From 4591bda0d9fda516b7a448ff3283b5e5427620ee Mon Sep 17 00:00:00 2001
From: Ravi Eda
Date: Wed, 21 Jun 2017 21:32:08 -0500
Subject: [PATCH] Add security build definitions. Commit migrated from
---
 .../DotNet-Core-Setup-Security-Windows.json | 568 +++++++++++++++++++++
 src/installer/buildpipeline/security/dir.props | 4 +
 src/installer/buildpipeline/security/pipeline.json | 22 +
 .../buildpipeline/security/syncAzure.proj | 20 +
 .../buildpipeline/security/syncAzure.targets | 29 ++
 5 files changed, 643 insertions(+)
 create mode 100644 src/installer/buildpipeline/security/DotNet-Core-Setup-Security-Windows.json
 create mode 100644 src/installer/buildpipeline/security/dir.props
 create mode 100644 src/installer/buildpipeline/security/pipeline.json
 create mode 100644 src/installer/buildpipeline/security/syncAzure.proj
 create mode 100644 src/installer/buildpipeline/security/syncAzure.targets
diff --git a/src/installer/buildpipeline/security/DotNet-Core-Setup-Security-Windows.json b/src/installer/buildpipeline/security/DotNet-Core-Setup-Security-Windows.json
new file mode 100644
index 0000000..1f8b65e
--- /dev/null
+++ b/src/installer/buildpipeline/security/DotNet-Core-Setup-Security-Windows.json
@@ -0,0 +1,568 @@
+{
+ "build": [
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Run clean.cmd",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "d9bafed4-0b18-4f58-968d-86655b4d2ce9",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "filename": "clean.cmd",
+ "arguments": "-all",
+ "workingFolder": "$(Build.SourcesDirectory)",
+ "failOnStandardError": "false"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": false,
+ "alwaysRun": false,
+ "displayName": "Download Packages",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "c6c4c611-aa2e-4a33-b606-5eaba2196824",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "solution": "$(Build.SourcesDirectory)\\buildpipeline\\security\\syncAzure.proj",
+ "msbuildLocationMethod": "version",
+ "msbuildVersion": "15.0",
+ "msbuildArchitecture": "x64",
+ "msbuildLocation": "",
+ "platform": "x64",
+ "configuration": "$(BuildConfiguration)",
+ "msbuildArguments": "/p:AzureAccount=\"$(PB_CloudDropAccountName)\" /p:AzureToken=\"$(PB_CloudDropAccessToken)\" /p:BlobName=\"$(PB_BlobName)\" /verbosity:diag",
+ "clean": "false",
+ "maximumCpuCount": "false",
+ "restoreNugetPackages": "false",
+ "logProjectEvents": "false",
+ "createLogFile": "false"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Extract downloaded nupkgs",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "scriptType": "inlineScript",
+ "scriptName": "",
+ "arguments": "$(Build.SourcesDirectory)",
+ "workingFolder": "$(Build.SourcesDirectory)",
+ "inlineScript": "param($SrcDir)\n$secDir = Join-Path \"$SrcDir\" \"security\"\n$pkgDir = \"$SrcDir\\packages\\AzureTransfer\"\ngci \"$pkgDir\\*.nupkg\" | rename-item -newname { [io.path]::ChangeExtension($, \"zip\") }\ngci \"$pkgDir\\*.zip\" | % {\n$dstDir = Join-Path \"$secDir\" $($_.BaseName)\nExpand-Archive -Path $($_.FullName) -DestinationPath \"$dstDir\" -Force\n}\n",
+ "failOnStandardError": "true"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": false,
+ "alwaysRun": false,
+ "displayName": "List all files",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "scriptType": "inlineScript",
+ "scriptName": "",
+ "arguments": "$(Build.SourcesDirectory)",
+ "workingFolder": "$(Build.SourcesDirectory)",
+ "inlineScript": "param($SrcDir)\n$fileCount = 0\ngci $SrcDir -recurse | % {\nWrite-Host $($_.FullName)\n$fileCount += 1\n}\nWrite-Host \"File Count: $fileCount\"\n",
+ "failOnStandardError": "true"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Remove files other than DLLs, PDBs and TXT",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "scriptType": "inlineScript",
+ "scriptName": "",
+ "arguments": "$(Build.SourcesDirectory)",
+ "workingFolder": "$(Build.SourcesDirectory)",
