add compliance pipeline (#130289)

Adding SDL compliance pipeline
2021-08-09 07:37:21 -07:00 · 2021-08-09 07:37:21 -07:00 · c0f739ea25
parent c00e89d9ae
commit c0f739ea25
3 changed files with 350 additions and 0 deletions
--- a/build/azure-pipelines/.gdntsa
+++ b/build/azure-pipelines/.gdntsa
@ -0,0 +1,21 @@
+{
+    "codebaseName": "vscode-client",
+    "ppe": false,
+    "notificationAliases": [
+        "sbatten@microsoft.com"
+    ],
+    "codebaseAdmins": [
+        "REDMOND\\stbatt",
+        "REDMOND\\monacotools",
+    ],
+    "instanceUrl": "https://msazure.visualstudio.com/defaultcollection",
+    "projectName": "One",
+    "areaPath": "One\\VSCode\\Client",
+    "iterationPath": "One",
+    "notifyAlways": true,
+    "tools": [
+        "BinSkim",
+        "CredScan",
+        "CodeQL"
+    ]
+}
--- a/build/azure-pipelines/sdl-scan.yml
+++ b/build/azure-pipelines/sdl-scan.yml
@ -0,0 +1,225 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: ENABLE_TERRAPIN
+    displayName: "Enable Terrapin"
+    type: boolean
+    default: true
+  - name: SCAN_WINDOWS
+    displayName: "Scan Windows"
+    type: boolean
+    default: true
+  - name: SCAN_LINUX
+    displayName: "Scan Linux"
+    type: boolean
+    default: false
+
+variables:
+  - name: ENABLE_TERRAPIN
+    value: ${{ eq(parameters.ENABLE_TERRAPIN, true) }}
+  - name: SCAN_WINDOWS
+    value: ${{ eq(parameters.SCAN_WINDOWS, true) }}
+  - name: SCAN_LINUX
+    value: ${{ eq(parameters.SCAN_LINUX, true) }}
+  - name: VSCODE_MIXIN_REPO
+    value: microsoft/vscode-distro
+  - name: skipComponentGovernanceDetection
+    value: true
+  - name: NPM_ARCH
+    value: x64
+  - name: VSCODE_ARCH
+    value: x64
+
+stages:
+- stage: Windows
+  condition: eq(variables.SCAN_WINDOWS, 'true')
+  pool:
+    vmImage: VS2017-Win2016
+  jobs:
+    - job: WindowsJob
+      timeoutInMinutes: 0
+      steps:
+      - task: CredScan@3
+        continueOnError: true
+        inputs:
+          scanFolder: '$(Build.SourcesDirectory)'
+          outputFormat: 'pre'
+      - task: NodeTool@0
+        inputs:
+          versionSpec: "14.x"
+
+      - task: geeklearningio.gl-vsts-tasks-yarn.yarn-installer-task.YarnInstaller@2
+        inputs:
+          versionSpec: "1.x"
+
+      - task: AzureKeyVault@1
+        displayName: "Azure Key Vault: Get Secrets"
+        inputs:
+          azureSubscription: "vscode-builds-subscription"
+          KeyVaultName: vscode
+          SecretsFilter: "github-distro-mixin-password,ESRP-SSL-AADAuth,vscode-storage-key,builds-docdb-key-readwrite"
+
+      - powershell: |
+          . build/azure-pipelines/win32/exec.ps1
+          $ErrorActionPreference = "Stop"
+          "machine github.com`nlogin vscode`npassword $(github-distro-mixin-password)" | Out-File "$env:USERPROFILE\_netrc" -Encoding ASCII
+
+          exec { git config user.email "vscode@microsoft.com" }
+          exec { git config user.name "VSCode" }
+        displayName: Prepare tooling
+
+      - powershell: |
+          . build/azure-pipelines/win32/exec.ps1
+          $ErrorActionPreference = "Stop"
+          exec { git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro") }
+        displayName: Merge distro
+
+      - powershell: |
+          . build/azure-pipelines/win32/exec.ps1
+          $ErrorActionPreference = "Stop"
+          exec { npx https://aka.ms/enablesecurefeed standAlone }
+        timeoutInMinutes: 5
+        condition: and(succeeded(), eq(variables['ENABLE_TERRAPIN'], 'true'))
+        displayName: Switch to Terrapin packages
+
+      - task: Semmle@1
+        inputs:
+          sourceCodeDirectory: '$(Build.SourcesDirectory)'
+          language: 'cpp'
+          buildCommandsString: 'yarn --frozen-lockfile'
+          querySuite: 'Required'
+          timeout: '1800'
+          ram: '16384'
