User/alexlam/37319832 main 220617

[alexlamtest]

Enabled PreFast scanning to run on this repo. This is done by invoking the BinaryAnalysis template exposed by Packaged ES. Aside from PreFast, this template can also run BinSkim, Anitmalware, etc. scans.
Notes:

• Currently PreFast is hitting a few errors, therefore, "break the build on error" mode is currently disabled. We should consider enabling that mode once the PreFast errors are resolved. Most other scans already default to the "break the build on error" mode.
• Two switches are exposed to pipeline users in the form of parameters: 1) setting runSDLBinaryAnalysis to false will skip calling the BinaryAnalysis template altogether, including PreFast, this mode is useful for getting the fastest and cleanest pipeline run, 2) setting runSDLBinaryAnalysis to true but setting enablePREFast to false will still call the BinaryAnalysis template but skip only PreFast. This mode is useful for running BinSkim etc. scans but prevents the build tasks to report warnings due to PreFast issue.
• Other than PreFast, PoliCheck and BinSkim are also reporting issues, but none of them look severe enough to break the build.
• Also started calling the SourceAnalysis template from Packaged ES to do PoliCheck, CredScan, etc. scans, replacing the existing explicit call to the CredScan and BinSkim tasks. SourceAnalysis currently runs scans for each pipeline run because they are relatively fast, and they currently don't produce much noise.
• I don't see BinSkim results in older pipeline runs, but we do get BinSkim results with this PR.
• With the calling of both of the SourceAnalysis and BinaryAnalysis templates, we satisfy the Executive Order (EO) requirement.
• The "auto file bugs" capability is not yet enabled, we should consider enabling it when the scan results are mostly clean and we are ready to track new scan errors by auto-filed bugs.

The PreFast issues can be found in this sample run:
https://microsoft.visualstudio.com/ProjectReunion/_build/results?buildId=51306833&view=results

Here's where to find the PreFast issues from the build results page:
• Summary->Job->Build Release_x86->Guardian: PreFast - 0 Warning(s) 1 Error(s)
• Summary->Job->Build Release_x86->Guardian: PreFast - 0 Warning(s) 1 Error(s)
• Summary->Job->Build Release_Arm64->Guardian: PreFast - 0 Warning(s) 1 Error(s)
• Summary->Job->BuildMRT Release_x86->Guardian: PreFast - 2271 Warning(s) 3 Error(s)
• Summary->Job->BuildMRT Release_x64->Guardian: PreFast - 2273 Warning(s) 3 Error(s)
• Summary->Job->BuildMRT Release_Arm64->Guardian: PreFast - 2276 Warning(s) 0 Error(s)

Look under the Scans tab in the build results page to see BinSkim and PoliCheck issues.

By default, PreFast is skipped in pipeline runs, like below, to avoid getting warnings for the build tasks:
https://microsoft.visualstudio.com/ProjectReunion/_build/results?buildId=51307855&view=results

[alexlamtest]

/azp run

[azure-pipelines]

Azure Pipelines failed to run 1 pipeline(s).

[alexlamtest]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).