NotificationsYou must be signed in to change notification settings
Fork7.7k
Star48k

Commit211c051

committed

Add CodeQL scanning to APIScan build (#24303)

* Enable CodeQL in the APIScan build* fix indentation* fix build name* Manually add CodeQL* enable TSA directly in codeql* update codeql source code directory* go back to version 0* switch to variable to configure source code root* Update .pipelines/apiscan-gen-notice.yml

1 parent32511eb commit211c051Copy full SHA for 211c051

File tree

2 files changed

+69

-31

lines changed

.pipelines
- apiscan-gen-notice.yml
- templates/compliance
  - apiscan.yml

2 files changed

+69

-31

lines changed

`‎.pipelines/apiscan-gen-notice.yml`

Lines changed: 29 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -1,8 +1,14 @@`
`1`	`1`	`# Copyright (c) Microsoft Corporation.`
`2`	`2`	`# Licensed under the MIT License.`
`3`		`-`
	`3`	`+name:apiscan-genNotice-$(BUILD.SOURCEBRANCHNAME)-$(Build.BuildId)`
`4`	`4`	`trigger:none`
`5`	`5`
	`6`	`+parameters:`
	`7`	`+ -name:FORCE_CODEQL`
	`8`	`+displayName:Debugging - Enable CodeQL and set cadence to 1 hour`
	`9`	`+type:boolean`
	`10`	`+default:false`
	`11`	`+`
`6`	`12`	`variables:`
`7`	`13`	`-name:ob_outputDirectory`
`8`	`14`	`value:'$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'`
`@@ -17,6 +23,24 @@ variables:`
`17`	`23`	`value:onebranch.azurecr.io/linux/ubuntu-2004:latest`
`18`	`24`	`-name:WindowsContainerImage`
`19`	`25`	`value:onebranch.azurecr.io/windows/ltsc2022/vse2022:latest`
	`26`	`+ -${{ if eq(parameters['FORCE_CODEQL'],'true') }}:`
	`27`	`+# Cadence is hours before CodeQL will allow a re-upload of the database`
	`28`	`+ -name:CodeQL.Cadence`
	`29`	`+value:0`
	`30`	`+ -name:CODEQL_ENABLED`
	`31`	`+${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}:`
	`32`	`+value:true`
	`33`	`+${{ else }}:`
	`34`	`+value:false`
	`35`	`+ -name:Codeql.TSAEnabled`
	`36`	`+value:$(CODEQL_ENABLED)`
	`37`	`+# AnalyzeInPipeline: false = upload results`
	`38`	`+# AnalyzeInPipeline: true = do not upload results`
	`39`	`+ -name:Codeql.AnalyzeInPipeline`
	`40`	`+${{ if or(eq(variables['Build.SourceBranch'], 'refs/heads/master'), eq(parameters['FORCE_CODEQL'],'true')) }}:`
	`41`	`+value:false`
	`42`	`+${{ else }}:`
	`43`	`+value:true`
`20`	`44`
`21`	`45`	`resources:`
`22`	`46`	`repositories:`
`@@ -32,8 +56,10 @@ extends:`
`32`	`56`	`WindowsHostVersion:`
`33`	`57`	`Version:2022`
`34`	`58`	`globalSdl:`
`35`		`-compiled:`
`36`		`-enabled:true`
	`59`	`+codeql:`
	`60`	`+compiled:`
	`61`	`+enabled:$(CODEQL_ENABLED)`
	`62`	`+tsaEnabled:$(CODEQL_ENABLED)# This enables TSA bug filing only for CodeQL 3000`
`37`	`63`	`armory:`
`38`	`64`	`enabled:false`
`39`	`65`	`sbom:`