+ "inlineScript": "param($SrcDir)\n$secDir = Join-Path \"$SrcDir\" \"security\"\n$extList = \".dll\", \".pdb\", \".txt\"\ngci $secDir -Recurse | where { !$_.PSIsContainer } | % {\nif ($extList -inotcontains $_.Extension)\n{\n rm $_.FullName -Force -ErrorAction SilentlyContinue\n Write-Host \"Removed $($_.FullName)\"\n}\n}\n\n",
+ "failOnStandardError": "true"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Workaround for long path - DELETE files with path length greater than or equal to 240 characters",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "scriptType": "inlineScript",
+ "scriptName": "",
+ "arguments": "$(Build.SourcesDirectory)",
+ "workingFolder": "$(Build.SourcesDirectory)",
+ "inlineScript": "param($SrcDir)\n$longPath = New-Object System.Collections.ArrayList\ngci \"$SrcDir\\*\" -recurse | where {!$_.PSIsContainer} | % {\nif ($($_.FullName.Length) -ge 240)\n{\n$longPath.Add($($_.Directory.FullName)) | Out-Null\n}\n}\n$longPath | % {\nStart-Process \"cmd\" -ArgumentList \"/c rd /S /Q $_\" -Wait\nWrite-Host \"DELETED $_\"\n}\n",
+ "failOnStandardError": "true"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": false,
+ "alwaysRun": false,
+ "displayName": "List all files - post delete",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "scriptType": "inlineScript",
+ "scriptName": "",
+ "arguments": "$(Build.SourcesDirectory)",
+ "workingFolder": "$(Build.SourcesDirectory)",
+ "inlineScript": "param($SrcDir)\n$fileCount = 0\ngci $SrcDir -recurse | % {\nWrite-Host $($_.FullName)\n$fileCount += 1\n}\nWrite-Host \"File Count: $fileCount\"\n",
+ "failOnStandardError": "true"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Run BinSkim ",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "3056813a-40e9-4b2f-8f6b-612d1bc4e045",
+ "versionSpec": "3.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "InputType": "CommandLine",
+ "arguments": "analyze security\\*.dll --recurse --sympath security\\*.pdb --verbose --statistics",
+ "Function": "analyze",
+ "AnalyzeTarget": "$(Build.ArtifactStagingDirectory)",
+ "AnalyzeSymPath": "",
+ "AnalyzeConfigPath": "default",
+ "AnalyzePluginPath": "",
+ "AnalyzeRecurse": "true",
+ "AnalyzeVerbose": "true",
+ "AnalyzeHashes": "true",
+ "AnalyzeStatistics": "false",
+ "AnalyzeEnvironment": "false",
+ "ExportRulesOutputType": "SARIF",
+ "DumpTarget": "$(Build.ArtifactStagingDirectory)",
+ "DumpRecurse": "true",
+ "DumpVerbose": "true",
+ "toolVersion": "Latest"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Run APIScan",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "9adea2b1-3752-438c-80c6-a6f0a812abdd",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "targetMode": "binarysym",
+ "softwareFolder": "$(Build.SourcesDirectory)\\security",
+ "mpdFolder": "",
+ "softwareName": "Core-Setup",
+ "softwareVersionNum": "$(PB_BuildNumber)",
+ "softwareBuildNum": "$(PB_BuildNumber)",
+ "modeType": "prerelease",
+ "noCopySymbols": "false",
+ "noCopyBinaries": "false",
+ "noDecompress": "true",
+ "exclusionList": "",
+ "email": "",
+ "symbolsFolder": "$(Build.SourcesDirectory)\\security",
+ "preBbtBinariesFolder": "",
+ "preBbtSymbolsFolder": "",
+ "isLargeApp": "false",
+ "analyzerTimeout": "00:00:00",
+ "preserveTempFiles": "false",
+ "toolVersion": "Latest"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": false,
+ "alwaysRun": false,
+ "displayName": "git checkout",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "e213ff0f-5d5c-4791-802d-52ea3e7be1f1",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "scriptType": "inlineScript",
+ "scriptName": "",
+ "arguments": "$(Build.SourcesDirectory) \"$(PB_Git)\"",
+ "workingFolder": "$(Build.SourcesDirectory)",
+ "inlineScript": "param($SrcDir, $git)\n$pkgExtPath= Join-Path \"$SrcDir\" \"security\"\ngci \"$pkgExtPath\\version.txt\" -Recurse | % { \n$sha = gc $_\nWrite-Host \"$sha\"\nif (-not [string]::IsNullOrWhiteSpace($sha))\n{\nStart-Process \"$git\" -ArgumentList \"checkout -- .\" -Wait -Verbose -ErrorAction Stop\nStart-Process \"$git\" -ArgumentList \"checkout $sha\" -Wait -Verbose -ErrorAction Stop\nWrite-Host \"Checked out at $sha\"\nbreak\n}\n}",
