dotnet · MichaelSimons · Nov 10, 2022 · Nov 9, 2022 · Nov 9, 2022 · Nov 9, 2022
diff --git a/eng/common/sdl/sdl.ps1 b/eng/common/sdl/sdl.ps1
@@ -0,0 +1,38 @@
+
+function Install-Gdn {
+    param(
+        [Parameter(Mandatory=$true)]
+        [string]$Path,
+
+        # If omitted, install the latest version of Guardian, otherwise install that specific version.
+        [string]$Version
+    )
+
+    $ErrorActionPreference = 'Stop'
+    Set-StrictMode -Version 2.0
+    $disableConfigureToolsetImport = $true
+    $global:LASTEXITCODE = 0
+
+    # `tools.ps1` checks $ci to perform some actions. Since the SDL
+    # scripts don't necessarily execute in the same agent that run the
+    # build.ps1/sh script this variable isn't automatically set.
+    $ci = $true
+    . $PSScriptRoot\..\tools.ps1
+
+    $argumentList = @("install", "Microsoft.Guardian.Cli", "-Source https://securitytools.pkgs.visualstudio.com/_packaging/Guardian/nuget/v3/index.json", "-OutputDirectory $Path", "-NonInteractive", "-NoCache")
+
+    if ($Version) {
+        $argumentList += "-Version $Version"
+    }
+
+    Start-Process nuget -Verbose -ArgumentList $argumentList -NoNewWindow -Wait
+
+    $gdnCliPath = Get-ChildItem -Filter guardian.cmd -Recurse -Path $Path
+
+    if (!$gdnCliPath)
+    {
+        Write-PipelineTelemetryError -Category 'Sdl' -Message 'Failure installing Guardian'
+    }
+
+    return $gdnCliPath.FullName
+}
diff --git a/eng/common/templates/steps/execute-sdl.yml b/eng/common/templates/steps/execute-sdl.yml
@@ -8,29 +8,28 @@ parameters:
   condition: ''
 
 steps:
-- ${{ if ne(parameters.overrideGuardianVersion, '') }}:
-  - powershell: |
-      $content = Get-Content $(GuardianPackagesConfigFile)
-
-      Write-Host "packages.config content was:`n$content"
-
-      $content = $content.Replace('$(DefaultGuardianVersion)', '$(GuardianVersion)')
-      $content | Set-Content $(GuardianPackagesConfigFile)
-
-      Write-Host "packages.config content updated to:`n$content"
-    displayName: Use overridden Guardian version ${{ parameters.overrideGuardianVersion }}
+- task: NuGetAuthenticate@1
+  inputs:
+    nuGetServiceConnections: GuardianConnect
 
 - task: NuGetToolInstaller@1
   displayName: 'Install NuGet.exe'
 
-- task: NuGetCommand@2
-  displayName: 'Install Guardian'
-  inputs:
-    restoreSolution: $(Build.SourcesDirectory)\eng\common\sdl\packages.config
-    feedsToUse: config
-    nugetConfigPath: $(Build.SourcesDirectory)\eng\common\sdl\NuGet.config
-    externalFeedCredentials: GuardianConnect
-    restoreDirectory: $(Build.SourcesDirectory)\.packages
+- ${{ if ne(parameters.overrideGuardianVersion, '') }}:
+  - pwsh: |
+      Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
+      . .\sdl.ps1
+      $guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts -Version ${{ parameters.overrideGuardianVersion }}
+      Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
+    displayName: Install Guardian (Overridden)
+
+- ${{ if eq(parameters.overrideGuardianVersion, '') }}:
+  - pwsh: |
+      Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
+      . .\sdl.ps1
+      $guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts
+      Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
+    displayName: Install Guardian
 
 - ${{ if ne(parameters.overrideParameters, '') }}:
   - powershell: ${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}
@@ -40,7 +39,7 @@ steps:
 
