parameters: enable: 'false' # Whether the SDL validation job should execute or not overrideParameters: '' # Optional: to override values for parameters. additionalParameters: '' # Optional: parameters that need user specific values eg: '-SourceToolsList @("abc","def") -ArtifactToolsList @("ghi","jkl")' # Optional: if specified, restore and use this version of Guardian instead of the default. overrideGuardianVersion: '' # Optional: if true, publish the '.gdn' folder as a pipeline artifact. This can help with in-depth # diagnosis of problems with specific tool configurations. publishGuardianDirectoryToPipeline: false # The script to run to execute all SDL tools. Use this if you want to use a script to define SDL # parameters rather than relying on YAML. It may be better to use a local script, because you can # reproduce results locally without piecing together a command based on the YAML. executeAllSdlToolsScript: 'eng/common/sdl/execute-all-sdl-tools.ps1' # There is some sort of bug (has been reported) in Azure DevOps where if this parameter is named # 'continueOnError', the parameter value is not correctly picked up. # This can also be remedied by the caller (post-build.yml) if it does not use a nested parameter sdlContinueOnError: false # optional: determines whether to continue the build if the step errors; # optional: determines if build artifacts should be downloaded. downloadArtifacts: true # optional: determines if this job should search the directory of downloaded artifacts for # 'tar.gz' and 'zip' archive files and extract them before running SDL validation tasks. extractArchiveArtifacts: false dependsOn: '' # Optional: dependencies of the job artifactNames: '' # Optional: patterns supplied to DownloadBuildArtifacts # Usage: # artifactNames: # - 'BlobArtifacts' # - 'Artifacts_Windows_NT_Release' # Optional: download a list of pipeline artifacts. 'downloadArtifacts' controls build artifacts, # not pipeline artifacts, so doesn't affect the use of this parameter. pipelineArtifactNames: [] # Optional: location and ID of the AzDO build that the build/pipeline artifacts should be # downloaded from. By default, uses runtime expressions to decide based on the variables set by # the 'setupMaestroVars' dependency. Overriding this parameter is necessary if SDL tasks are # running without Maestro++/BAR involved, or to download artifacts from a specific existing build # to iterate quickly on SDL changes. AzDOProjectName: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOProjectName'] ] AzDOPipelineId: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOPipelineId'] ] AzDOBuildId: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOBuildId'] ] jobs: - job: Run_SDL dependsOn: ${{ parameters.dependsOn }} displayName: Run SDL tool condition: eq( ${{ parameters.enable }}, 'true') variables: - group: DotNet-VSTS-Bot - name: AzDOProjectName value: ${{ parameters.AzDOProjectName }} - name: AzDOPipelineId value: ${{ parameters.AzDOPipelineId }} - name: AzDOBuildId value: ${{ parameters.AzDOBuildId }} - template: /eng/common/templates/variables/sdl-variables.yml - name: GuardianVersion value: ${{ coalesce(parameters.overrideGuardianVersion, '$(DefaultGuardianVersion)') }} pool: vmImage: windows-2019 steps: - checkout: self clean: true - ${{ if ne(parameters.downloadArtifacts, 'false')}}: - ${{ if ne(parameters.artifactNames, '') }}: - ${{ each artifactName in parameters.artifactNames }}: - task: DownloadBuildArtifacts@0 displayName: Download Build Artifacts inputs: buildType: specific buildVersionToDownload: specific project: $(AzDOProjectName) pipeline: $(AzDOPipelineId) buildId: $(AzDOBuildId) artifactName: ${{ artifactName }} downloadPath: $(Build.ArtifactStagingDirectory)\artifacts checkDownloadedFiles: true - ${{ if eq(parameters.artifactNames, '') }}: - task: DownloadBuildArtifacts@0 displayName: Download Build Artifacts inputs: buildType: specific buildVersionToDownload: specific project: $(AzDOProjectName) pipeline: $(AzDOPipelineId) buildId: $(AzDOBuildId) downloadType: specific files itemPattern: "**" downloadPath: $(Build.ArtifactStagingDirectory)\artifacts checkDownloadedFiles: true - ${{ each artifactName in parameters.pipelineArtifactNames }}: - task: DownloadPipelineArtifact@2 displayName: Download Pipeline Artifacts inputs: buildType: specific buildVersionToDownload: specific project: $(AzDOProjectName) pipeline: $(AzDOPipelineId) buildId: $(AzDOBuildId) artifactName: ${{ artifactName }} downloadPath: $(Build.ArtifactStagingDirectory)\artifacts checkDownloadedFiles: true - powershell: eng/common/sdl/extract-artifact-packages.ps1 -InputPath $(Build.ArtifactStagingDirectory)\artifacts\BlobArtifacts -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts\BlobArtifacts displayName: Extract Blob Artifacts continueOnError: ${{ parameters.sdlContinueOnError }} - powershell: eng/common/sdl/extract-artifact-packages.ps1 -InputPath $(Build.ArtifactStagingDirectory)\artifacts\PackageArtifacts -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts\PackageArtifacts displayName: Extract Package Artifacts continueOnError: ${{ parameters.sdlContinueOnError }} - ${{ if ne(parameters.extractArchiveArtifacts, 'false') }}: - powershell: eng/common/sdl/extract-artifact-archives.ps1 -InputPath $(Build.ArtifactStagingDirectory)\artifacts -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts displayName: Extract Archive Artifacts continueOnError: ${{ parameters.sdlContinueOnError }} - template: /eng/common/templates/steps/execute-sdl.yml parameters: overrideGuardianVersion: ${{ parameters.overrideGuardianVersion }} executeAllSdlToolsScript: ${{ parameters.executeAllSdlToolsScript }} overrideParameters: ${{ parameters.overrideParameters }} additionalParameters: ${{ parameters.additionalParameters }} publishGuardianDirectoryToPipeline: ${{ parameters.publishGuardianDirectoryToPipeline }} sdlContinueOnError: ${{ parameters.sdlContinueOnError }}