`‎.pipelines/templates/compliance/apiscan.yml`

Lines changed: 40 additions & 28 deletions

Original file line number	Diff line number	Diff line change
`@@ -4,34 +4,36 @@`
`4`	`4`	`jobs:`
`5`	`5`	`-job:APIScan`
`6`	`6`	`variables:`
`7`		`- -name:runCodesignValidationInjection`
`8`		`-value:false`
`9`		`- -name:NugetSecurityAnalysisWarningLevel`
`10`		`-value:none`
`11`		`- -name:ReleaseTagVar`
`12`		`-value:fromBranch`
`13`		`-# Defines the variables APIScanClient, APIScanTenant and APIScanSecret`
`14`		`- -group:PS-PS-APIScan`
`15`		`-# PAT permissions NOTE: Declare a SymbolServerPAT variable in this group with a 'microsoft' organizanization scoped PAT with 'Symbols' Read permission.`
`16`		`-# A PAT in the wrong org will give a single Error 203. No PAT will give a single Error 401, and individual pdbs may be missing even if permissions are correct.`
`17`		`- -group:symbols`
`18`		`- -name:branchCounterKey`
`19`		`-value:$[format('{0:yyyyMMdd}-{1}', pipeline.startTime,variables['Build.SourceBranch'])]`
`20`		`- -name:branchCounter`
`21`		`-value:$[counter(variables['branchCounterKey'], 1)]`
`22`		`- -group:DotNetPrivateBuildAccess`
`23`		`- -group:Azure Blob variable group`
`24`		`- -group:ReleasePipelineSecrets`
`25`		`- -group:mscodehub-feed-read-general`
`26`		`- -group:mscodehub-feed-read-akv`
`27`		`- -name:ob_outputDirectory`
`28`		`-value:'$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'`
`29`		`- -name:repoRoot`
`30`		`-value:'$(Build.SourcesDirectory)\PowerShell'`
`31`		`- -name:ob_sdl_tsa_configFile`
`32`		`-value:$(Build.SourcesDirectory)\PowerShell\.config\tsaoptions.json`
`33`		`- -name:ob_sdl_credscan_suppressionsFile`
`34`		`-value:$(Build.SourcesDirectory)\PowerShell\.config\suppress.json`
	`7`	`+ -name:runCodesignValidationInjection`
	`8`	`+value:false`
	`9`	`+ -name:NugetSecurityAnalysisWarningLevel`
	`10`	`+value:none`
	`11`	`+ -name:ReleaseTagVar`
	`12`	`+value:fromBranch`
	`13`	`+# Defines the variables APIScanClient, APIScanTenant and APIScanSecret`
	`14`	`+ -group:PS-PS-APIScan`
	`15`	`+# PAT permissions NOTE: Declare a SymbolServerPAT variable in this group with a 'microsoft' organizanization scoped PAT with 'Symbols' Read permission.`
	`16`	`+# A PAT in the wrong org will give a single Error 203. No PAT will give a single Error 401, and individual pdbs may be missing even if permissions are correct.`
	`17`	`+ -group:symbols`
	`18`	`+ -name:branchCounterKey`
	`19`	`+value:$[format('{0:yyyyMMdd}-{1}', pipeline.startTime,variables['Build.SourceBranch'])]`
	`20`	`+ -name:branchCounter`
	`21`	`+value:$[counter(variables['branchCounterKey'], 1)]`
	`22`	`+ -group:DotNetPrivateBuildAccess`
	`23`	`+ -group:Azure Blob variable group`
	`24`	`+ -group:ReleasePipelineSecrets`
	`25`	`+ -group:mscodehub-feed-read-general`
	`26`	`+ -group:mscodehub-feed-read-akv`
	`27`	`+ -name:ob_outputDirectory`
	`28`	`+value:'$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'`
	`29`	`+ -name:repoRoot`
	`30`	`+value:'$(Build.SourcesDirectory)\PowerShell'`
	`31`	`+ -name:ob_sdl_tsa_configFile`
	`32`	`+value:$(Build.SourcesDirectory)\PowerShell\.config\tsaoptions.json`
	`33`	`+ -name:ob_sdl_credscan_suppressionsFile`
	`34`	`+value:$(Build.SourcesDirectory)\PowerShell\.config\suppress.json`
	`35`	`+ -name:Codeql.SourceRoot`
	`36`	`+value:$(repoRoot)`
`35`	`37`
`36`	`38`	`pool:`
`37`	`39`	`type:windows`
`@@ -119,6 +121,12 @@ jobs:`
`119`	`121`	`workingDirectory: '$(repoRoot)'`
`120`	`122`	`condition: succeededOrFailed()`
`121`	`123`
	`124`	`+ -task:CodeQL3000Init@0# Add CodeQL Init task right before your 'Build' step.`
	`125`	`+displayName:🔏 CodeQL 3000 Init`
	`126`	`+condition:eq(variables['CODEQL_ENABLED'], 'true')`
	`127`	`+inputs:`
	`128`	`+Language:csharp`
	`129`	`+`
`122`	`130`	`-pwsh:\|`
`123`	`131`	`Import-Module .\build.psm1 -force`
`124`	`132`	`Find-DotNet`
`@@ -136,6 +144,10 @@ jobs:`
`136`	`144`	`workingDirectory: '$(repoRoot)'`
`137`	`145`	`displayName: 'Build PowerShell Source'`
`138`	`146`
	`147`	`+ -task:CodeQL3000Finalize@0# Add CodeQL Finalize task right after your 'Build' step.`
	`148`	`+displayName:🔏 CodeQL 3000 Finalize`
	`149`	`+condition:eq(variables['CODEQL_ENABLED'], 'true')`
	`150`	`+`
`139`	`151`	`-pwsh:\|`
`140`	`152`	`Get-ChildItem -Path env: \| Out-String -width 9999 -Stream \| write-Verbose -Verbose`
`141`	`153`	`workingDirectory: '$(repoRoot)'`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit211c051

File tree

2 files changed

2 files changed

`‎.pipelines/apiscan-gen-notice.yml`

`‎.pipelines/templates/compliance/apiscan.yml`

0 commit comments