maxmustermann/PowerShell
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
PowerShell/tools/releaseBuild/azureDevOps/templates/compliance.yml
Andrew Schwartzmeyer 2671776cec
Explicitly set targetArgument for TermCheck 
The `optionsXS` flag defaults to 1 (to enable recursion). What's missing
is the target argument, our sources directory. (It's probably defaulting
to the given value, but we can explicit about this.) We just need to not
override `optionsXS` as we were previously doing with 0 to disable
recursion.
2021-09-01 17:53:20 -07:00

158 lines
4.6 KiB
YAML
Raw Blame History

parameters:
parentJobs: []
jobs:
- job: compliance
variables:
- name: runCodesignValidationInjection
value : false
- name: NugetSecurityAnalysisWarningLevel
value: none
# Defines the variables APIScanClient, APIScanTenant and APIScanSecret
- group: PS-PS-APIScan
displayName: Compliance
dependsOn:
${{ parameters.parentJobs }}
pool:
name: PowerShell1ES
demands:
- ImageOverride -equals MMS2019
# APIScan can take a long time
timeoutInMinutes: 180
steps:
- checkout: self
clean: true
- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)
- task: DownloadBuildArtifacts@0
displayName: 'Download artifacts'
inputs:
buildType: current
downloadType: single
artifactName: results
downloadPath: '$(System.ArtifactsDirectory)'
- powershell: |
dir "$(System.ArtifactsDirectory)\*" -Recurse
displayName: 'Capture artifacts directory'
continueOnError: true
- template: expand-compliance.yml
parameters:
architecture: fxdependent
version: $(version)
- template: expand-compliance.yml
parameters:
architecture: x86
version: $(version)
- template: expand-compliance.yml
parameters:
architecture: x64
version: $(version)
- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
displayName: 'Run Defender Scan'
- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2
displayName: 'Run CredScan'
inputs:
suppressionsFile: tools/credScan/suppress.json
debugMode: false
continueOnError: true
- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
displayName: 'Run BinSkim '
inputs:
InputType: Basic
AnalyzeTarget: '$(CompliancePath)\*.dll;$(CompliancePath)\*.exe'
AnalyzeSymPath: 'SRV*'
AnalyzeVerbose: true
AnalyzeHashes: true
AnalyzeStatistics: true
continueOnError: true
- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1
displayName: 'Run PoliCheck'
inputs:
targetType: F
targetArgument: '$(Build.SourcesDirectory)'
optionsFC: 0
optionsPE: '1|2|3|4'
optionsHMENABLE: 0
optionsRulesDBPath: '$(Build.SourcesDirectory)\tools\terms\PowerShell-Terms-Rules.mdb'
optionsUEPath: $(Build.SourcesDirectory)\tools\terms\TermsExclusion.xml
continueOnError: true
# add RoslynAnalyzers
- task: securedevelopmentteam.vss-secure-development-tools.build-task-autoapplicability.AutoApplicability@1
displayName: 'Run AutoApplicability'
inputs:
ExternalRelease: true
IsSoftware: true
DataSensitivity: lbi
continueOnError: true
# add codeMetrics
- task: securedevelopmentteam.vss-secure-development-tools.build-task-vulnerabilityassessment.VulnerabilityAssessment@0
displayName: 'Run Vulnerability Assessment'
continueOnError: true
# FXCop is not applicable
# PreFASt is not applicable
- task: securedevelopmentteam.vss-secure-development-tools.build-task-apiscan.APIScan@2
displayName: 'Run APIScan'
inputs:
softwareFolder: '$(CompliancePath)'
softwareName: PowerShell
softwareVersionNum: '$(ReleaseTagVar)'
isLargeApp: false
preserveTempFiles: true
env:
AzureServicesAuthConnectionString: RunAs=App;AppId=$(APIScanClient);TenantId=$(APIScanTenant);AppKey=$(APIScanSecret)
continueOnError: true
- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
displayName: 'Publish Security Analysis Logs to Build Artifacts'
continueOnError: true
- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1
displayName: 'TSA upload to Codebase: PowerShellCore_201906'
inputs:
tsaVersion: TsaV2
codeBaseName: 'PowerShellCore_201906'
uploadFortifySCA: false
uploadFxCop: false
uploadModernCop: false
uploadPREfast: false
uploadRoslyn: false
uploadTSLint: false
- task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1
displayName: 'Create Security Analysis Report'
inputs:
TsvFile: false
APIScan: true
BinSkim: true
CredScan: true
PoliCheck: true
PoliCheckBreakOn: Severity2Above
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
snapshotForceEnabled: true
Reference in a new issue View git blame Copy permalink