Update compliance pipeline to run all tools and log bugs (#309)

* Add TSA bug logging to security analysis * Add bug logging and API scan * Exclude test files from API scan
microsoft · Mar 1, 2024 · 613d3ac · 613d3ac
1 parent f9116d2
commit 613d3ac
Show file tree

Hide file tree

Showing 3 changed files with 105 additions and 63 deletions.
diff --git a/.config/tsaoptions.json b/.config/tsaoptions.json
@@ -0,0 +1,9 @@
+{
+    "codebaseName": "VSWhere",
+    "instanceUrl": "https://devdiv.visualstudio.com/defaultcollection",
+    "projectName": "DevDiv",
+    "areaPath": "DevDiv\\VS Setup",
+    "iterationPath": "DevDiv",
+    "allTools": true
+  }
+
diff --git a/.vsts-ci.yml b/.vsts-ci.yml
@@ -30,12 +30,16 @@ extends:
     sdl:
       sourceAnalysisPool:
         name: AzurePipelines-EO
-        image: AzurePipelinesWindows2022compliantGPT
+        image: 1ESPT-Windows2022
       policheck:
         enabled: true
       binskim:
         enabled: true
         scanOutputDirectoryOnly: true # BinSkim scans whole source tree but we only need to scan the output dir.
+      tsa:
+        enabled: true
+        configFile: $(Build.SourcesDirectory)\.config\tsaoptions.json
+        onboard: false
 
     stages:
       - stage: Build
@@ -53,8 +57,4 @@ extends:
                   BuildConfiguration: $(BuildConfiguration)
                   BuildPlatform: $(BuildPlatform)
                   Sign: true
-                  PublishArtifactTemplate: /pipelines/templates/1es-publish-task.yml@self
-
-            - task: ms-vseng.MicroBuildTasks.521a94ea-9e68-468a-8167-6dcf361ea776.MicroBuildCleanup@1
-              displayName: Clean up
-              condition: succeededOrFailed()
+                  PublishArtifactTemplate: /pipelines/templates/1es-publish-task.yml@self
diff --git a/.vsts-compliance.yml b/.vsts-compliance.yml
@@ -20,67 +20,100 @@ schedules:
 
 pr: none
 
-queue:
-  name: VSEngSS-MicroBuild2022-1ES
-  timeoutInMinutes: 120
-  demands: 
-  - ChocolateyInstall
-  - MSBuild
-  - VisualStudio
-  - VSTest
+variables:
+  - group: vssetup-apiscan
+  - group: vssetup-apiscan-secrets
 
-steps:
-- template: /pipelines/templates/build.yml@self
-  parameters:
-    BuildConfiguration: $(BuildConfiguration)
-    BuildPlatform: $(BuildPlatform)
-    Sign: false
-    PublishArtifactTemplate: /pipelines/templates/ado-publish-task.yml@self
-
-- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
-  displayName: Detect components
-  inputs:
-    sourceScanPath: $(Build.SourcesDirectory)
+resources:
+  repositories:
+  - repository: MicroBuildTemplate
+    type: git
+    name: 1ESPipelineTemplates/MicroBuildTemplate
+    ref: refs/tags/release
 
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2
-  displayName: Run the PREfast SDL Native Rules for MSBuild
-  continueOnError: true
-
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1
-  displayName: Run PoliCheck
-  inputs:
-    targetType: F
-    targetArgument: '$(Build.SourcesDirectory)'
-    optionsFC: 0
-    optionsXS: 1
-    optionsHMENABLE: 0
-  continueOnError: true
+extends:
+  template: azure-pipelines/MicroBuild.1ES.Unofficial.yml@MicroBuildTemplate
+  parameters:
+    pool:
+      name: VSEngSS-MicroBuild2022-1ES
+    sdl:
+      sourceAnalysisPool:
+        name: AzurePipelines-EO
+        image: 1ESPT-Windows2022
+      antimalwareScan:
+        enabled: true
+      armory:
+        enabled: true
+      binskim:
+        enabled: true
+        scanOutputDirectoryOnly: true
+      codeql:
+        compiled:
+          enabled: true
+      credscan:
+        enabled: true
+      policheck:
+        enabled: true
+      psscriptanalyzer:
+        enabled: true
+      prefast:
+        enabled: true
+      tsa:
+        enabled: true
+        configFile: $(Build.SourcesDirectory)\.config\tsaoptions.json
+        onboard: false
 
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
-  displayName: Run BinSkim
-  inputs:
-    InputType: Basic
-    Function: analyze
-    AnalyzeTarget: 'bin\$(BuildConfiguration)\*.exe'
-    AnalyzeSymPath: 'bin\$(BuildConfiguration)'
-    AnalyzeVerbose: true
-    AnalyzeHashes: true
-  continueOnError: true
+    stages:
+      - stage: Compliance
+        jobs:
+          - job: Compliance
+            steps:
+              - template: /pipelines/templates/build.yml@self
+                parameters:
+                    BuildConfiguration: $(BuildConfiguration)
+                    BuildPlatform: $(BuildPlatform)
+                    Sign: false
+                    PublishArtifactTemplate: /pipelines/templates/1es-publish-task.yml@self
 
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
-  displayName: Run CredScan
-  inputs:
-    debugMode: false
+              - task: CopyFiles@2
+                displayName: Copy files for API scan
+                inputs:
+                  SourceFolder: $(Build.SourcesDirectory)\bin\$(BuildConfiguration)
+                  Contents: |
+                    **\*.?(exe|dll|pdb|xml)
+                    !**\*.test.?(exe|dll|pdb|xml)
+                  TargetFolder: $(Build.StagingDirectory)\apiscan-inputs
 
-# Publish compliance results
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
-  displayName: Publish Security Analysis Logs
+              - task: APIScan@2
+                displayName: Run APIScan
+                inputs:
+                  softwareFolder: $(Build.StagingDirectory)\apiscan-inputs
+                  softwareName: 'Microsoft.VSWhere'
+                  softwareVersionNum: '3'
+                  toolVersion: Latest
+                env:
+                  AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(SetupAppApiScanSecret)
 
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
-  displayName: Check SDL results
-  inputs:
-    AllTools: true
+              - task: PublishSecurityAnalysisLogs@3
+                displayName: Publish 'SDLAnalysis-APIScan' artifact
+                condition: succeededOrFailed()
+                inputs:
+                  ArtifactName: SDLAnalysis-APIScan
+                  AllTools: false
+                  APIScan: true
 
-- task: ms-vseng.MicroBuildTasks.521a94ea-9e68-468a-8167-6dcf361ea776.MicroBuildCleanup@1
-  displayName: Clean up
-  condition: succeededOrFailed()
+              - task: PostAnalysis@2
+                displayName: Post Analysis
+                inputs:
+                  GdnBreakAllTools: false
+                  GdnBreakGdnToolApiScan: true
+
+              - task: TSAUpload@2
+                displayName: Upload APIScan results to TSA
+                inputs:
+                  GdnPublishTsaOnboard: false
+                  GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\.config\tsaoptions.json'
+                  GdnPublishTsaExportedResultsPublishable: true
+                continueOnError: true
+                condition: succeededOrFailed()
+                enabled: true