Add PackageES Security and Compliance task to build (#6766)

build/AzurePipelinesTemplates/MUX-BuildDevProject-Steps.yml

@@ -10,6 +10,9 @@ steps:
       buildOutputDir: $(buildOutputDir)
       publishDir: $(publishDir)
 
+  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+    displayName: 'Component Detection'
+
   - task: 333b11bd-d341-40d9-afcf-b32d5ce6f23b@2
     displayName: 'NuGet restore MUXExperimental.sln'
     inputs:
@@ -33,6 +36,24 @@ steps:
       PathtoPublish: $(Build.SourcesDirectory)/MUXExperimental.sln.$(buildPlatform).$(buildConfiguration).binlog
       artifactName: drop
 
+  # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp
+  # These are processed by the Compliance Job (defined in MUX-ComplianceChecks-Job.yml)
+  # Note, only Debug builds are configured to run the code analysis tool.
+  - task: CopyFiles@1
+    displayName: 'Copy nativecodeanalysis xml files'
+    condition: eq(variables['buildConfiguration'], 'Debug')
+    inputs:
+      SourceFolder: '$(buildOutputDir)'
+      Contents: |
+        **\*.nativecodeanalysis.xml
+      TargetFolder: '$(Agent.BuildDirectory)\nativecodeanalysis'
+  - task: PublishBuildArtifacts@1
+    displayName: 'Publish artifact: nativecodeanalysis'
+    condition: eq(variables['buildConfiguration'], 'Debug')
+    inputs:
+      PathtoPublish: '$(Agent.BuildDirectory)\nativecodeanalysis'
+      artifactName: nativecodeanalysis
+
   - ${{ if eq( parameters.signOutput, true) }}:
     - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
       displayName: 'CodeSign'

build/AzurePipelinesTemplates/MUX-ComplianceChecks-Job.yml

@@ -0,0 +1,109 @@
+parameters:
+  dependsOn: ''
+
+jobs:
+- job: Compliance
+  dependsOn:
+    - ${{ parameters.dependsOn }}
+
+  pool: 
+    name: WinDevPool-L
+    demands: ImageOverride -equals WinDevVS16-9
+
+  variables:
+    publishDir : $(Build.ArtifactStagingDirectory)
+    artifactsDir: $(Build.SourcesDirectory)\Artifacts
+
+  steps:
+
+  - task: PkgESSetupBuild@12
+    displayName: Package ES - Setup Build
+    inputs:
+      disableOutputRedirect: true
+
+  - template: MUX-InstallNuget-Steps.yml
+
+  - task: NuGetAuthenticate@0
+
+  - task: NodeTool@0
+
+  # This is the artifact that contains the binaries that we want to scan.
+  - task: DownloadBuildArtifacts@0 
+    inputs: 
+      artifactName: cbs
+      downloadPath: '$(artifactsDir)'
+
+
+# SDLNativeRules
+# The nativecodeanalysis.xml files are created in the Build job as part of running the C++ Core Guidlines checked. We download them from the artifact and copy them
+# to the directory that the SDLNativeRules job expects them to be in.
+  - task: DownloadBuildArtifacts@0 
+    inputs: 
+      artifactName: nativecodeanalysis
+      downloadPath: '$(artifactsDir)'
+  - task: CopyFiles@1
+    displayName: 'Copy nativecodeanalysis xml files to SDLNativeRulesDir'
+    inputs:
+      SourceFolder: '$(artifactsDir)\nativecodeanalysis'
+      Contents: |
+        **\*.nativecodeanalysis.xml
+      TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules'
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3
+    displayName: 'Run the PREfast SDL Native Rules for MSBuild'
+    inputs:
+      copyLogsOnly: true
+
+  # https://www.1eswiki.com/index.php?title=PoliCheck_Build_Task
+  # Scans the text of source code, comments, and content for terminology that could be sensitive for legal, cultural, or geopolitical reasons.
+  - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
+    displayName: 'Run PoliCheck'
+    inputs:
+      result: PoliCheck.xml
+      optionsFC: 1 # scan comments
+
+  # https://www.osgwiki.com/wiki/Package_ES_Security_and_Compliance
+  # Does a few things:
+  # - Ensures that Windows-required compliance tasks are run either inside this task
+  #   or were run as a previous step prior to this one
+  #   (PREfast, PoliCheck, Credscan)
+  # - Runs Windows-specific compliance tasks inside the task
+  #   + CheckCFlags - ensures that compiler and linker flags meet Windows standards
+  #   + CFGCheck/XFGCheck - ensures that Control Flow Guard (CFG) or 
+  #                         eXtended Flow Guard (XFG) are enabled on binaries
+  #                         NOTE: CFG is deprecated and XFG isn't fully ready yet.
+  #                         NOTE2: CFG fails on an XFG'd binary
+  # - Brokers all security/compliance task logs to "Trust Services Automation (TSA)" (https://aka.ms/tsa)
+  #   which is a system that maps all errors into the appropriate bug database 
+  #   template for each organization since they all vary. It should also suppress
+  #   new bugs when one already exists for the product.
+  #   This one is set up to go to the OS repository and use the given parameters
+  #   to file bugs to our AzDO product path.
+  # Note: This task goes *LAST* after any other compliance tasks so it catches their logs
+  - task: PkgESSecComp@10
+    displayName: 'Security and Compliance tasks'
+    inputs:
+      fileNewBugs: true
+      errOnBugs: true
+      scanAll: true
+      taskLogVerbosity: Diagnostic
+      areaPath: 'OS\WDX\DXP\WinDev\Controls'
+      iterationPath: OS
+      secCompConfigFromTask: |
+        # Overrides default build sources directory
+        sourceTargetOverrideAll: $(Build.SourcesDirectory)
+
+        # Overrides default build binaries directory when "Scan all" option is specified
+        binariesTargetOverrideAll: $(artifactsDir)\cbs
+
+        # Set the tools to false if they should not run in the build
+        tools:
+            - toolName: CheckCFlags
+              enable: true
+            - toolName: CFGCheck
+              enable: true
+            - toolName: Policheck
+              enable: true
+            - toolName: CredScan
+              enable: true
+            - toolName: XFGCheck
+              enable: false