+          addProjectDirToScanningExclusionList: true
+        env:
+          npm_config_arch: "$(NPM_ARCH)"
+          npm_config_build_from_source: true
+          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+        displayName: CodeQL
+
+      - powershell: |
+          . build/azure-pipelines/win32/exec.ps1
+          . build/azure-pipelines/win32/retry.ps1
+          $ErrorActionPreference = "Stop"
+          $env:npm_config_arch="$(NPM_ARCH)"
+          $env:npm_config_build_from_source="true"
+          $env:CHILD_CONCURRENCY="1"
+          retry { exec { yarn --frozen-lockfile } }
+        env:
+          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+        displayName: Install dependencies
+
+      - powershell: |
+          . build/azure-pipelines/win32/exec.ps1
+          $ErrorActionPreference = "Stop"
+          exec { yarn gulp "vscode-symbols-win32-$(VSCODE_ARCH)" }
+        displayName: Download Symbols
+
+      - task: BinSkim@4
+        inputs:
+          InputType: 'Basic'
+          Function: 'analyze'
+          TargetPattern: 'guardianGlob'
+          AnalyzeTargetGlob: '$(agent.builddirectory)\scanbin\**.dll;$(agent.builddirectory)\scanbin\**.exe;$(agent.builddirectory)\scanbin\**.node'
+          AnalyzeLocalSymbolDirectories: '$(agent.builddirectory)\scanbin\VSCode-win32-$(VSCODE_ARCH)\pdb'
+          
+      - task: TSAUpload@2
+        inputs:
+          GdnPublishTsaOnboard: true
+          GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\build\azure-pipelines\.gdntsa'
+
+- stage: Linux
+  dependsOn: []
+  condition: eq(variables.SCAN_LINUX, 'true')
+  pool:
+    vmImage: "Ubuntu-18.04"
+  jobs:
+    - job: LinuxJob
+      steps:
+      - task: CredScan@2
+        inputs:
+          toolMajorVersion: 'V2'
+      - task: NodeTool@0
+        inputs:
+          versionSpec: "14.x"
+
+      - task: geeklearningio.gl-vsts-tasks-yarn.yarn-installer-task.YarnInstaller@2
+        inputs:
+          versionSpec: "1.x"
+
+      - task: AzureKeyVault@1
+        displayName: "Azure Key Vault: Get Secrets"
+        inputs:
+          azureSubscription: "vscode-builds-subscription"
+          KeyVaultName: vscode
+          SecretsFilter: "github-distro-mixin-password,ESRP-SSL-AADAuth,vscode-storage-key,builds-docdb-key-readwrite"
+
+      - script: |
+          set -e
+          cat << EOF > ~/.netrc
+          machine github.com
+          login vscode
+          password $(github-distro-mixin-password)
+          EOF
+
+          git config user.email "vscode@microsoft.com"
+          git config user.name "VSCode"
+        displayName: Prepare tooling
+
+      - script: |
+          set -e
+          git pull --no-rebase https://github.com/$(VSCODE_MIXIN_REPO).git $(node -p "require('./package.json').distro")
+        displayName: Merge distro
+
+      - script: |
+          set -e
+          npx https://aka.ms/enablesecurefeed standAlone
+        timeoutInMinutes: 5
+        condition: and(succeeded(), ne(variables.NODE_MODULES_RESTORED, 'true'), eq(variables['ENABLE_TERRAPIN'], 'true'))
+        displayName: Switch to Terrapin packages
+
+      - script: |
+          set -e
+          export npm_config_arch=$(NPM_ARCH)
+          export npm_config_build_from_source=true
+
+          if [ -z "$CC" ] || [ -z "$CXX" ]; then
+            export CC=$(which gcc-5)
+            export CXX=$(which g++-5)
+          fi
+
+          if [ "$VSCODE_ARCH" == "x64" ]; then
+            export VSCODE_REMOTE_CC=$(which gcc-4.8)
+            export VSCODE_REMOTE_CXX=$(which g++-4.8)
+          fi
+
+          for i in {1..3}; do # try 3 times, for Terrapin
+            yarn --frozen-lockfile && break
+            if [ $i -eq 3 ]; then
+              echo "Yarn failed too many times" >&2
+              exit 1
+            fi
+            echo "Yarn failed $i, trying again..."