 - ${{ if eq(parameters.overrideParameters, '') }}:
   - powershell: ${{ parameters.executeAllSdlToolsScript }}
-      -GuardianPackageName Microsoft.Guardian.Cli.$(GuardianVersion)
+      -GuardianCliLocation $(GuardianCliLocation)
       -NugetPackageDirectory $(Build.SourcesDirectory)\.packages
       -AzureDevOpsAccessToken $(dn-bot-dotnet-build-rw-code-rw)
       ${{ parameters.additionalParameters }}
@@ -62,7 +61,28 @@ steps:
         c
         i
     condition: succeededOrFailed()
+
   - publish: $(Agent.BuildDirectory)/.gdn
     artifact: GuardianConfiguration
     displayName: Publish GuardianConfiguration
+    condition: succeededOrFailed()
+
+  # Publish the SARIF files in a container named CodeAnalysisLogs to enable integration
+  # with the "SARIF SAST Scans Tab" Azure DevOps extension
+  - task: CopyFiles@2
+    displayName: Copy SARIF files
+    inputs:
+      flattenFolders: true
+      sourceFolder:  $(Agent.BuildDirectory)/.gdn/rc/
+      contents: '**/*.sarif'
+      targetFolder: $(Build.SourcesDirectory)/CodeAnalysisLogs
+    condition: succeededOrFailed()
+
+  # Use PublishBuildArtifacts because the SARIF extension only checks this case
+  # see microsoft/sarif-azuredevops-extension#4
+  - task: PublishBuildArtifacts@1
+    displayName: Publish SARIF files to CodeAnalysisLogs container
+    inputs:
+      pathToPublish:  $(Build.SourcesDirectory)/CodeAnalysisLogs
+      artifactName: CodeAnalysisLogs
     condition: succeededOrFailed()
diff --git a/src/SourceBuild/Arcade/eng/common/templates/job/source-build-run-tarball-build.yml b/src/SourceBuild/Arcade/eng/common/templates/job/source-build-run-tarball-build.yml
@@ -84,22 +84,19 @@ jobs:
         ${{ else }}:
           ${{ parameters.poolInternalAmd64 }}
 
-- ${{ if eq(variables['System.TeamProject'], 'internal') }}:
+- ${{ if and(eq(variables['System.TeamProject'], 'internal'), ne(variables['Build.Reason'], 'PullRequest')) }}:
   - template: /src/SourceBuild/Arcade/eng/common/templates/job/source-build-build-tarball.yml
     parameters:
       architecture: arm64
       dependsOn: ${{ parameters.dependsOn }}
-      ${{ if in(variables['Build.Reason'], 'PullRequest') }}:
-        excludeSdkContentTests: true
       installerBuildResourceId: ${{ parameters.installerBuildResourceId }}
       matrix:
-        ${{ if ne(variables['Build.Reason'], 'PullRequest') }}:
-          Debian9-Offline:
-            _BootstrapPrep: true
-            _Container: ${{ parameters.debian9Arm64Container }}
-            _EnablePoison: false
-            _ExcludeOmniSharpTests: false
-            _RunOnline: false
+        Debian9-Offline:
+          _BootstrapPrep: true
+          _Container: ${{ parameters.debian9Arm64Container }}
+          _EnablePoison: false
+          _ExcludeOmniSharpTests: false
+          _RunOnline: false
       name: Build_Tarball_arm64
       pool: ${{ parameters.poolInternalArm64 }}
 

diff --git a/src/SourceBuild/Arcade/src/SourceBuild.Tasks.csproj b/src/SourceBuild/Arcade/src/SourceBuild.Tasks.csproj
@@ -1,6 +1,6 @@
 <Project Sdk="Microsoft.NET.Sdk">
   <PropertyGroup>
-    <TargetFrameworks>net5.0</TargetFrameworks>
+    <TargetFrameworks>net6.0</TargetFrameworks>
     <EnableDefaultCompileItems>false</EnableDefaultCompileItems>
     <RunAnalyzers>false</RunAnalyzers>
     <Nullable>disable</Nullable>

diff --git a/src/SourceBuild/Arcade/tools/BuildTasks.props b/src/SourceBuild/Arcade/tools/BuildTasks.props
@@ -2,6 +2,6 @@
 <!-- Licensed to the .NET Foundation under one or more agreements. The .NET Foundation licenses this file to you under the MIT license. -->
 <Project>
   <PropertyGroup>
-    <SourceBuildTasksAssembly>$(RepoRoot)\artifacts\bin\SourceBuild.Tasks\$(Configuration)\net5.0\SourceBuild.Tasks.dll</SourceBuildTasksAssembly>
+    <SourceBuildTasksAssembly>$(RepoRoot)\artifacts\bin\SourceBuild.Tasks\$(Configuration)\net6.0\SourceBuild.Tasks.dll</SourceBuildTasksAssembly>
   </PropertyGroup>
 </Project>
diff --git a/src/SourceBuild/tarball/content/repos/fsharp.proj b/src/SourceBuild/tarball/content/repos/fsharp.proj
@@ -27,6 +27,7 @@
 
   <ItemGroup>
     <UseSourceBuiltSdkOverride Include="@(ArcadeSdkOverride)" />
+    <EnvironmentVariables Include="CheckEolTargetFramework=false" />
   </ItemGroup>
 
   <Import Project="Sdk.targets" Sdk="Microsoft.NET.Sdk" />

diff --git a/...and-unsafe-paths-to-be-able-to-appl.patch → ...and-unsafe-paths-to-be-able-to-appl.patch b/...and-unsafe-paths-to-be-able-to-appl.patch → ...and-unsafe-paths-to-be-able-to-appl.patch