnToolPoliCheck: true
+            GdnExportGdnToolPoliCheckSeverity: 'Default'
+            GdnExportGdnToolRoslynAnalyzers: false
+            GdnExportGdnToolPSScriptAnalyzer: false
+            GdnExportGdnToolSDLNativeRules: false
+            GdnExportGdnToolSemmle: false
+            GdnExportGdnToolSpotBugs: false
+            GdnExportGdnToolTSLint: false
        - task: PublishSecurityAnalysisLogs@3
          displayName: 'Publish security analysis logs'
-        - task: TSAUpload@1
+        - task: TSAUpload@2
          continueOnError: true
          inputs:
-            tsaVersion: 'TsaV2'
-            codebase: 'NewOrUpdate'
-            tsaEnvironment: 'PROD'
-            codeBaseName: '$(CODEBASE_NAME)'
-            notificationAlias: 'xamacomd@microsoft.com'
-            notifyAlwaysV2: false
-            instanceUrlForTsaV2: 'DEVDIV'
-            projectNameDEVDIV: 'DevDiv'
-            areaPath: '${{ parameters.areaPath }}'
-            iterationPath: 'DevDiv\Future Backlog'
-            uploadAPIScan: false
-            uploadBinSkim: false
-            uploadCredScan: true
-            uploadFortifySCA: false
-            uploadFxCop: false
-            uploadModernCop: false
-            uploadPoliCheck: true
-            uploadPREfast: false
-            uploadRoslyn: false
-            uploadTSLint: false
-            uploadAsync: true
+            GdnPublishTsaOnboard: true
+            GdnPublishTsaConfigFile: ${{ parameters.tsaOptionsPath }}
+            GdnPublishTsaExportedResultsPublishable: true
--- a/.ci/tsaoptions.json
+++ b/.ci/tsaoptions.json
@ -1,5 +1,5 @@
 {
-    "codebaseName": "xamarin_GoogleApisForiOSComponents",
+    "codebaseName": "GoogleApisForiOSComponents_main",
    "notificationAliases": [
        "xamacomd@microsoft.com"
    ],
@ -10,5 +10,8 @@
    "projectName": "DevDiv",
    "areaPath": "DevDiv\\VS Client - Runtime SDKs\\[Archived] Components",
    "iterationPath": "DevDiv\\Future Backlog",
-    "allTools": true
+    "tools": [
+        "CredScan",
+        "PoliCheck"
+    ]
 }