# Template parameters for the Run_SDL job defined below. All of these are compile-time template
# parameters supplied by the calling pipeline; none of them are populated from runtime input.
parameters:
  # Whether the SDL validation job should execute or not. Kept as a string because the job's
  # runtime 'condition' compares it against the literal 'true'.
  enable: 'false'
  # Optional: a complete replacement for the argument list passed to executeAllSdlToolsScript.
  # When non-empty it is spliced verbatim (unquoted) onto the PowerShell command line and the
  # default -GuardianPackageName / -NugetPackageDirectory / -AzureDevOpsAccessToken arguments
  # (and additionalParameters) are not added.
  overrideParameters: ''
  # Optional: extra arguments appended verbatim to the default command line, e.g.
  # '-SourceToolsList @("abc","def") -ArtifactToolsList @("ghi","jkl")'. Like overrideParameters
  # this is neither quoted nor escaped, so never populate it from untrusted runtime data.
  additionalParameters: ''
  # Optional: if specified, restore and use this version of Guardian instead of the default.
  # The value replaces the default version inside eng/common/sdl/packages.config before the
  # NuGet restore runs.
  overrideGuardianVersion: ''
  # Optional: if true, publish the '.gdn' folder as a pipeline artifact. This can help with in-depth
  # diagnosis of problems with specific tool configurations. The published folder also contains the
  # tool results, which become readable by anyone with access to the pipeline's artifacts.
  publishGuardianDirectoryToPipeline: false
  # The script to run to execute all SDL tools. Use this if you want to use a script to define SDL
  # parameters rather than relying on YAML. It may be better to use a local script, because you can
  # reproduce results locally without piecing together a command based on the YAML.
  executeAllSdlToolsScript: 'eng/common/sdl/execute-all-sdl-tools.ps1'
  # Optional: determines whether the job continues when an extract or "Execute SDL" step errors;
  # it is applied as 'continueOnError' on each of those steps.
  # There is some sort of bug (has been reported) in Azure DevOps where if this parameter is named
  # 'continueOnError', the parameter value is not correctly picked up.
  # This can also be remedied by the caller (post-build.yml) if it does not use a nested parameter.
  sdlContinueOnError: false
  # Optional: determines if build artifacts should be downloaded.
  downloadArtifacts: true
  # Optional: determines if this job should search the directory of downloaded artifacts for
  # 'tar.gz' and 'zip' archive files and extract them before running SDL validation tasks.
  extractArchiveArtifacts: false
  # Optional: dependencies of the job.
  dependsOn: ''
  # Optional: patterns supplied to DownloadBuildArtifacts. When empty, a single download task with
  # itemPattern "**" is emitted; otherwise one task per listed artifact name.
  # Usage:
  #   artifactNames:
  #     - 'BlobArtifacts'
  #     - 'Artifacts_Windows_NT_Release'
  artifactNames: ''
  # Optional: download a list of pipeline artifacts. 'downloadArtifacts' controls build artifacts,
  # not pipeline artifacts, so doesn't affect the use of this parameter.
  pipelineArtifactNames: []
  # Optional: location and ID of the AzDO build that the build/pipeline artifacts should be
  # downloaded from. By default, uses runtime expressions to decide based on the variables set by
  # the 'setupMaestroVars' dependency. Overriding this parameter is necessary if SDL tasks are
  # running without Maestro++/BAR involved, or to download artifacts from a specific existing build
  # to iterate quickly on SDL changes.
  AzDOProjectName: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOProjectName'] ]
  AzDOPipelineId: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOPipelineId'] ]
  AzDOBuildId: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOBuildId'] ]
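# Run_SDL: check out the repo, fetch the artifacts of the build identified by
# AzDOProjectName/AzDOPipelineId/AzDOBuildId, unpack them, restore the pinned Guardian CLI with
# NuGet and run executeAllSdlToolsScript over the result. Optionally publishes the '.gdn' folder.
jobs:
- job: Run_SDL
  dependsOn: ${{ parameters.dependsOn }}
  displayName: Run SDL tool
  # 'enable' is a string template parameter; the job is always emitted but only runs when it is 'true'.
  condition: eq( ${{ parameters.enable }}, 'true')
  variables:
    # Source of $(dn-bot-dotnet-build-rw-code-rw), the access token handed to the SDL script below.
    - group: DotNet-VSTS-Bot
    - name: AzDOProjectName
      value: ${{ parameters.AzDOProjectName }}
    - name: AzDOPipelineId
      value: ${{ parameters.AzDOPipelineId }}
    - name: AzDOBuildId
      value: ${{ parameters.AzDOBuildId }}
    # The Guardian version specified in 'eng/common/sdl/packages.config'. This value must be kept in
    # sync with the packages.config file.
    - name: DefaultGuardianVersion
      value: 0.53.3
    # Effective Guardian version: the override when the caller supplied one, otherwise the default.
    - name: GuardianVersion
      value: ${{ coalesce(parameters.overrideGuardianVersion, '$(DefaultGuardianVersion)') }}
    - name: GuardianPackagesConfigFile
      value: $(Build.SourcesDirectory)\eng\common\sdl\packages.config
  pool:
    # windows-2019 ships "tar" (added in Windows 10/2019), which the optional archive-extraction
    # step needs, and it is the right image whether or not extraction is enabled, so no
    # extractArchiveArtifacts conditional is needed here (both former branches selected this image).
    vmImage: windows-2019
  steps:
  - checkout: self
    clean: true

  # Build artifacts: one download task per entry of artifactNames, or a single "**" download of
  # every artifact when artifactNames is empty. Skipped entirely when downloadArtifacts is false.
  - ${{ if ne(parameters.downloadArtifacts, 'false') }}:
    - ${{ if ne(parameters.artifactNames, '') }}:
      - ${{ each artifactName in parameters.artifactNames }}:
        - task: DownloadBuildArtifacts@0
          displayName: Download Build Artifacts
          inputs:
            buildType: specific
            buildVersionToDownload: specific
            project: $(AzDOProjectName)
            pipeline: $(AzDOPipelineId)
            buildId: $(AzDOBuildId)
            artifactName: ${{ artifactName }}
            downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
            checkDownloadedFiles: true
    - ${{ if eq(parameters.artifactNames, '') }}:
      - task: DownloadBuildArtifacts@0
        displayName: Download Build Artifacts
        inputs:
          buildType: specific
          buildVersionToDownload: specific
          project: $(AzDOProjectName)
          pipeline: $(AzDOPipelineId)
          buildId: $(AzDOBuildId)
          downloadType: specific files
          itemPattern: "**"
          downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
          checkDownloadedFiles: true

  # Pipeline artifacts are independent of downloadArtifacts: one task per pipelineArtifactNames entry.
  - ${{ each artifactName in parameters.pipelineArtifactNames }}:
    - task: DownloadPipelineArtifact@2
      displayName: Download Pipeline Artifacts
      inputs:
        buildType: specific
        buildVersionToDownload: specific
        project: $(AzDOProjectName)
        pipeline: $(AzDOPipelineId)
        buildId: $(AzDOBuildId)
        artifactName: ${{ artifactName }}
        downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
        checkDownloadedFiles: true

  # Unpack the downloaded packages in place (InputPath == ExtractPath) so the SDL tools can scan
  # their contents. These two steps are not conditional on downloadArtifacts; sdlContinueOnError
  # decides whether a failure here stops the job.
  - powershell: eng/common/sdl/extract-artifact-packages.ps1
      -InputPath $(Build.ArtifactStagingDirectory)\artifacts\BlobArtifacts
      -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts\BlobArtifacts
    displayName: Extract Blob Artifacts
    continueOnError: ${{ parameters.sdlContinueOnError }}

  - powershell: eng/common/sdl/extract-artifact-packages.ps1
      -InputPath $(Build.ArtifactStagingDirectory)\artifacts\PackageArtifacts
      -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts\PackageArtifacts
    displayName: Extract Package Artifacts
    continueOnError: ${{ parameters.sdlContinueOnError }}

  # Optional: also expand .tar.gz/.zip archives found under the artifacts directory.
  - ${{ if ne(parameters.extractArchiveArtifacts, 'false') }}:
    - powershell: eng/common/sdl/extract-artifact-archives.ps1
        -InputPath $(Build.ArtifactStagingDirectory)\artifacts
        -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts
      displayName: Extract Archive Artifacts
      continueOnError: ${{ parameters.sdlContinueOnError }}

  # When a Guardian version override was requested, rewrite packages.config so the NuGet restore
  # below picks up that version instead of DefaultGuardianVersion. Both versions are substituted
  # into single-quoted PowerShell literals; they are author-controlled template values and are
  # expected to be plain version strings (no quote characters).
  - ${{ if ne(parameters.overrideGuardianVersion, '') }}:
    - powershell: |
        $content = Get-Content $(GuardianPackagesConfigFile)

        Write-Host "packages.config content was:`n$content"

        $content = $content.Replace('$(DefaultGuardianVersion)', '$(GuardianVersion)')
        $content | Set-Content $(GuardianPackagesConfigFile)

        Write-Host "packages.config content updated to:`n$content"
      displayName: Use overridden Guardian version ${{ parameters.overrideGuardianVersion }}

  # Restore the Guardian CLI using the feeds in eng/common/sdl/NuGet.config, authenticating with
  # the GuardianConnect service connection, into $(Build.SourcesDirectory)\.packages.
  - task: NuGetToolInstaller@1
    displayName: 'Install NuGet.exe'
  - task: NuGetCommand@2
    displayName: 'Install Guardian'
    inputs:
      restoreSolution: $(Build.SourcesDirectory)\eng\common\sdl\packages.config
      feedsToUse: config
      nugetConfigPath: $(Build.SourcesDirectory)\eng\common\sdl\NuGet.config
      externalFeedCredentials: GuardianConnect
      restoreDirectory: $(Build.SourcesDirectory)\.packages

  # Run the SDL tools. overrideParameters, when given, replaces the whole argument list; otherwise
  # the standard arguments are passed and additionalParameters is appended. Both parameters are
  # spliced into the command line verbatim (no quoting or escaping), so they must only ever carry
  # values chosen by the pipeline author, never runtime or user-supplied input.
  - ${{ if ne(parameters.overrideParameters, '') }}:
    - powershell: ${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}
      displayName: Execute SDL
      continueOnError: ${{ parameters.sdlContinueOnError }}
  - ${{ if eq(parameters.overrideParameters, '') }}:
    # NOTE(review): the access token is macro-expanded straight into the inline script text rather
    # than mapped through an 'env:' block; passing it via the environment would keep the secret out
    # of the generated script body — confirm execute-all-sdl-tools.ps1 can accept it that way first.
    - powershell: ${{ parameters.executeAllSdlToolsScript }}
        -GuardianPackageName Microsoft.Guardian.Cli.$(GuardianVersion)
        -NugetPackageDirectory $(Build.SourcesDirectory)\.packages
        -AzureDevOpsAccessToken $(dn-bot-dotnet-build-rw-code-rw)
        ${{ parameters.additionalParameters }}
      displayName: Execute SDL
      continueOnError: ${{ parameters.sdlContinueOnError }}

  - ${{ if ne(parameters.publishGuardianDirectoryToPipeline, 'false') }}:
    # We want to publish the Guardian results and configuration for easy diagnosis. However, the
    # '.gdn' dir is a mix of configuration, results, extracted dependencies, and Guardian default
    # tooling files. Some of these files are large and aren't useful during an investigation, so
    # exclude them by simply deleting them before publishing. (As of writing, there is no documented
    # way to selectively exclude a dir from the pipeline artifact publish task.)
    # NOTE(review): only the 'c' and 'i' subfolders are removed, so the tool results are published
    # and become readable by anyone with access to this pipeline's artifacts — confirm the results
    # contain nothing (e.g. matched credential text) that should not be shared that widely.
    - task: DeleteFiles@1
      displayName: Delete Guardian dependencies to avoid uploading
      inputs:
        SourceFolder: $(Agent.BuildDirectory)/.gdn
        Contents: |
          c
          i
      # succeededOrFailed() so the diagnostics are still published when an earlier step failed.
      condition: succeededOrFailed()
    - publish: $(Agent.BuildDirectory)/.gdn
      artifact: GuardianConfiguration
      displayName: Publish GuardianConfiguration
      condition: succeededOrFailed()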