+          done
+        env:
+          PLAYWRIGHT_SKIP_BROWSER_DOWNLOAD: 1
+          GITHUB_TOKEN: "$(github-distro-mixin-password)"
+        displayName: Install dependencies
+
+      - script: |
+          set -e
+          yarn gulp vscode-symbols-linux-$(VSCODE_ARCH)
+        displayName: Build
+
+      - task: BinSkim@3
+        inputs:
+          toolVersion: Latest
+          InputType:   CommandLine
+          arguments:   analyze $(agent.builddirectory)\scanbin\exe\*.* --recurse --local-symbol-directories $(agent.builddirectory)\scanbin\VSCode-linux-$(VSCODE_ARCH)\pdb
+
+      - task: TSAUpload@2
+        inputs:
+          GdnPublishTsaConfigFile: '$(Build.SourceDirectory)\build\azure-pipelines\.gdntsa'
--- a/build/gulpfile.scan.js
+++ b/build/gulpfile.scan.js
@ -0,0 +1,104 @@
+/*---------------------------------------------------------------------------------------------
+ *  Copyright (c) Microsoft Corporation. All rights reserved.
+ *  Licensed under the MIT License. See License.txt in the project root for license information.
+ *--------------------------------------------------------------------------------------------*/
+
+'use strict';
+
+const gulp = require('gulp');
+const path = require('path');
+const task = require('./lib/task');
+const util = require('./lib/util');
+const _ = require('underscore');
+const electron = require('gulp-atom-electron');
+const { config } = require('./lib/electron');
+const filter = require('gulp-filter');
+const deps = require('./lib/dependencies');
+
+const root = path.dirname(__dirname);
+
+const BUILD_TARGETS = [
+	{ platform: 'win32', arch: 'ia32' },
+	{ platform: 'win32', arch: 'x64' },
+	{ platform: 'win32', arch: 'arm64' },
+	{ platform: 'darwin', arch: null, opts: { stats: true } },
+	{ platform: 'linux', arch: 'ia32' },
+	{ platform: 'linux', arch: 'x64' },
+	{ platform: 'linux', arch: 'armhf' },
+	{ platform: 'linux', arch: 'arm64' },
+];
+
+BUILD_TARGETS.forEach(buildTarget => {
+	const dashed = (str) => (str ? `-${str}` : ``);
+	const platform = buildTarget.platform;
+	const arch = buildTarget.arch;
+
+	const destinationExe = path.join(path.dirname(root), 'scanbin', `VSCode${dashed(platform)}${dashed(arch)}`, 'bin');
+	const destinationPdb = path.join(path.dirname(root), 'scanbin', `VSCode${dashed(platform)}${dashed(arch)}`, 'pdb');
+
+	const tasks = [];
+
+	// removal tasks
+	tasks.push(util.rimraf(destinationExe), util.rimraf(destinationPdb));
+
+	// electron
+	tasks.push(() => electron.dest(destinationExe, _.extend({}, config, { platform, arch: arch === 'armhf' ? 'arm' : arch })));
+
+	// pdbs for windows
+	if (platform === 'win32') {
+		tasks.push(
+			() => electron.dest(destinationPdb, _.extend({}, config, { platform, arch: arch === 'armhf' ? 'arm' : arch, pdbs: true })),
+			util.rimraf(path.join(destinationExe, 'swiftshader')),
+			util.rimraf(path.join(destinationExe, 'd3dcompiler_47.dll')));
+	}
+
+	if (platform === 'linux') {
+		tasks.push(
+			() => electron.dest(destinationPdb, _.extend({}, config, { platform, arch: arch === 'armhf' ? 'arm' : arch, symbols: true }))
+		);
+	}
+
+	// node modules
+	tasks.push(
+		nodeModules(destinationExe, destinationPdb, platform)
+	);
+
+	const setupSymbolsTask = task.define(`vscode-symbols${dashed(platform)}${dashed(arch)}`,
+		task.series(...tasks)
+	);
+
+	gulp.task(setupSymbolsTask);
+});
+
+function nodeModules(destinationExe, destinationPdb, platform) {
+	const productionDependencies = deps.getProductionDependencies(root);
+	const dependenciesSrc = _.flatten(productionDependencies.map(d => path.relative(root, d.path)).map(d => [`${d}/**`, `!${d}/**/{test,tests}/**`]));
+
+	const exe = () => {
+		return gulp.src(dependenciesSrc, { base: '.', dot: true })
+			.pipe(filter(['**/*.node']))
+			.pipe(gulp.dest(destinationExe));
+	};
+
+	if (platform === 'win32') {
+		const pdb = () => {
+			return gulp.src(dependenciesSrc, { base: '.', dot: true })
+				.pipe(filter(['**/*.pdb']))
+				.pipe(gulp.dest(destinationPdb));
+		};
+
+		return gulp.parallel(exe, pdb);
+	}
+
+	if (platform === 'linux') {
+		const pdb = () => {
+			return gulp.src(dependenciesSrc, { base: '.', dot: true })
+				.pipe(filter(['**/*.sym']))
+				.pipe(gulp.dest(destinationPdb));
+		};
+
+		return gulp.parallel(exe, pdb);
+	}
+
+	return exe;
+}