diff --git a/build-tools/automation/azure-pipelines.yaml b/build-tools/automation/azure-pipelines.yaml index 0ca96a500ec..8f0cd6df4ac 100644 --- a/build-tools/automation/azure-pipelines.yaml +++ b/build-tools/automation/azure-pipelines.yaml 
@@ -452,12 +452,73 @@ stages: - dotnet_prepare_release condition: and(eq(variables['MicroBuildSignType'], 'Real'), eq(dependencies.dotnet_prepare_release.result, 'Succeeded')) jobs: - - template: compliance/sbom/job.v1.yml@yaml-templates - parameters: - artifactNames: [ nuget-signed, nuget-linux-signed, vs-msi-nugets, vsdrop-signed ] - packageName: xamarin-android - packageFilter: '*.nupkg;*.msi' - GitHub.Token: $(GitHub.Token) + - job: sbom + displayName: Generate SBOM + timeoutInMinutes: 60 + pool: + name: AzurePipelines-EO + demands: + - ImageOverride -equals AzurePipelinesWindows2022compliant + variables: + Packaging.EnableSBOMSigning: true + workspace: + clean: all + steps: + - checkout: self + submodules: recursive + + - task: DownloadPipelineArtifact@2 + inputs: + artifactName: nuget-signed + downloadPath: $(Build.StagingDirectory)\packages + patterns: '*.nupkg' + + - task: DownloadPipelineArtifact@2 + inputs: + artifactName: nuget-linux-signed + downloadPath: $(Build.StagingDirectory)\packages + patterns: '*.nupkg' + + - task: DownloadPipelineArtifact@2 + inputs: + artifactName: $(WindowsToolchainPdbArtifactName) + downloadPath: $(Build.StagingDirectory)\packages + + - task: DownloadPipelineArtifact@2 + inputs: + artifactName: vs-msi-nugets + downloadPath: $(Build.StagingDirectory)\packages + patterns: '*.nupkg' + + - task: DownloadPipelineArtifact@2 + inputs: + artifactName: vsdrop-signed + downloadPath: $(Build.StagingDirectory)\packages + patterns: '*.msi' + + - task: DownloadPipelineArtifact@2 + inputs: + artifactName: vsdrop-multitarget-signed + downloadPath: $(Build.StagingDirectory)\packages + patterns: '*.msi' + + - task: DownloadPipelineArtifact@2 + inputs: + artifactName: sbom-components-macos + downloadPath: $(Build.StagingDirectory)\sbom\components-macos + + - task: DownloadPipelineArtifact@2 + inputs: + artifactName: sbom-components-linux + downloadPath: $(Build.StagingDirectory)\sbom\components-linux + + - template: 
compliance/sbom/scan.v1.yml@yaml-templates + parameters: + dropDirectory: $(Build.StagingDirectory)\packages + componentsDirectory: $(Build.StagingDirectory)\sbom + manifestDirectory: $(Build.StagingDirectory)\sbom + packageName: .NET Android + packageVersionRegex: '(?i)^Microsoft.*\.(?\d+\.\d+\.\d+(-.*)?\.\d+).nupkg$' # Check - "Xamarin.Android (Compliance)" - template: security/full/v0.yml@yaml-templates diff --git a/build-tools/automation/yaml-templates/build-linux.yaml b/build-tools/automation/yaml-templates/build-linux.yaml index 9e684725b90..12ea459a70e 100644 --- a/build-tools/automation/yaml-templates/build-linux.yaml +++ b/build-tools/automation/yaml-templates/build-linux.yaml @@ -85,6 +85,29 @@ stages: artifactName: ${{ parameters.nugetArtifactName }} targetPath: $(System.DefaultWorkingDirectory)/xamarin-android/bin/Build$(XA.Build.Configuration)/nuget-linux + - powershell: | + [IO.Directory]::CreateDirectory("$(Build.StagingDirectory)/empty") + [IO.Directory]::CreateDirectory("$(Build.StagingDirectory)/sbom-components") + displayName: create SBOM directories + condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) + + - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: generate components SBOM + condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) + inputs: + BuildDropPath: $(Build.StagingDirectory)/empty + BuildComponentPath: $(System.DefaultWorkingDirectory)/xamarin-android + ManifestDirPath: $(Build.StagingDirectory)/sbom-components + PackageName: .NET Android + Verbosity: Verbose + + - task: PublishBuildArtifacts@1 + displayName: publish components SBOM + condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) + inputs: + artifactName: sbom-components-linux + pathToPublish: $(Build.StagingDirectory)/sbom-components + - template: upload-results.yaml parameters: xaSourcePath: $(System.DefaultWorkingDirectory)/xamarin-android 
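Review bot: The `packageVersionRegex` value on the hunk's last added line does not look like a valid .NET pattern as printed: `(?\d+` opens neither a named nor a non-capturing group, and as far as I know the .NET regex parser rejects it as an unrecognized grouping construct, so the scan template would fail before it ever extracts a version. If the named-group opener (`(?<version>`) was merely lost in rendering, that part is fine, but the trailing `.nupkg$` should still escape the dot, `\.nupkg$`, so that an unescaped `.` does not match any character. The download of `$(WindowsToolchainPdbArtifactName)` into the same `packages` drop is the only one without a `patterns` filter; a short comment such as `# no patterns: the whole PDB artifact is part of the shipped drop` would tell readers this is deliberate rather than an omission. The enclosing stage and its `condition:` begin before this hunk.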
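Review bot: The three new steps (create directories, ManifestGeneratorTask, PublishBuildArtifacts) are repeated verbatim in build-macos.yaml in the next hunk with only `artifactName` differing, so the `MicroBuildSignType` condition, `BuildComponentPath` and `PackageName` now live in two places; a shared step template taking an `artifactName` parameter (say `sbom-components.yaml`, next to the `upload-results.yaml` template this hunk already includes) would keep them in one. The `powershell:` shortcut on a Linux agent also stands out: creating two directories is idiomatically `- script: mkdir -p $(Build.StagingDirectory)/empty $(Build.StagingDirectory)/sbom-components`, which avoids depending on which PowerShell flavour the agent resolves `powershell:` to. `PackageName: .NET Android` is an unquoted plain scalar starting with `.`; it parses as a string, but `PackageName: '.NET Android'` makes that unambiguous. The enclosing job begins before this hunk.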
diff --git a/build-tools/automation/yaml-templates/build-macos.yaml b/build-tools/automation/yaml-templates/build-macos.yaml index 363f840c229..919fa4d419e 100644 --- a/build-tools/automation/yaml-templates/build-macos.yaml +++ b/build-tools/automation/yaml-templates/build-macos.yaml @@ -60,6 +60,29 @@ stages: parameters: condition: and(succeededOrFailed(), eq(variables['MicroBuildSignType'], 'Real')) + - powershell: | + [IO.Directory]::CreateDirectory("$(Build.StagingDirectory)/empty") + [IO.Directory]::CreateDirectory("$(Build.StagingDirectory)/sbom-components") + displayName: create SBOM directories + condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) + + - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: generate components SBOM + condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) + inputs: + BuildDropPath: $(Build.StagingDirectory)/empty + BuildComponentPath: $(System.DefaultWorkingDirectory)/xamarin-android + ManifestDirPath: $(Build.StagingDirectory)/sbom-components + PackageName: .NET Android + Verbosity: Verbose + + - task: PublishBuildArtifacts@1 + displayName: publish components SBOM + condition: and(succeeded(), eq(variables['MicroBuildSignType'], 'Real')) + inputs: + artifactName: sbom-components-macos + pathToPublish: $(Build.StagingDirectory)/sbom-components + - script: > mkdir -p $(System.DefaultWorkingDirectory)/xamarin-android/bin/Build$(XA.Build.Configuration)/windows-toolchain-pdb && cd $(System.DefaultWorkingDirectory)/xamarin-android/bin/$(XA.Build.Configuration)/lib/packs/Microsoft.Android.Sdk.Darwin/*/tools/binutils/windows-toolchain-pdb &&
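Review bot: `BuildDropPath: $(Build.StagingDirectory)/empty` points the manifest generator at a directory whose only purpose is to be empty, which reads as a mistake without an explanation in the file; a comment above the task along the lines of `# drop path is intentionally empty: this step only inventories the source tree (BuildComponentPath); the package SBOM is produced in the sbom job` would spare the next reader a trip to the task docs. I am inferring that intent from the displayName "generate components SBOM" and from the `empty` directory being created in the preceding step, so please confirm it. The identical step in build-linux.yaml would take the same comment. The enclosing job starts before this hunk, and the `- script: >` context line after the new steps continues past it.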