build/MUX-Release.yml

@@ -18,6 +18,9 @@ jobs:
   strategy:
     maxParallel: 10
     matrix:
+      Debug_x86:
+        buildPlatform: 'x86'
+        buildConfiguration: 'Debug'
       Release_x86:
         buildPlatform: 'x86'
         buildConfiguration: 'Release'
@@ -37,6 +40,7 @@ jobs:
     appxPackageDir : $(build.artifactStagingDirectory)\$(buildConfiguration)\$(buildPlatform)\AppxPackages
     buildOutputDir : $(Build.SourcesDirectory)\BuildOutput
     publishDir : $(Build.ArtifactStagingDirectory)
+    artifactsDir: $(Build.SourcesDirectory)\Artifacts
     sbomdir: $(Build.ArtifactStagingDirectory)\sbom\$(buildConfiguration)\$(buildPlatform)
   steps:
 
@@ -84,6 +88,10 @@ jobs:
   parameters:
     dependsOn: Build
 
+- template: AzurePipelinesTemplates\MUX-ComplianceChecks-Job.yml
+  parameters:
+    dependsOn: CreateVPack
+
 # Build solution that depends on nuget package
 - template: AzurePipelinesTemplates\MUX-NugetReleaseTest-Job.yml
   parameters:

dev/GeneratedExperimental/TitleBar.properties.cpp

@@ -92,7 +92,7 @@ void TitleBarProperties::EnsureProperties()
                 winrt::name_of<winrt::TitleBar>(),
                 false /* isAttached */,
                 ValueHelper<winrt::hstring>::BoxedDefaultValue(),
-                nullptr);
+                winrt::PropertyChangedCallback(&OnTitlePropertyChanged));
     }
 }
 
@@ -130,6 +130,14 @@ void TitleBarProperties::OnIsBackButtonVisiblePropertyChanged(
     winrt::get_self<TitleBar>(owner)->OnIsBackButtonVisiblePropertyChanged(args);
 }
 
+void TitleBarProperties::OnTitlePropertyChanged(
+    winrt::DependencyObject const& sender,
+    winrt::DependencyPropertyChangedEventArgs const& args)
+{
+    auto owner = sender.as<winrt::TitleBar>();
+    winrt::get_self<TitleBar>(owner)->OnTitlePropertyChanged(args);
+}
+
 void TitleBarProperties::CustomContent(winrt::IInspectable const& value)
 {
     [[gsl::suppress(con)]]

dev/GeneratedExperimental/TitleBar.properties.h

@@ -60,4 +60,8 @@ class TitleBarProperties
     static void OnIsBackButtonVisiblePropertyChanged(
         winrt::DependencyObject const& sender,
         winrt::DependencyPropertyChangedEventArgs const& args);
+
+    static void OnTitlePropertyChanged(
+        winrt::DependencyObject const& sender,
+        winrt::DependencyPropertyChangedEventArgs const& args);
 };

