
Commit 42efe9a

committed
align with 17.12
2 parents fd29258 + e11d707 commit 42efe9a

5 files changed

+433
-0
lines changed

Lines changed: 86 additions & 0 deletions
@@ -0,0 +1,86 @@
1+
parameters:
2+
overrideGuardianVersion: ''
3+
executeAllSdlToolsScript: ''
4+
overrideParameters: ''
5+
additionalParameters: ''
6+
publishGuardianDirectoryToPipeline: false
7+
sdlContinueOnError: false
8+
condition: ''
9+
10+
steps:
11+
- task: NuGetAuthenticate@1
12+
13+
- task: NuGetToolInstaller@1
14+
displayName: 'Install NuGet.exe'
15+
16+
- ${{ if ne(parameters.overrideGuardianVersion, '') }}:
17+
- pwsh: |
18+
Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
19+
. .\sdl.ps1
20+
$guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts -Version ${{ parameters.overrideGuardianVersion }}
21+
Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
22+
displayName: Install Guardian (Overridden)
23+
24+
- ${{ if eq(parameters.overrideGuardianVersion, '') }}:
25+
- pwsh: |
26+
Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
27+
. .\sdl.ps1
28+
$guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts
29+
Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
30+
displayName: Install Guardian
31+
32+
- ${{ if ne(parameters.overrideParameters, '') }}:
33+
- powershell: ${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}
34+
displayName: Execute SDL (Overridden)
35+
continueOnError: ${{ parameters.sdlContinueOnError }}
36+
condition: ${{ parameters.condition }}
37+
38+
- ${{ if eq(parameters.overrideParameters, '') }}:
39+
- powershell: ${{ parameters.executeAllSdlToolsScript }}
40+
-GuardianCliLocation $(GuardianCliLocation)
41+
-NugetPackageDirectory $(Build.SourcesDirectory)\.packages
42+
-AzureDevOpsAccessToken $(dn-bot-dotnet-build-rw-code-rw)
43+
${{ parameters.additionalParameters }}
44+
displayName: Execute SDL
45+
continueOnError: ${{ parameters.sdlContinueOnError }}
46+
condition: ${{ parameters.condition }}
47+
48+
- ${{ if ne(parameters.publishGuardianDirectoryToPipeline, 'false') }}:
49+
# We want to publish the Guardian results and configuration for easy diagnosis. However, the
50+
# '.gdn' dir is a mix of configuration, results, extracted dependencies, and Guardian default
51+
# tooling files. Some of these files are large and aren't useful during an investigation, so
52+
# exclude them by simply deleting them before publishing. (As of writing, there is no documented
53+
# way to selectively exclude a dir from the pipeline artifact publish task.)
54+
- task: DeleteFiles@1
55+
displayName: Delete Guardian dependencies to avoid uploading
56+
inputs:
57+
SourceFolder: $(Agent.BuildDirectory)/.gdn
58+
Contents: |
59+
c
60+
i
61+
condition: succeededOrFailed()
62+
63+
- publish: $(Agent.BuildDirectory)/.gdn
64+
artifact: GuardianConfiguration
65+
displayName: Publish GuardianConfiguration
66+
condition: succeededOrFailed()
67+
68+
# Publish the SARIF files in a container named CodeAnalysisLogs to enable integration
69+
# with the "SARIF SAST Scans Tab" Azure DevOps extension
70+
- task: CopyFiles@2
71+
displayName: Copy SARIF files
72+
inputs:
73+
flattenFolders: true
74+
sourceFolder: $(Agent.BuildDirectory)/.gdn/rc/
75+
contents: '**/*.sarif'
76+
targetFolder: $(Build.SourcesDirectory)/CodeAnalysisLogs
77+
condition: succeededOrFailed()
78+
79+
# Use PublishBuildArtifacts because the SARIF extension only checks this case
80+
# see microsoft/sarif-azuredevops-extension#4
81+
- task: PublishBuildArtifacts@1
82+
displayName: Publish SARIF files to CodeAnalysisLogs container
83+
inputs:
84+
pathToPublish: $(Build.SourcesDirectory)/CodeAnalysisLogs
85+
artifactName: CodeAnalysisLogs
86+
condition: succeededOrFailed()
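Review bot: The default "Execute SDL" step (new lines 39-43) passes the secret `$(dn-bot-dotnet-build-rw-code-rw)` as a command-line argument, so the token value is substituted into the inline script text before PowerShell runs it instead of staying in the step's environment. Map it through the step's `env:` block and reference the environment variable in the argument, e.g. `SDL_AZDO_TOKEN: $(dn-bot-dotnet-build-rw-code-rw)` under `env:` with `-AzureDevOpsAccessToken $env:SDL_AZDO_TOKEN` (variable name constructed for illustration). The variable's name suggests a read-write code scope; the SDL script is not on this page, so whether a narrower token would suffice needs confirming against it.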
Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,89 @@
1+
parameters:
2+
overrideGuardianVersion: ''
3+
executeAllSdlToolsScript: ''
4+
overrideParameters: ''
5+
additionalParameters: ''
6+
publishGuardianDirectoryToPipeline: false
7+
sdlContinueOnError: false
8+
condition: ''
9+
10+
steps:
11+
- task: NuGetAuthenticate@1
12+
13+
- task: NuGetToolInstaller@1
14+
displayName: 'Install NuGet.exe'
15+
16+
- ${{ if ne(parameters.overrideGuardianVersion, '') }}:
17+
- pwsh: |
18+
Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
19+
. .\sdl.ps1
20+
$guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts -Version ${{ parameters.overrideGuardianVersion }}
21+
Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
22+
displayName: Install Guardian (Overridden)
23+
24+
- ${{ if eq(parameters.overrideGuardianVersion, '') }}:
25+
- pwsh: |
26+
Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
27+
. .\sdl.ps1
28+
$guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts
29+
Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
30+
displayName: Install Guardian
31+
32+
- ${{ if ne(parameters.overrideParameters, '') }}:
33+
- powershell: ${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}
34+
displayName: Execute SDL (Overridden)
35+
continueOnError: ${{ parameters.sdlContinueOnError }}
36+
condition: ${{ parameters.condition }}
37+
env:
38+
GUARDIAN_DEFAULT_PACKAGE_SOURCE_SECRET: $(System.AccessToken)
39+
40+
- ${{ if eq(parameters.overrideParameters, '') }}:
41+
- powershell: ${{ parameters.executeAllSdlToolsScript }}
42+
-GuardianCliLocation $(GuardianCliLocation)
43+
-NugetPackageDirectory $(Build.SourcesDirectory)\.packages
44+
${{ parameters.additionalParameters }}
45+
displayName: Execute SDL
46+
continueOnError: ${{ parameters.sdlContinueOnError }}
47+
condition: ${{ parameters.condition }}
48+
env:
49+
GUARDIAN_DEFAULT_PACKAGE_SOURCE_SECRET: $(System.AccessToken)
50+
51+
- ${{ if ne(parameters.publishGuardianDirectoryToPipeline, 'false') }}:
52+
# We want to publish the Guardian results and configuration for easy diagnosis. However, the
53+
# '.gdn' dir is a mix of configuration, results, extracted dependencies, and Guardian default
54+
# tooling files. Some of these files are large and aren't useful during an investigation, so
55+
# exclude them by simply deleting them before publishing. (As of writing, there is no documented
56+
# way to selectively exclude a dir from the pipeline artifact publish task.)
57+
- task: DeleteFiles@1
58+
displayName: Delete Guardian dependencies to avoid uploading
59+
inputs:
60+
SourceFolder: $(Agent.BuildDirectory)/.gdn
61+
Contents: |
62+
c
63+
i
64+
condition: succeededOrFailed()
65+
66+
- publish: $(Agent.BuildDirectory)/.gdn
67+
artifact: GuardianConfiguration
68+
displayName: Publish GuardianConfiguration
69+
condition: succeededOrFailed()
70+
71+
# Publish the SARIF files in a container named CodeAnalysisLogs to enable integration
72+
# with the "SARIF SAST Scans Tab" Azure DevOps extension
73+
- task: CopyFiles@2
74+
displayName: Copy SARIF files
75+
inputs:
76+
flattenFolders: true
77+
sourceFolder: $(Agent.BuildDirectory)/.gdn/rc/
78+
contents: '**/*.sarif'
79+
targetFolder: $(Build.SourcesDirectory)/CodeAnalysisLogs
80+
condition: succeededOrFailed()
81+
82+
# Use PublishBuildArtifacts because the SARIF extension only checks this case
83+
# see microsoft/sarif-azuredevops-extension#4
84+
- task: PublishBuildArtifacts@1
85+
displayName: Publish SARIF files to CodeAnalysisLogs container
86+
inputs:
87+
pathToPublish: $(Build.SourcesDirectory)/CodeAnalysisLogs
88+
artifactName: CodeAnalysisLogs
89+
condition: succeededOrFailed()
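Review bot: Template parameters are spliced verbatim into PowerShell on new lines 20, 33 and 41-44 (`-Version ${{ parameters.overrideGuardianVersion }}`, `${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}`, `${{ parameters.additionalParameters }}`), and in this file both Execute SDL steps also carry `$(System.AccessToken)` in their environment. Anything a consuming pipeline forwards into these parameters becomes script text in a step that holds the job token; whether any caller forwards queue-time or otherwise user-settable values is not visible here. I would add a comment above `parameters:` such as `# Values are inserted into PowerShell unescaped; pass only pipeline-author-controlled literals.` and, as a small hardening, quote the version: `-Version '${{ parameters.overrideGuardianVersion }}'`. The first file section on this page has the same expressions at its lines 20, 33 and 39-43.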
