dotnet-installer/eng/common/templates/job/execute-sdl.yml

parameters:
  enable: 'false'                                             # Whether the SDL validation job should execute or not
  overrideParameters: ''                                       # Optional: to override values for parameters.
  additionalParameters: ''                                     # Optional: parameters that need user specific values eg: '-SourceToolsList @("abc","def") -ArtifactToolsList @("ghi","jkl")'
  # Optional: if specified, restore and use this version of Guardian instead of the default.
  overrideGuardianVersion: ''
  # Optional: if true, publish the '.gdn' folder as a pipeline artifact. This can help with in-depth
  # diagnosis of problems with specific tool configurations.
  publishGuardianDirectoryToPipeline: false
  # The script to run to execute all SDL tools. Use this if you want to use a script to define SDL
  # parameters rather than relying on YAML. It may be better to use a local script, because you can
  # reproduce results locally without piecing together a command based on the YAML.
  executeAllSdlToolsScript: 'eng/common/sdl/execute-all-sdl-tools.ps1'
  # There is some sort of bug (has been reported) in Azure DevOps where if this parameter is named
  # 'continueOnError', the parameter value is not correctly picked up.
  # This can also be remedied by the caller (post-build.yml) if it does not use a nested parameter
  sdlContinueOnError: false                                    # optional: determines whether to continue the build if the step errors;
  # optional: determines if build artifacts should be downloaded.
  downloadArtifacts: true
  # optional: determines if this job should search the directory of downloaded artifacts for
  # 'tar.gz' and 'zip' archive files and extract them before running SDL validation tasks.
  extractArchiveArtifacts: false
  dependsOn: ''                                                # Optional: dependencies of the job
  artifactNames: ''                                            # Optional: patterns supplied to DownloadBuildArtifacts
                                                               # Usage:
                                                               #  artifactNames:
                                                               #    - 'BlobArtifacts'
                                                               #    - 'Artifacts_Windows_NT_Release'
  # Optional: download a list of pipeline artifacts. 'downloadArtifacts' controls build artifacts,
  # not pipeline artifacts, so doesn't affect the use of this parameter.
  pipelineArtifactNames: []
  # Optional: location and ID of the AzDO build that the build/pipeline artifacts should be
  # downloaded from. By default, uses runtime expressions to decide based on the variables set by
  # the 'setupMaestroVars' dependency. Overriding this parameter is necessary if SDL tasks are
  # running without Maestro++/BAR involved, or to download artifacts from a specific existing build
  # to iterate quickly on SDL changes.
  AzDOProjectName: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOProjectName'] ]
  AzDOPipelineId: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOPipelineId'] ]
  AzDOBuildId: $[ dependencies.setupMaestroVars.outputs['setReleaseVars.AzDOBuildId'] ]

jobs:
- job: Run_SDL
  dependsOn: ${{ parameters.dependsOn }}
  displayName: Run SDL tool
  condition: eq( ${{ parameters.enable }}, 'true')
  variables:
    - group: DotNet-VSTS-Bot
    - name: AzDOProjectName
      value: ${{ parameters.AzDOProjectName }}
    - name: AzDOPipelineId
      value: ${{ parameters.AzDOPipelineId }}
    - name: AzDOBuildId
      value: ${{ parameters.AzDOBuildId }}
    - template: /eng/common/templates/variables/sdl-variables.yml
    - name: GuardianVersion
      value: ${{ coalesce(parameters.overrideGuardianVersion, '$(DefaultGuardianVersion)') }}
  pool:
    vmImage: windows-2019
  steps:
  - checkout: self
    clean: true

  - ${{ if ne(parameters.downloadArtifacts, 'false')}}:
    - ${{ if ne(parameters.artifactNames, '') }}:
      - ${{ each artifactName in parameters.artifactNames }}:
        - task: DownloadBuildArtifacts@0
          displayName: Download Build Artifacts
          inputs:
            buildType: specific
            buildVersionToDownload: specific
            project: $(AzDOProjectName)
            pipeline: $(AzDOPipelineId)
            buildId: $(AzDOBuildId)
            artifactName: ${{ artifactName }}
            downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
            checkDownloadedFiles: true
    - ${{ if eq(parameters.artifactNames, '') }}:
      - task: DownloadBuildArtifacts@0
        displayName: Download Build Artifacts
        inputs:
          buildType: specific
          buildVersionToDownload: specific
          project: $(AzDOProjectName)
          pipeline: $(AzDOPipelineId)
          buildId: $(AzDOBuildId)
          downloadType: specific files
          itemPattern: "**"
          downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
          checkDownloadedFiles: true

  - ${{ each artifactName in parameters.pipelineArtifactNames }}:
    - task: DownloadPipelineArtifact@2
      displayName: Download Pipeline Artifacts
      inputs:
        buildType: specific
        buildVersionToDownload: specific
        project: $(AzDOProjectName)
        pipeline: $(AzDOPipelineId)
        buildId: $(AzDOBuildId)
        artifactName: ${{ artifactName }}
        downloadPath: $(Build.ArtifactStagingDirectory)\artifacts
        checkDownloadedFiles: true

  - powershell: eng/common/sdl/extract-artifact-packages.ps1
      -InputPath $(Build.ArtifactStagingDirectory)\artifacts\BlobArtifacts
      -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts\BlobArtifacts
    displayName: Extract Blob Artifacts
    continueOnError: ${{ parameters.sdlContinueOnError }}

  - powershell: eng/common/sdl/extract-artifact-packages.ps1
      -InputPath $(Build.ArtifactStagingDirectory)\artifacts\PackageArtifacts
      -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts\PackageArtifacts
    displayName: Extract Package Artifacts
    continueOnError: ${{ parameters.sdlContinueOnError }}

  - ${{ if ne(parameters.extractArchiveArtifacts, 'false') }}:
    - powershell: eng/common/sdl/extract-artifact-archives.ps1
        -InputPath $(Build.ArtifactStagingDirectory)\artifacts
        -ExtractPath $(Build.ArtifactStagingDirectory)\artifacts
      displayName: Extract Archive Artifacts
      continueOnError: ${{ parameters.sdlContinueOnError }}
  
  - template: /eng/common/templates/steps/execute-sdl.yml
    parameters:
      overrideGuardianVersion: ${{ parameters.overrideGuardianVersion }}
      executeAllSdlToolsScript: ${{ parameters.executeAllSdlToolsScript }}
      overrideParameters: ${{ parameters.overrideParameters }}
      additionalParameters: ${{ parameters.additionalParameters }}
      publishGuardianDirectoryToPipeline: ${{ parameters.publishGuardianDirectoryToPipeline }}
      sdlContinueOnError: ${{ parameters.sdlContinueOnError }}