diff options
| author | Ravi Eda <raeda@microsoft.com> | 2017-06-16 04:15:35 +0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-06-16 04:15:35 +0300 |
| commit | 114dc0214026846a2f5d95752b0fb1ca72de23e2 (patch) | |
| tree | 6ef3a5b56917585894d63ad08260c2398d779382 /buildpipeline | |
| parent | 0fa91b6866af11d85212f3a0df653a1b8b4d8ead (diff) | |
Security Build Definition (#20873)
* Create root and windows definition.
* Include PB_ prefix.
* Remove variables whose values will be in PB.
* Remove unnecessary tasks.
* Update path property.
* Add OSX leg.
* Remove triggers.
* Remove PB variables.
* Remove OSX leg since there is no TSA support.
* Remove CodeMetrics.
* Pass official build number as PB variable.
* Invoke sync.cmd directly.
* Update arguments passed to security tools. (#11)
* Minor fixes to arguments passed, and variable names. (#12)
* Remove folders other than security.
* Update args for BinSkim.
* Cleanup scripts.
* Fix APIScan args.
* Update task names.
* Update PB variable name.
* Do delete .txt files. Version.txt is needed.
* Set symbolsFolder for APIScan.
* Update git checkout task.
* Add a test task that will be removed before merge.
* Add PB_Git variable.
* Update Git path.
* Revert to PB_Git.
* Remove test task.
Diffstat (limited to 'buildpipeline')
| -rw-r--r-- | buildpipeline/security/DotNet-CoreFx-Security-Windows.json | 564 | ||||
| -rw-r--r-- | buildpipeline/security/pipeline.json | 22 |
2 files changed, 586 insertions, 0 deletions
diff --git a/buildpipeline/security/DotNet-CoreFx-Security-Windows.json b/buildpipeline/security/DotNet-CoreFx-Security-Windows.json new file mode 100644 index 0000000000..a95214d6ff --- /dev/null +++ b/buildpipeline/security/DotNet-CoreFx-Security-Windows.json @@ -0,0 +1,564 @@ +{ + "build": [ + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Run clean.cmd", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "d9bafed4-0b18-4f58-968d-86655b4d2ce9", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "filename": "clean.cmd", + "arguments": "-all", + "workingFolder": "$(Build.SourcesDirectory)", + "failOnStandardError": "false" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Run sync to download packages", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "scriptType": "inlineScript", + "scriptName": "", + "arguments": "$(PB_CloudDropAccountName) $(PB_CloudDropAccessToken) $(PB_CloudDropContainer)", + "workingFolder": "$(Build.SourcesDirectory)", + "inlineScript": "param($account, $token, $container)\n.\\sync.cmd -ab -- /p:CloudDropAccountName=$account /p:CloudDropAccessToken=$token /p:ContainerName=$container", + "failOnStandardError": "true" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Extract downloaded nupkgs", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "scriptType": "inlineScript", + "scriptName": "", + "arguments": "$(Build.SourcesDirectory)", + "workingFolder": "$(Build.SourcesDirectory)", + "inlineScript": "param($SrcDir)\n$secDir = Join-Path \"$SrcDir\" \"security\"\n$pkgDir = \"$SrcDir\\packages\\AzureTransfer\\Release\\symbols\"\ngci \"$pkgDir\\*.nupkg\" | rename-item -newname { [io.path]::ChangeExtension($_.name, \"zip\") }\ngci \"$pkgDir\\*.zip\" | % {\n$dstDir = Join-Path \"$secDir\" $($_.BaseName)\nExpand-Archive -Path $($_.FullName) -DestinationPath \"$dstDir\" -Force\n}\n", + "failOnStandardError": "true" + } + }, + { + "enabled": true, + "continueOnError": false, + "alwaysRun": false, + "displayName": "List all files", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "scriptType": "inlineScript", + "scriptName": "", + "arguments": "$(Build.SourcesDirectory)", + "workingFolder": "$(Build.SourcesDirectory)", + "inlineScript": "param($SrcDir)\n$fileCount = 0\ngci $SrcDir -recurse | % {\nWrite-Host $($_.FullName)\n$fileCount += 1\n}\nWrite-Host \"File Count: $fileCount\"\n", + "failOnStandardError": "true" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Remove files other than DLLs, PDBs and TXT", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "scriptType": "inlineScript", + "scriptName": "", + "arguments": "$(Build.SourcesDirectory)", + "workingFolder": "$(Build.SourcesDirectory)", + "inlineScript": "param($SrcDir)\n$secDir = Join-Path \"$SrcDir\" \"security\"\n$extList = \".dll\", \".pdb\", \".txt\"\ngci $secDir -Recurse | where { !$_.PSIsContainer } | % {\nif ($extList -inotcontains $_.Extension)\n{\n rm $_.FullName -Force -ErrorAction SilentlyContinue\n Write-Host \"Removed $($_.FullName)\"\n}\n}\n\n", + "failOnStandardError": "true" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Workaround for long path - DELETE files with path length greater than or equal to 240 characters", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "scriptType": "inlineScript", + "scriptName": "", + "arguments": "$(Build.SourcesDirectory)", + "workingFolder": "$(Build.SourcesDirectory)", + "inlineScript": "param($SrcDir)\n$longPath = New-Object System.Collections.ArrayList\ngci \"$SrcDir\\*\" -recurse | where {!$_.PSIsContainer} | % {\nif ($($_.FullName.Length) -ge 240)\n{\n$longPath.Add($($_.Directory.FullName)) | Out-Null\n}\n}\n$longPath | % {\nStart-Process \"cmd\" -ArgumentList \"/c rd /S /Q $_\" -Wait\nWrite-Host \"DELETED $_\"\n}\n", + "failOnStandardError": "true" + } + }, + { + "enabled": true, + "continueOnError": false, + "alwaysRun": false, + "displayName": "List all files - post delete", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "scriptType": "inlineScript", + "scriptName": "", + "arguments": "$(Build.SourcesDirectory)", + "workingFolder": "$(Build.SourcesDirectory)", + "inlineScript": "param($SrcDir)\n$fileCount = 0\ngci $SrcDir -recurse | % {\nWrite-Host $($_.FullName)\n$fileCount += 1\n}\nWrite-Host \"File Count: $fileCount\"\n", + "failOnStandardError": "true" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Run BinSkim ", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "3056813a-40e9-4b2f-8f6b-612d1bc4e045", + "versionSpec": "3.*", + "definitionType": "task" + }, + "inputs": { + "InputType": "CommandLine", + "arguments": "analyze security\\*.dll --recurse --sympath security\\*.pdb --verbose --statistics", + "Function": "analyze", + "AnalyzeTarget": "$(Build.ArtifactStagingDirectory)", + "AnalyzeSymPath": "", + "AnalyzeConfigPath": "default", + "AnalyzePluginPath": "", + "AnalyzeRecurse": "true", + "AnalyzeVerbose": "true", + "AnalyzeHashes": "true", + "AnalyzeStatistics": "false", + "AnalyzeEnvironment": "false", + "ExportRulesOutputType": "SARIF", + "DumpTarget": "$(Build.ArtifactStagingDirectory)", + "DumpRecurse": "true", + "DumpVerbose": "true", + "toolVersion": "Latest" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Run APIScan", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "9adea2b1-3752-438c-80c6-a6f0a812abdd", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "targetMode": "binarysym", + "softwareFolder": "$(Build.SourcesDirectory)\\security", + "mpdFolder": "", + "softwareName": "CoreFx", + "softwareVersionNum": "$(PB_BuildNumber)", + "softwareBuildNum": "$(PB_BuildNumber)", + "modeType": "prerelease", + "noCopySymbols": "false", + "noCopyBinaries": "false", + "noDecompress": "true", + "exclusionList": "", + "email": "", + "symbolsFolder": "$(Build.SourcesDirectory)\\security", + "preBbtBinariesFolder": "", + "preBbtSymbolsFolder": "", + "isLargeApp": "false", + "analyzerTimeout": "00:00:00", + "preserveTempFiles": "false", + "toolVersion": "Latest" + } + }, + { + "enabled": true, + "continueOnError": false, + "alwaysRun": false, + "displayName": "git checkout", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "scriptType": "inlineScript", + "scriptName": "", + "arguments": "$(Build.SourcesDirectory) \"$(PB_Git)\"", + "workingFolder": "$(Build.SourcesDirectory)", + "inlineScript": "param($SrcDir, $git)\n$pkgExtPath= Join-Path \"$SrcDir\" \"security\"\ngci \"$pkgExtPath\\version.txt\" -Recurse | % { \n$sha = gc $_\nWrite-Host \"$sha\"\nif (-not [string]::IsNullOrWhiteSpace($sha))\n{\nStart-Process \"$git\" -ArgumentList \"checkout -- .\" -Wait -Verbose -ErrorAction Stop\nStart-Process \"$git\" -ArgumentList \"checkout $sha\" -Wait -Verbose -ErrorAction Stop\nWrite-Host \"Checked out at $sha\"\nbreak\n}\n}", + "failOnStandardError": "true" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Run CredScan", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "ea576cd4-c61f-48f8-97e7-a3cb07b90a6f", + "versionSpec": "2.*", + "definitionType": "task" + }, + "inputs": { + "outputFormat": "pre", + "toolVersion": "Latest", + "scanFolder": "$(Build.SourcesDirectory)", + "searchersFileType": "Default", + "searchersFile": "", + "suppressionsFile": "", + "suppressAsError": "false", + "batchSize": "" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Run PoliCheck", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "d785890c-0d0d-46bd-8167-8fa9d49990c7", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "inputType": "Basic", + "cmdLineArgs": "/F:$(Build.SourcesDirectory) /T:9 /O:PoliCheck.xml", + "targetType": "F", + "targetArgument": "$(Build.SourcesDirectory)", + "importEx": "0", + "termTypeT": "0029a9", + "termTypeTCustom": "9", + "termTypeK": "", + "termTypeL": "", + "EXGT": "false", + "result": "PoliCheck.xml", + "optionsFC": "1", + "optionsXS": "1", + "optionsCTGLEN": "", + "optionsSEV": "", + "optionsPE": "", + "optionsHMENABLE": "", + "optionsHPATH": "", + "optionsHVER": "", + "optionsRulesDBPath": "", + "optionsRule": "", + "optionsXCLASS": "", + "optionsTASKNAME": "", + "optionsWORKINGDIRECTORY": "", + "optionsFTPATH": "", + "optionsD": "", + "optionsB1": "", + "optionsB2": "", + "optionsB3": "", + "optionsOCDB": "", + "toolVersion": "Latest" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Post Analysis", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "f5679091-e6da-4974-a8dc-0eec03a8ea63", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "APIScan": "true", + "BinScope": "false", + "BinSkim": "true", + "BinSkimBreakOn": "Error", + "CredScan": "true", + "FortifySCA": "false", + "FxCop": "false", + "FxCopBreakOn": "ErrorAbove", + "ModernCop": "false", + "ModernCopBreakOn": "Error", + "PoliCheck": "true", + "PoliCheckBreakOn": "Severity1", + "SDLNativeRules": "false" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Publish Security Analysis Logs", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "4096c760-3a8a-435d-9689-88c0311bbc0e", + "versionSpec": "2.*", + "definitionType": "task" + }, + "inputs": { + "ArtifactName": "CodeAnalysisLogs", + "ArtifactType": "Container", + "TargetPath": "\\\\my\\share\\$(Build.DefinitionName)\\$(Build.BuildNumber)", + "RvName": "", + "ProductComponentName": "", + "ProductVersionNumber": "", + "PlatformName": "", + "SDLToolName": "", + "SDLToolResultFile": "" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "TSA upload to Codebase: DotNet-CoreFx-Trusted_master Stamp: Azure", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "3da26988-bb64-4a23-8f06-45531d297dae", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "codebase": "NewOrUpdate", + "tsaStamp": "Azure", + "tsaWebApiUrl": "$(TSAStamp)", + "codeBaseName": "DotNet-CoreFx-Trusted_master", + "notificationAlias": "dncsec@microsoft.com", + "codeBaseAdmins": "NORTHAMERICA\\raeda", + "instanceUrlAzure": "MSAZURE", + "instanceUrlDevDiv": "DEVDIV", + "projectNameMSAZURE": "One", + "projectNameIDENTITYDIVISION": "", + "projectNameDEVDIV": "DevDiv", + "areaPath": "One\\DevDiv\\DotNetCore", + "iterationPath": "One", + "uploadAPIScan": "true", + "uploadBinScope": "false", + "uploadBinSkim": "true", + "uploadCredScan": "true", + "uploadFortifySCA": "false", + "uploadFxCop": "false", + "uploadModernCop": "false", + "uploadPoliCheck": "true", + "uploadPREfast": "false", + "validateToolOutput": "Warning", + "validateCompatibility": "Error", + "uploadAsync": "true" + } + }, + { + "enabled": true, + "continueOnError": true, + "alwaysRun": false, + "displayName": "Run clean.cmd", + "timeoutInMinutes": 0, + "condition": "succeeded()", + "task": { + "id": "d9bafed4-0b18-4f58-968d-86655b4d2ce9", + "versionSpec": "1.*", + "definitionType": "task" + }, + "inputs": { + "filename": "clean.cmd", + "arguments": "-all", + "workingFolder": "$(Build.SourcesDirectory)", + "failOnStandardError": "false" + } + } + ], + "options": [ + { + "enabled": false, + "definition": { + "id": "5bc3cfb7-6b54-4a4b-b5d2-a3905949f8a6" + }, + "inputs": {} + }, + { + "enabled": false, + "definition": { + "id": "7c555368-ca64-4199-add6-9ebaf0b0137d" + }, + "inputs": { + "multipliers": "[]", + "parallel": "false", + "continueOnError": "true", + "additionalFields": "{}" + } + }, + { + "enabled": false, + "definition": { + "id": "a9db38f9-9fdc-478c-b0f9-464221e58316" + }, + "inputs": { + "workItemType": "234347", + "assignToRequestor": "true", + "additionalFields": "{}" + } + }, + { + "enabled": false, + "definition": { + "id": "57578776-4c22-4526-aeb0-86b6da17ee9c" + }, + "inputs": {} + }, + { + "enabled": false, + "definition": { + "id": "5d58cc01-7c75-450c-be18-a388ddb129ec" + }, + "inputs": { + "branchFilters": "[\"+refs/heads/*\"]", + "additionalFields": "{}" + } + } + ], + "variables": { + "system.debug": { + "value": "false" + }, + "CorefxGitUrl": { + "value": "https://github.com/dotnet/corefx" + } + }, + "demands": [ + "Agent.OS -equals windows_nt", + "msbuild" + ], + "retentionRules": [ + { + "branches": [ + "+refs/heads/*" + ], + "artifacts": [ + "build.SourceLabel" + ], + "artifactTypesToDelete": [], + "daysToKeep": 10, + "minimumToKeep": 1, + "deleteBuildRecord": true, + "deleteTestResults": true + } + ], + "_links": { + "self": { + "href": "https://devdiv.visualstudio.com/0bdbc590-a062-4c3f-b0f6-9383f67865ee/_apis/build/Definitions/6389" + }, + "web": { + "href": "https://devdiv.visualstudio.com/_permalink/_build/index?collectionId=011b8bdf-6d56-4f87-be0d-0092136884d9&projectId=0bdbc590-a062-4c3f-b0f6-9383f67865ee&definitionId=6389" + }, + "editor": { + "href": "https://devdiv.visualstudio.com/_permalink/_build/definitionEditor?collectionId=011b8bdf-6d56-4f87-be0d-0092136884d9&projectId=0bdbc590-a062-4c3f-b0f6-9383f67865ee&definitionId=6389" + }, + "badge": { + "href": "https://devdiv.visualstudio.com/_apis/public/build/definitions/0bdbc590-a062-4c3f-b0f6-9383f67865ee/6389/badge" + } + }, + "buildNumberFormat": "$(date:yyyyMMdd)$(rev:-rr)", + "jobAuthorizationScope": 1, + "jobTimeoutInMinutes": 600, + "jobCancelTimeoutInMinutes": 5, + "badgeEnabled": true, + "repository": { + "properties": { + "cleanOptions": "3", + "labelSources": "0", + "labelSourcesFormat": "$(build.buildNumber)", + "reportBuildStatus": "true", + "gitLfsSupport": "false", + "skipSyncSource": "false", + "checkoutNestedSubmodules": "false", + "fetchDepth": "0" + }, + "id": "58fa2458-e392-4373-ba2b-dd3ef0c2d7ce", + "type": "TfsGit", + "name": "DotNet-CoreFX-Trusted", + "url": "https://devdiv.visualstudio.com/DevDiv/_git/DotNet-CoreFX-Trusted", + "defaultBranch": "refs/heads/master", + "clean": "true", + "checkoutSubmodules": false + }, + "processParameters": {}, + "quality": 1, + "authoredBy": { + "id": "9d5fdf9f-36b6-4d0c-a12e-2737a673af94", + "displayName": "Ravi Eda", + "uniqueName": "raeda@microsoft.com", + "url": "https://app.vssps.visualstudio.com/Aa44b2c06-f247-425c-8464-4a0676af910a/_apis/Identities/9d5fdf9f-36b6-4d0c-a12e-2737a673af94", + "imageUrl": "https://devdiv.visualstudio.com/_api/_common/identityImage?id=9d5fdf9f-36b6-4d0c-a12e-2737a673af94" + }, + "queue": { + "id": 36, + "name": "DotNet-Build", + "pool": { + "id": 39, + "name": "DotNet-Build" + } + }, + "id": 6389, + "name": "DotNet-CoreFx-Security-Windows", + "url": "https://devdiv.visualstudio.com/0bdbc590-a062-4c3f-b0f6-9383f67865ee/_apis/build/Definitions/6389", + "uri": "vstfs:///Build/Definition/6389", + "path": "\\", + "type": 2, + "revision": 152, + "createdDate": "2017-06-08T18:05:53.047Z", + "project": { + "id": "0bdbc590-a062-4c3f-b0f6-9383f67865ee", + "name": "DevDiv", + "description": "Visual Studio and DevDiv team project for git source code repositories. Work items will be added for Adams, Dev14 work items are tracked in vstfdevdiv. ", + "url": "https://devdiv.visualstudio.com/_apis/projects/0bdbc590-a062-4c3f-b0f6-9383f67865ee", + "state": "wellFormed", + "revision": 418097676, + "visibility": 0 + } +} diff --git a/buildpipeline/security/pipeline.json b/buildpipeline/security/pipeline.json new file mode 100644 index 0000000000..ebce69b6c2 --- /dev/null +++ b/buildpipeline/security/pipeline.json @@ -0,0 +1,22 @@ +{ + "Repository": "corefx", + "Definitions": { + "Path": ".", + "Type": "VSTS", + "BaseUrl": "https://devdiv.visualstudio.com/DefaultCollection", + "SkipBranchAndVersionOverrides": "false" + }, + "Pipelines": [ + { + "Name": "Security Build for Windows", + "Parameters": { + "TreatWarningsAsErrors": "false" + }, + "Definitions": [ + { + "Name": "DotNet-CoreFx-Security-Windows" + } + ] + } + ] +} |