-
Notifications
You must be signed in to change notification settings - Fork 677
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add PackageES Security and Compliance task to build (#6766)
- Loading branch information
Showing
8 changed files
with
158 additions
and
11 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
109 changes: 109 additions & 0 deletions
109
build/AzurePipelinesTemplates/MUX-ComplianceChecks-Job.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,109 @@ | ||
parameters: | ||
dependsOn: '' | ||
|
||
jobs: | ||
- job: Compliance | ||
dependsOn: | ||
- ${{ parameters.dependsOn }} | ||
|
||
pool: | ||
name: WinDevPool-L | ||
demands: ImageOverride -equals WinDevVS16-9 | ||
|
||
variables: | ||
publishDir : $(Build.ArtifactStagingDirectory) | ||
artifactsDir: $(Build.SourcesDirectory)\Artifacts | ||
|
||
steps: | ||
|
||
- task: PkgESSetupBuild@12 | ||
displayName: Package ES - Setup Build | ||
inputs: | ||
disableOutputRedirect: true | ||
|
||
- template: MUX-InstallNuget-Steps.yml | ||
|
||
- task: NuGetAuthenticate@0 | ||
|
||
- task: NodeTool@0 | ||
|
||
# This is the artifact that contains the binaries that we want to scan. | ||
- task: DownloadBuildArtifacts@0 | ||
inputs: | ||
artifactName: cbs | ||
downloadPath: '$(artifactsDir)' | ||
|
||
|
||
# SDLNativeRules | ||
# The nativecodeanalysis.xml files are created in the Build job as part of running the C++ Core Guidlines checked. We download them from the artifact and copy them | ||
# to the directory that the SDLNativeRules job expects them to be in. | ||
- task: DownloadBuildArtifacts@0 | ||
inputs: | ||
artifactName: nativecodeanalysis | ||
downloadPath: '$(artifactsDir)' | ||
- task: CopyFiles@1 | ||
displayName: 'Copy nativecodeanalysis xml files to SDLNativeRulesDir' | ||
inputs: | ||
SourceFolder: '$(artifactsDir)\nativecodeanalysis' | ||
Contents: | | ||
**\*.nativecodeanalysis.xml | ||
TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' | ||
- task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 | ||
displayName: 'Run the PREfast SDL Native Rules for MSBuild' | ||
inputs: | ||
copyLogsOnly: true | ||
|
||
# https://www.1eswiki.com/index.php?title=PoliCheck_Build_Task | ||
# Scans the text of source code, comments, and content for terminology that could be sensitive for legal, cultural, or geopolitical reasons. | ||
- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 | ||
displayName: 'Run PoliCheck' | ||
inputs: | ||
result: PoliCheck.xml | ||
optionsFC: 1 # scan comments | ||
|
||
# https://www.osgwiki.com/wiki/Package_ES_Security_and_Compliance | ||
# Does a few things: | ||
# - Ensures that Windows-required compliance tasks are run either inside this task | ||
# or were run as a previous step prior to this one | ||
# (PREfast, PoliCheck, Credscan) | ||
# - Runs Windows-specific compliance tasks inside the task | ||
# + CheckCFlags - ensures that compiler and linker flags meet Windows standards | ||
# + CFGCheck/XFGCheck - ensures that Control Flow Guard (CFG) or | ||
# eXtended Flow Guard (XFG) are enabled on binaries | ||
# NOTE: CFG is deprecated and XFG isn't fully ready yet. | ||
# NOTE2: CFG fails on an XFG'd binary | ||
# - Brokers all security/compliance task logs to "Trust Services Automation (TSA)" (https://aka.ms/tsa) | ||
# which is a system that maps all errors into the appropriate bug database | ||
# template for each organization since they all vary. It should also suppress | ||
# new bugs when one already exists for the product. | ||
# This one is set up to go to the OS repository and use the given parameters | ||
# to file bugs to our AzDO product path. | ||
# Note: This task goes *LAST* after any other compliance tasks so it catches their logs | ||
- task: PkgESSecComp@10 | ||
displayName: 'Security and Compliance tasks' | ||
inputs: | ||
fileNewBugs: true | ||
errOnBugs: true | ||
scanAll: true | ||
taskLogVerbosity: Diagnostic | ||
areaPath: 'OS\WDX\DXP\WinDev\Controls' | ||
iterationPath: OS | ||
secCompConfigFromTask: | | ||
# Overrides default build sources directory | ||
sourceTargetOverrideAll: $(Build.SourcesDirectory) | ||
# Overrides default build binaries directory when "Scan all" option is specified | ||
binariesTargetOverrideAll: $(artifactsDir)\cbs | ||
# Set the tools to false if they should not run in the build | ||
tools: | ||
- toolName: CheckCFlags | ||
enable: true | ||
- toolName: CFGCheck | ||
enable: true | ||
- toolName: Policheck | ||
enable: true | ||
- toolName: CredScan | ||
enable: true | ||
- toolName: XFGCheck | ||
enable: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters