From 9820cc10673e271bcfbf7a33425aef40cc0f1577 Mon Sep 17 00:00:00 2001
From: Matias Quaranta
Date: Wed, 1 Mar 2023 16:03:25 -0800
Subject: [PATCH 1/8] Update Binskim and follow warnings

---
 templates/static-tools.yml | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/templates/static-tools.yml b/templates/static-tools.yml
index b3ce2b11de..fe70835845 100644
--- a/templates/static-tools.yml
+++ b/templates/static-tools.yml
@@ -37,18 +37,8 @@ jobs:
 AnalyzeStatistics: false
 AnalyzeEnvironment: false
 
- #Analyze source code for type of content and target types to help determine which tools to run
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-autoapplicability.AutoApplicability@1
- displayName: 'AutoApplicability'
- inputs:
- VerboseWriter: true
- ExternalRelease: true
- InternalRelease: true
- IsService: true
- IsSoftware: true
-
 # Analyze source and build output text files for credentials
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@4
 displayName: 'CredScan'
 inputs:
 toolMajorVersion: V2

From 2865792b7859c215025c022f96b4380619df4dc0 Mon Sep 17 00:00:00 2001
From: Matias Quaranta
Date: Wed, 1 Mar 2023 16:10:28 -0800
Subject: [PATCH 2/8] Fixing task

---
 templates/static-tools.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/static-tools.yml b/templates/static-tools.yml
index fe70835845..0076c51c09 100644
--- a/templates/static-tools.yml
+++ b/templates/static-tools.yml
@@ -23,7 +23,7 @@ jobs:
 arguments: '-p:Optimize=true -p:IsPreview=true --configuration Release'
 versioningScheme: OFF
 
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@3
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4
 displayName: 'BinSkim'
 inputs:
 toolVersion: Latest
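Review bot: The AutoApplicability@1 step is deleted in this hunk with nothing in the subject ('Update Binskim and follow warnings') or a comment recording why, and the same happens again in PATCH 3/8 (the VulnerabilityAssessment@0 step, under 'More version bumps') and PATCH 5/8 (`AnalyzeConfigPath: default`, under 'Padding'). Each removal narrows what the static-tools job checks, so the reason — presumably a deprecation warning surfaced by the task bumps, but that is inferred — belongs where the next maintainer will look: a sentence in the commit message, or a comment at the removal site such as `# AutoApplicability step removed: <reason — fill in>`. Separately, the CredScan bump to @4 made here is reverted to @3 in PATCH 2/8 ('Fixing task'), so the series leaves CredScan at its original version; squashing those two hunks would keep the history honest.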
@@ -38,7 +38,7 @@ jobs:
 AnalyzeEnvironment: false
 
 # Analyze source and build output text files for credentials
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@4
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
 displayName: 'CredScan'
 inputs:
 toolMajorVersion: V2

From 01efbc5f6d890053fffc6b6aa2d5a3301a0704fa Mon Sep 17 00:00:00 2001
From: Matias Quaranta
Date: Wed, 1 Mar 2023 16:41:06 -0800
Subject: [PATCH 3/8] More version bumps

---
 templates/static-tools.yml | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/templates/static-tools.yml b/templates/static-tools.yml
index 0076c51c09..605ae97121 100644
--- a/templates/static-tools.yml
+++ b/templates/static-tools.yml
@@ -48,22 +48,18 @@ jobs:
 verboseOutput: false
 
 # Scan text elements including code, code comments, and content/web pages, for sensitive terms based on legal, cultural, or geopolitical reasons
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
 displayName: 'PoliCheck'
 inputs:
 targetType: F
 
 # AntiMalware scan
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@4
 displayName: 'AntiMalware'
 continueOnError: true # signature refresh failing resulting in tasks failures
 inputs:
 EnableServices: true
 
- # Run checks for recently discovered vulnerabilities which are not yet incorporated to another tool
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-vulnerabilityassessment.VulnerabilityAssessment@0
- displayName: 'Vulnerability Assessment'
-
 - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
 displayName: 'Component Governance Detection' #https://docs.opensource.microsoft.com/tools/cg.html
 inputs:
@@ -71,11 +67,11 @@ jobs:
 failOnAlert: true
 
 # Publish Analysis Results (position after all tools ran)
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
 displayName: 'Publish Security Analysis Logs'
 
 # The Post-Analysis build task will analyze the log files produced by the tools, and introduce a build break
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
 displayName: 'Post Analysis'
 inputs:
 AllTools: true

From 98229fbaec09c777929c6dd53f0674a86b057772 Mon Sep 17 00:00:00 2001
From: Matias Quaranta
Date: Thu, 2 Mar 2023 08:03:53 -0800
Subject: [PATCH 4/8] binskim args

---
 templates/static-tools.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/templates/static-tools.yml b/templates/static-tools.yml
index 605ae97121..a09fad93ad 100644
--- a/templates/static-tools.yml
+++ b/templates/static-tools.yml
@@ -26,10 +26,7 @@ jobs:
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4
 displayName: 'BinSkim'
 inputs:
- toolVersion: Latest
- InputType: Basic
- Function: analyze
- AnalyzeTarget: $(Build.SourcesDirectory)\Microsoft.Azure.Cosmos\src\bin\Release\netstandard2.0\Microsoft.Azure.Cosmos.Client.dll
+ AnalyzeTargetGlob: $(Build.SourcesDirectory)\Microsoft.Azure.Cosmos\src\bin\Release\netstandard2.0\Microsoft.Azure.Cosmos.Client.dll
 AnalyzeConfigPath: default
 AnalyzeRecurse: true
 AnalyzeVerbose: true

From c27d91f1a0ee3f05669e47bd5b665c076c4f0b29 Mon Sep 17 00:00:00 2001
From: Matias Quaranta
Date: Thu, 2 Mar 2023 08:04:16 -0800
Subject: [PATCH 5/8] Padding

---
 templates/static-tools.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/templates/static-tools.yml b/templates/static-tools.yml
index a09fad93ad..cb11d68d68 100644
--- a/templates/static-tools.yml
+++ b/templates/static-tools.yml
@@ -26,8 +26,7 @@ jobs:
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4
 displayName: 'BinSkim'
 inputs:
- AnalyzeTargetGlob: $(Build.SourcesDirectory)\Microsoft.Azure.Cosmos\src\bin\Release\netstandard2.0\Microsoft.Azure.Cosmos.Client.dll
- AnalyzeConfigPath: default
+ AnalyzeTargetGlob: $(Build.SourcesDirectory)\Microsoft.Azure.Cosmos\src\bin\Release\netstandard2.0\Microsoft.Azure.Cosmos.Client.dll
 AnalyzeRecurse: true
 AnalyzeVerbose: true
 AnalyzeHashes: false

From f5ef3f683c3aa15410a707836632eba562bf4ab0 Mon Sep 17 00:00:00 2001
From: Matias Quaranta
Date: Thu, 2 Mar 2023 08:59:16 -0800
Subject: [PATCH 6/8] policheck

---
 templates/static-tools.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/static-tools.yml b/templates/static-tools.yml
index cb11d68d68..b1a7bcf645 100644
--- a/templates/static-tools.yml
+++ b/templates/static-tools.yml
@@ -48,6 +48,7 @@ jobs:
 displayName: 'PoliCheck'
 inputs:
 targetType: F
+ optionsFC: 0
 
 # AntiMalware scan
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@4

From 20398b3138a329f1c3db510132c1ad54cf3f5aba Mon Sep 17 00:00:00 2001
From: Matias Quaranta
Date: Thu, 2 Mar 2023 09:19:21 -0800
Subject: [PATCH 7/8] postanalysis parameters

---
 templates/static-tools.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/templates/static-tools.yml b/templates/static-tools.yml
index b1a7bcf645..5ba07be075 100644
--- a/templates/static-tools.yml
+++ b/templates/static-tools.yml
@@ -71,4 +71,6 @@ jobs:
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
 displayName: 'Post Analysis'
 inputs:
- AllTools: true
+ GdnBreakFast: true
+ GdnBreakPolicyMinSev: Default
+ GdnBreakAllTools: true
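Review bot: `optionsFC: 0` in the PoliCheck@2 inputs (PATCH 6/8) is an unexplained numeric switch, and the subject line ('policheck') does not say what it selects or why it became necessary with the @2 bump. The template documents its steps with comments (`# AntiMalware scan`, the inline note on `continueOnError`), so give this input the same treatment, e.g. `optionsFC: 0  # <what 0 selects and why — confirm against the PoliCheck@2 input reference>`. If the value is effectively a boolean, say so in that comment as well, since a reader cannot tell from the bare `0`.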
From 9dd46e4da8cfba69d9ed39b51f95fe79d2f363d3 Mon Sep 17 00:00:00 2001
From: Matias Quaranta
Date: Thu, 2 Mar 2023 10:18:23 -0800
Subject: [PATCH 8/8] analysis settings

---
 templates/static-tools.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/templates/static-tools.yml b/templates/static-tools.yml
index 5ba07be075..fb7b375586 100644
--- a/templates/static-tools.yml
+++ b/templates/static-tools.yml
@@ -72,5 +72,8 @@ jobs:
 displayName: 'Post Analysis'
 inputs:
 GdnBreakFast: true
- GdnBreakPolicyMinSev: Default
- GdnBreakAllTools: true
+ GdnBreakAllTools: false
+ GdnBreakGdnToolCredScan: true
+ GdnBreakGdnToolBinSkim: true
+ GdnBreakGdnToolPoliCheck: true
+ GdnBreakGdnToolPoliCheckSeverity: Error
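Review bot: Switching `GdnBreakAllTools` to false and listing only CredScan, BinSkim and PoliCheck means results from the AntiMalware step no longer fail the build, and that step is already `continueOnError: true` (visible in the PATCH 3/8 context), so a detection there would only appear in the published logs. If that is deliberate, record it next to the new line, e.g. `GdnBreakAllTools: false  # AntiMalware intentionally excluded from the build break: step is continueOnError because of signature refresh failures`; if not, add the per-tool break input for AntiMalware following the `GdnBreakGdnTool<Tool>` pattern used here (confirm the exact input name against the PostAnalysis@2 task). Dropping `GdnBreakPolicyMinSev: Default` also leaves the break threshold for CredScan and BinSkim at whatever the task's built-in default is, whereas PoliCheck is pinned to `Error`; pinning the other two explicitly, or commenting why the default is acceptable, would make the gate's behaviour reviewable from the file alone. The PostAnalysis task entry this `inputs:` mapping belongs to starts one line above the hunk.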