From ac7f12709c524f99837fb0df035d1a4300158979 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Tue, 19 Dec 2023 16:42:07 -0700
Subject: [PATCH 01/11] Add ApiScan to nightly build
---
 .../automation/azure-pipelines-nightly.yaml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 4370dc175d1..b23f7ad7aab 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -48,6 +48,8 @@ stages:
 - group: xamops-azdev-secrets
 - name: Codeql.Enabled
 value: true
+ - name: ApiScan.Enabled
+ value: true
 steps:
 - checkout: self
 submodules: recursive
@@ -56,6 +58,35 @@ stages:
 parameters:
 makeMSBuildArgs: /p:EnableNativeAnalyzers=true
 
+ ### Copy .dll and .pdb files for APIScan
+ - task: CopyFiles@2
+ displayName: Collect Files for APIScan
+ inputs:
+ Contents: |
+ $(System.DefaultWorkingDirectory)/xamarin-android/bin/Release/dotnet/packs/Microsoft.Android*/**/?(*.dll|*.pdb)
+ TargetFolder: $(Build.StagingDirectory)/apiscan
+ OverWrite: true
+ flattenFolders: true
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+
+ - script: find $(Build.StagingDirectory)/apiscan
+ displayName: List Files for APIScan
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+
+ ### Run latest version of APIScan listed at https://www.1eswiki.com/wiki/APIScan_Build_Task
+ - task: APIScan@2
+ displayName: Run APIScan
+ inputs:
+ softwareFolder: $(Build.StagingDirectory)/apiscan
+ symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)/apiscan'
+ softwareName: $(ApiScanName)
+ softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)-$(Rev:r)
+ isLargeApp: true
+ toolVersion: Latest
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+ env:
+ AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+
 - template: yaml-templates/upload-results.yaml
 parameters:
 xaSourcePath: $(System.DefaultWorkingDirectory)/xamarin-android
From d8d7311e6baa987570a7690a5753af5eae4cad92 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Tue, 19 Dec 2023 16:43:18 -0700
Subject: [PATCH 02/11] Update branch condition
---
 build-tools/automation/azure-pipelines-nightly.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
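Review bot: `softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)-$(Rev:r)` in the `APIScan@2` inputs uses `$(Rev:r)`, which is a build-number-format token that is only expanded in the pipeline's top-level `name:`; as a step input it is, as far as I can tell, passed through literally, so every scan would be registered under a version string ending in the text `$(Rev:r)`. `$(Build.BuildId)` is unique per run without that token: `softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)-$(Build.BuildId)`. The `AzureServicesAuthConnectionString` env line assembles the client secret `$(ApiScanSecret)` into the task environment, which is the supported way to hand it over, but it is only masked in logs while that variable in `xamops-azdev-secrets` is marked secret, so that should be verified rather than assumed. The enclosing `steps:` list of `mac_build_create_installers` starts outside the hunk.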
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index b23f7ad7aab..1d50245e1a0 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -67,11 +67,11 @@ stages:
 TargetFolder: $(Build.StagingDirectory)/apiscan
 OverWrite: true
 flattenFolders: true
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
 
 - script: find $(Build.StagingDirectory)/apiscan
 displayName: List Files for APIScan
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
 
 ### Run latest version of APIScan listed at https://www.1eswiki.com/wiki/APIScan_Build_Task
 - task: APIScan@2
@@ -83,7 +83,7 @@ stages:
 softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)-$(Rev:r)
 isLargeApp: true
 toolVersion: Latest
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
 env:
 AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
From 9b6ea5b64262e4d03b27690fca1cc79db396b25a Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Tue, 19 Dec 2023 16:47:17 -0700
Subject: [PATCH 03/11] Run nightly build on internal macos images
---
 build-tools/automation/azure-pipelines-nightly.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 1d50245e1a0..d9516b26bcd 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -37,8 +37,8 @@ stages:
 - job: mac_build_create_installers
 displayName: macOS > Create Installers
 pool:
- name: VSEng-Xamarin-RedmondMac-Android-Untrusted
- demands: macOS.Name -equals Monterey
+ name: Azure Pipelines
+ vmImage: internal-macos12
 timeoutInMinutes: 420
 workspace:
 clean: all
From 9b6ea5b64262e4d03b27690fca1cc79db396b25a Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Dec 2023 10:55:45 -0700
Subject: [PATCH 04/11] Test copy earlier
---
 build-tools/automation/azure-pipelines-nightly.yaml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index d9516b26bcd..cff42be4695 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -54,16 +54,11 @@ stages:
 - checkout: self
 submodules: recursive
 
- - template: yaml-templates/commercial-build.yaml
- parameters:
- makeMSBuildArgs: /p:EnableNativeAnalyzers=true
-
 ### Copy .dll and .pdb files for APIScan
 - task: CopyFiles@2
 displayName: Collect Files for APIScan
 inputs:
- Contents: |
- $(System.DefaultWorkingDirectory)/xamarin-android/bin/Release/dotnet/packs/Microsoft.Android*/**/?(*.dll|*.pdb)
+ Contents: $(System.DefaultWorkingDirectory)/xamarin-android/build-*/**/?(*.props|*.targets)
 TargetFolder: $(Build.StagingDirectory)/apiscan
 OverWrite: true
 flattenFolders: true
@@ -73,6 +68,10 @@ stages:
 displayName: List Files for APIScan
 condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
 
+ - template: yaml-templates/commercial-build.yaml
+ parameters:
+ makeMSBuildArgs: /p:EnableNativeAnalyzers=true
+
 ### Run latest version of APIScan listed at https://www.1eswiki.com/wiki/APIScan_Build_Task
 - task: APIScan@2
 displayName: Run APIScan
From f906cf6d1e5e2112a530b0fd0f8e2b1f64d5b053 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Dec 2023 11:10:24 -0700
Subject: [PATCH 05/11] Fix pack path
---
 build-tools/automation/azure-pipelines-nightly.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index cff42be4695..171b2293bbc 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -54,11 +54,15 @@ stages:
 - checkout: self
 submodules: recursive
 
+ - template: yaml-templates/commercial-build.yaml
+ parameters:
+ makeMSBuildArgs: /p:EnableNativeAnalyzers=true
+
 ### Copy .dll and .pdb files for APIScan
 - task: CopyFiles@2
 displayName: Collect Files for APIScan
 inputs:
- Contents: $(System.DefaultWorkingDirectory)/xamarin-android/build-*/**/?(*.props|*.targets)
+ Contents: $(System.DefaultWorkingDirectory)/xamarin-android/bin/Release/lib/packs/Microsoft.Android*/**/?(*.dll|*.pdb)
 TargetFolder: $(Build.StagingDirectory)/apiscan
 OverWrite: true
 flattenFolders: true
@@ -68,10 +72,6 @@ stages:
 displayName: List Files for APIScan
 condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
 
- - template: yaml-templates/commercial-build.yaml
- parameters:
- makeMSBuildArgs: /p:EnableNativeAnalyzers=true
-
 ### Run latest version of APIScan listed at https://www.1eswiki.com/wiki/APIScan_Build_Task
 - task: APIScan@2
 displayName: Run APIScan
From 2967698e6a1c855fc7d0f91322f2d84e97819f21 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Dec 2023 14:32:06 -0700
Subject: [PATCH 06/11] Run APIScan in separate windows job
---
 .../automation/azure-pipelines-nightly.yaml | 80 ++++++++++++-------
 1 file changed, 52 insertions(+), 28 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 171b2293bbc..3ceab1e39e0 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -58,34 +58,6 @@ stages:
 parameters:
 makeMSBuildArgs: /p:EnableNativeAnalyzers=true
 
- ### Copy .dll and .pdb files for APIScan
- - task: CopyFiles@2
- displayName: Collect Files for APIScan
- inputs:
- Contents: $(System.DefaultWorkingDirectory)/xamarin-android/bin/Release/lib/packs/Microsoft.Android*/**/?(*.dll|*.pdb)
- TargetFolder: $(Build.StagingDirectory)/apiscan
- OverWrite: true
- flattenFolders: true
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
-
- - script: find $(Build.StagingDirectory)/apiscan
- displayName: List Files for APIScan
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
-
- ### Run latest version of APIScan listed at https://www.1eswiki.com/wiki/APIScan_Build_Task
- - task: APIScan@2
- displayName: Run APIScan
- inputs:
- softwareFolder: $(Build.StagingDirectory)/apiscan
- symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)/apiscan'
- softwareName: $(ApiScanName)
- softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)-$(Rev:r)
- isLargeApp: true
- toolVersion: Latest
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
- env:
- AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
-
 - template: yaml-templates/upload-results.yaml
 parameters:
 xaSourcePath: $(System.DefaultWorkingDirectory)/xamarin-android
@@ -310,3 +282,55 @@ stages:
 artifactName: Test Results - Localization With Emulator - macOS-$(System.JobPositionInPhase)
 
 - template: yaml-templates/fail-on-issue.yaml
+
+
+ - stage: compliance_scan
+ displayName: Compliance
+ dependsOn: mac_build
+ jobs:
+ - job: api_scan
+ displayName: API Scan
+ pool:
+ name: Azure Pipelines
+ vmImage: windows-2022
+ timeoutInMinutes: 180
+ workspace:
+ clean: all
+ variables:
+ - name: ApiScan.Enabled
+ value: true
+ steps:
+ - template: yaml-templates/setup-test-environment.yaml
+ parameters:
+ installApkDiff: false
+ installLegacyDotNet: false
+ restoreNUnitConsole: false
+ updateMono: false
+
+ ### Copy .dll and .pdb files for APIScan
+ - task: CopyFiles@2
+ displayName: Collect Files for APIScan
+ inputs:
+ Contents: $(System.DefaultWorkingDirectory)\xamarin-android\bin\$(XA.Build.Configuration)\dotnet\packs\Microsoft.Android*\**\?(*.dll|*.pdb)
+ TargetFolder: $(Build.StagingDirectory)\apiscan
+ OverWrite: true
+ flattenFolders: true
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
+
+ - pwsh: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse
+ displayName: List Files for APIScan
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
+
+ ### Run latest version of APIScan listed at https://www.1eswiki.com/wiki/APIScan_Build_Task
+ - task: APIScan@2
+ displayName: Run APIScan
+ inputs:
+ softwareFolder: $(Build.StagingDirectory)\apiscan
+ symbolsFolder: 'SRV*http://symweb;$(Build.StagingDirectory)\apiscan'
+ softwareName: $(ApiScanName)
+ softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)-$(Rev:r)
+ isLargeApp: true
+ toolVersion: Latest
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
+ env:
+ AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
From ab7a9b3fc1082b03f73efeed21484707bf1ae11d Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Dec 2023 14:37:25 -0700
Subject: [PATCH 07/11] Revert build pool change
---
 build-tools/automation/azure-pipelines-nightly.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 3ceab1e39e0..5d2e3ef909b 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -37,8 +37,8 @@ stages:
 - job: mac_build_create_installers
 displayName: macOS > Create Installers
 pool:
- name: Azure Pipelines
- vmImage: internal-macos12
+ name: VSEng-Xamarin-RedmondMac-Android-Untrusted
+ demands: macOS.Name -equals Monterey
 timeoutInMinutes: 420
 workspace:
 clean: all
@@ -48,8 +48,6 @@ stages:
 - group: xamops-azdev-secrets
 - name: Codeql.Enabled
 value: true
- - name: ApiScan.Enabled
- value: true
 steps:
 - checkout: self
 submodules: recursive
From 0367206deeae6d824cf8c6c0c5addf46508912a9 Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 20 Dec 2023 15:19:28 -0700
Subject: [PATCH 08/11] Fix copy path
---
 build-tools/automation/azure-pipelines-nightly.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 5d2e3ef909b..f732d5dba67 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
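Review bot: Nothing in the new `api_scan` job fails when the staging folder ends up empty: `CopyFiles@2` succeeds when `Contents` matches nothing, the `pwsh: Get-ChildItem` step only prints, and `APIScan@2` is then pointed at a folder with no binaries, so a wrong `Contents` path (as happens here, corrected in PATCH 08) yields a green compliance stage that scanned nothing. Replacing the listing step with a check that errors on an empty folder makes that visible, as sketched below. Separately, `ApiScan.Enabled` is hard-coded to `true` in the job's `variables:`, so the `eq(variables['ApiScan.Enabled'], 'true')` term in each `condition` is always true inside this job; if it is meant as a switch it should come from a pipeline parameter or the variable group instead. The job `dependsOn: mac_build` but no artifact download is visible in the hunk, so presumably `yaml-templates/setup-test-environment.yaml` fetches `bin\$(XA.Build.Configuration)`, which I cannot confirm from here.
```yaml
    - pwsh: |
        $files = Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse -File
        if (-not $files) { throw "No files were collected for APIScan; check the CopyFiles Contents pattern." }
        $files | ForEach-Object { $_.FullName }
      displayName: List Files for APIScan
      condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
```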
@@ -309,7 +309,7 @@ stages:
 - task: CopyFiles@2
 displayName: Collect Files for APIScan
 inputs:
- Contents: $(System.DefaultWorkingDirectory)\xamarin-android\bin\$(XA.Build.Configuration)\dotnet\packs\Microsoft.Android*\**\?(*.dll|*.pdb)
+ Contents: $(System.DefaultWorkingDirectory)\bin\$(XA.Build.Configuration)\dotnet\packs\Microsoft.Android*\**\?(*.dll|*.pdb)
 TargetFolder: $(Build.StagingDirectory)\apiscan
 OverWrite: true
 flattenFolders: true
From 7595c3ea0a1bd1529db7f1613e87541f9dc24bca Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Thu, 21 Dec 2023 09:57:52 -0700
Subject: [PATCH 09/11] bump timeout
---
 build-tools/automation/azure-pipelines-nightly.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index f732d5dba67..153770fdda6 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -291,7 +291,7 @@ stages:
 pool:
 name: Azure Pipelines
 vmImage: windows-2022
- timeoutInMinutes: 180
+ timeoutInMinutes: 480
 workspace:
 clean: all
 variables:
From 8eb3db3951d724efcfc7a535ec4611205db2c29b Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Tue, 2 Jan 2024 15:18:15 -0800
Subject: [PATCH 10/11] Add guardian post build actions
---
 .../automation/azure-pipelines-nightly.yaml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 153770fdda6..44515cbee20 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
@@ -332,3 +332,25 @@ stages:
 condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
 env:
 AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+
+ - task: SdtReport@2
+ displayName: Guardian Export - Security Report
+ inputs:
+ GdnExportAllTools: false
+ GdnExportGdnToolApiScan: true
+ GdnExportOutputSuppressionFile: source.gdnsuppress
+
+ - task: PublishSecurityAnalysisLogs@3
+ displayName: Publish Guardian Artifacts
+ inputs:
+ ArtifactName: APIScan Logs
+ ArtifactType: Container
+ AllTools: false
+ APIScan: true
+ ToolLogsNotFoundAction: Warning
+
+ - task: PostAnalysis@2
+ displayName: Fail Build on Guardian Issues
+ inputs:
+ GdnBreakAllTools: false
+ GdnBreakGdnToolApiScan: true
From 73ec4923f9a4b9b874b11ae9d79dbe1bab88726e Mon Sep 17 00:00:00 2001
From: Peter Collins
Date: Wed, 3 Jan 2024 10:43:16 -0800
Subject: [PATCH 11/11] Fix conditions
---
 build-tools/automation/azure-pipelines-nightly.yaml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/build-tools/automation/azure-pipelines-nightly.yaml b/build-tools/automation/azure-pipelines-nightly.yaml
index 44515cbee20..bbf13e27974 100644
--- a/build-tools/automation/azure-pipelines-nightly.yaml
+++ b/build-tools/automation/azure-pipelines-nightly.yaml
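Review bot: The three Guardian steps added here report on a scan that may have produced nothing, and none of them makes that visible: `PublishSecurityAnalysisLogs@3` is configured with `ToolLogsNotFoundAction: Warning`, and `PostAnalysis@2` with `GdnBreakGdnToolApiScan: true` breaks only on reported findings, so a run whose `APIScan@2` step scanned an empty folder finishes with at most a warning. If the task accepts it, `ToolLogsNotFoundAction: Error` turns a missing result into a failure instead. `GdnExportOutputSuppressionFile: source.gdnsuppress` names the file whose entries are dropped from the export, so edits to that file deserve the same review as code, since an added suppression silently removes a finding from the report. The `steps:` list of the `api_scan` job starts outside the hunk.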
@@ -313,11 +313,11 @@ stages:
 TargetFolder: $(Build.StagingDirectory)\apiscan
 OverWrite: true
 flattenFolders: true
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
 
 - pwsh: Get-ChildItem -Path "$(Build.StagingDirectory)\apiscan" -Recurse
 displayName: List Files for APIScan
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
 
 ### Run latest version of APIScan listed at https://www.1eswiki.com/wiki/APIScan_Build_Task
 - task: APIScan@2
@@ -329,7 +329,7 @@ stages:
 softwareVersionNum: $(Build.SourceBranchName)-$(Build.SourceVersion)-$(Rev:r)
 isLargeApp: true
 toolVersion: Latest
- condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/dev/pjc/nightly-apiscan'))
+ condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
 env:
 AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
@@ -339,6 +339,7 @@ stages:
 GdnExportAllTools: false
 GdnExportGdnToolApiScan: true
 GdnExportOutputSuppressionFile: source.gdnsuppress
+ condition: and(succeededOrFailed(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
 
 - task: PublishSecurityAnalysisLogs@3
 displayName: Publish Guardian Artifacts
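Review bot: After this change the same three-term `condition` is repeated on six steps of the `api_scan` job (the three hunks here and the `PostAnalysis@2` hunk that follows), differing only in `succeeded()` versus `succeededOrFailed()`; a job-level `condition: and(succeeded(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))` on `api_scan` would carry the branch and enable checks once, leaving each step with just `condition: succeeded()` or `condition: succeededOrFailed()`. That also keeps the branch guard from drifting again, which is what this commit corrects. With `succeededOrFailed()` the reporting steps now run even when `APIScan@2` itself failed, which is the right choice for publishing logs, but `PostAnalysis@2` then also passes a run in which the scan never produced output; that is a property of the task rather than of this hunk. The enclosing job definition starts outside the hunk.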
@@ -348,9 +349,11 @@ stages:
 AllTools: false
 APIScan: true
 ToolLogsNotFoundAction: Warning
+ condition: and(succeededOrFailed(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
 
 - task: PostAnalysis@2
 displayName: Fail Build on Guardian Issues
 inputs:
 GdnBreakAllTools: false
 GdnBreakGdnToolApiScan: true
+ condition: and(succeededOrFailed(), eq(variables['ApiScan.Enabled'], 'true'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))