dev/dll/Microsoft.UI.Xaml.Common.targets

@@ -41,6 +41,7 @@
       <GenerateMapFile>true</GenerateMapFile>
       <LinkTimeCodeGeneration Condition="'$(Configuration)'=='Release'">UseLinkTimeCodeGeneration</LinkTimeCodeGeneration>
       <AdditionalOptions Condition="'$(Configuration)'=='Release'">/debugtype:cv,fixup %(AdditionalOptions)</AdditionalOptions>
+      <AdditionalOptions>/Brepro %(AdditionalOptions)</AdditionalOptions>
       <AdditionalLibraryDirectories Condition="'$(Platform)'=='x64'">%(AdditionalLibraryDirectories);$(VC_LibraryPath_VC_x64_Desktop)</AdditionalLibraryDirectories>
       <AdditionalLibraryDirectories Condition="'$(Platform)'=='Win32'">%(AdditionalLibraryDirectories);$(VC_LibraryPath_VC_x86_Desktop)</AdditionalLibraryDirectories>
       <AdditionalLibraryDirectories Condition="'$(Platform)'=='arm'">%(AdditionalLibraryDirectories);$(VC_LibraryPath_VC_arm_Desktop)</AdditionalLibraryDirectories>
@@ -74,7 +75,7 @@
         $(MiniWindowsSDKIncludePath);
       </AdditionalIncludeDirectories>
       <AdditionalOptions>/std:c++17 /bigobj %(AdditionalOptions)</AdditionalOptions>
-      <AdditionalOptions>/Wv:18 %(AdditionalOptions)</AdditionalOptions>
+      <AdditionalOptions>/Wv:18 /ZH:SHA_256 /Brepro %(AdditionalOptions)</AdditionalOptions>
       <AdditionalOptions Condition="'$(Configuration)'=='Release'">%(AdditionalOptions) /d2FH4</AdditionalOptions>
       <WarningLevel>Level4</WarningLevel>
       <TreatWarningAsError>true</TreatWarningAsError>

dev/dll/Microsoft.UI.Xaml.vcxproj

@@ -1,10 +1,8 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!-- Copyright (c) Microsoft Corporation. All rights reserved. Licensed under the MIT License. See LICENSE in the project root for license information. -->
 <Project DefaultTargets="Build" ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-
   <Import Project="$(MSBuildThisFileDirectory)Microsoft.UI.Xaml.Common.props" />
-
-  <PropertyGroup  Label="Globals">
+  <PropertyGroup Label="Globals">
     <ProjectGuid>{ad0c90b0-4845-4d4b-88f1-86f653f8171b}</ProjectGuid>
     <Keyword>DynamicLibrary</Keyword>
     <TargetName>$(MUXTargetName)</TargetName>
@@ -14,15 +12,16 @@
     <ProjectWinMDName>Microsoft.UI.winmd</ProjectWinMDName>
     <DependencyPropertyCodeGenOutputDirectory>$(MSBuildThisFileDirectory)..\Generated</DependencyPropertyCodeGenOutputDirectory>
   </PropertyGroup>
-
   <Import Condition="'$(Configuration)' == 'Release'" Project="$(MSBuildProjectDirectory)\..\..\PGO.compile.props" />
   <Import Condition="'$(PGOBuildMode)' == 'Optimize'" Project="$(MSBuildProjectDirectory)\..\..\tools\MUXPGODatabase\PGO.version.props" />
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
-
   <ItemDefinitionGroup>
     <Link>
       <ModuleDefinitionFile>Microsoft.UI.Xaml.def</ModuleDefinitionFile>
     </Link>
+    <ClCompile>
+      <AdditionalOptions>/ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
+    </ClCompile>
   </ItemDefinitionGroup>
   <ItemGroup>
     <Midl Include="..\..\idl\Microsoft.UI.Xaml.idl" />
@@ -113,6 +112,5 @@
       <ControlsResourcesVersion1>true</ControlsResourcesVersion1>
     </CompactPage>
   </ItemGroup>
-
   <Import Project="$(MSBuildThisFileDirectory)Microsoft.UI.Xaml.Common.targets" />
 </Project>

dev/dll/Microsoft.UI.Xaml.vcxproj.filters

@@ -29,9 +29,8 @@
     <ClCompile Include="FloatUtil.cpp" />
     <ClCompile Include="RegUtil.cpp" />
     <ClCompile Include="CommandingHelpers.cpp" />
-    <ClCompile Include="$(MSBuildThisFileDirectory)..\Generated\XamlControlsResources.properties.cpp" />
     <ClCompile Include="XamlControlsResources.cpp" />
-    <ClCompile Include="..\..\BuildOutput\Intermediates\$(Platform)\Microsoft.UI.Xaml\obj\Generated Files\module.g.cpp" />
+    <ClCompile Include="$(DependencyPropertyCodeGenOutputDirectory)\XamlControlsResources.properties.cpp" />
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="pch.h" />
@@ -100,7 +99,6 @@
     <ClInclude Include="version.h" />
   </ItemGroup>
   <ItemGroup>
-    <None Include="Microsoft.UI.Xaml.def" />
     <None Include="packages.config" />
     <None Include="$(OutDir)XamlMetadataProviderWindowsCodeGen.cs" />
     <None Include="XamlMetadataProviderGenerated.tt" />