+ "failOnStandardError": "true"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Run CredScan",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "ea576cd4-c61f-48f8-97e7-a3cb07b90a6f",
+ "versionSpec": "2.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "outputFormat": "pre",
+ "toolVersion": "Latest",
+ "scanFolder": "$(Build.SourcesDirectory)",
+ "searchersFileType": "Default",
+ "searchersFile": "",
+ "suppressionsFile": "",
+ "suppressAsError": "false",
+ "batchSize": ""
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Run PoliCheck",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "d785890c-0d0d-46bd-8167-8fa9d49990c7",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "inputType": "Basic",
+ "cmdLineArgs": "/F:$(Build.SourcesDirectory) /T:9 /O:PoliCheck.xml",
+ "targetType": "F",
+ "targetArgument": "$(Build.SourcesDirectory)",
+ "importEx": "0",
+ "termTypeT": "0029a9",
+ "termTypeTCustom": "9",
+ "termTypeK": "",
+ "termTypeL": "",
+ "EXGT": "false",
+ "result": "PoliCheck.xml",
+ "optionsFC": "1",
+ "optionsXS": "1",
+ "optionsCTGLEN": "",
+ "optionsSEV": "",
+ "optionsPE": "",
+ "optionsHMENABLE": "",
+ "optionsHPATH": "",
+ "optionsHVER": "",
+ "optionsRulesDBPath": "",
+ "optionsRule": "",
+ "optionsXCLASS": "",
+ "optionsTASKNAME": "",
+ "optionsWORKINGDIRECTORY": "",
+ "optionsFTPATH": "",
+ "optionsD": "",
+ "optionsB1": "",
+ "optionsB2": "",
+ "optionsB3": "",
+ "optionsOCDB": "",
+ "toolVersion": "Latest"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Post Analysis",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "f5679091-e6da-4974-a8dc-0eec03a8ea63",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "APIScan": "true",
+ "BinScope": "false",
+ "BinSkim": "true",
+ "BinSkimBreakOn": "Error",
+ "CredScan": "true",
+ "FortifySCA": "false",
+ "FxCop": "false",
+ "FxCopBreakOn": "ErrorAbove",
+ "ModernCop": "false",
+ "ModernCopBreakOn": "Error",
+ "PoliCheck": "true",
+ "PoliCheckBreakOn": "Severity1",
+ "SDLNativeRules": "false"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Publish Security Analysis Logs",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "4096c760-3a8a-435d-9689-88c0311bbc0e",
+ "versionSpec": "2.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "ArtifactName": "CodeAnalysisLogs",
+ "ArtifactType": "Container",
+ "TargetPath": "\\\\my\\share\\$(Build.DefinitionName)\\$(Build.BuildNumber)",
+ "RvName": "",
+ "ProductComponentName": "",
+ "ProductVersionNumber": "",
+ "PlatformName": "",
+ "SDLToolName": "",
+ "SDLToolResultFile": ""
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "TSA upload to Codebase: DotNet-Core-Setup-Trusted_$(CodeBase) Stamp: Azure",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "3da26988-bb64-4a23-8f06-45531d297dae",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "codebase": "NewOrUpdate",
+ "tsaStamp": "Azure",
+ "tsaWebApiUrl": "$(TSAStamp)",
+ "codeBaseName": "DotNet-Core-Setup-Trusted_$(CodeBase)",
+ "notificationAlias": "$(NotificationAlias)",
+ "codeBaseAdmins": "NORTHAMERICA\\raeda",
+ "instanceUrlAzure": "MSAZURE",
+ "instanceUrlDevDiv": "DEVDIV",
+ "projectNameMSAZURE": "One",
+ "projectNameIDENTITYDIVISION": "",
+ "projectNameDEVDIV": "DevDiv",
+ "areaPath": "One\\DevDiv\\DotNetCore",
+ "iterationPath": "One",
+ "uploadAPIScan": "true",
+ "uploadBinScope": "false",
+ "uploadBinSkim": "true",
+ "uploadCredScan": "true",
+ "uploadFortifySCA": "false",
+ "uploadFxCop": "false",
+ "uploadModernCop": "false",
+ "uploadPoliCheck": "true",
+ "uploadPREfast": "false",
+ "validateToolOutput": "Warning",
+ "validateCompatibility": "Error",
+ "uploadAsync": "true"
+ }
+ },
+ {
+ "enabled": true,
+ "continueOnError": true,
+ "alwaysRun": false,
+ "displayName": "Run clean.cmd",
+ "timeoutInMinutes": 0,
+ "condition": "succeeded()",
+ "task": {
+ "id": "d9bafed4-0b18-4f58-968d-86655b4d2ce9",
+ "versionSpec": "1.*",
+ "definitionType": "task"
+ },
+ "inputs": {
+ "filename": "clean.cmd",
+ "arguments": "-all",
+ "workingFolder": "$(Build.SourcesDirectory)",
+ "failOnStandardError": "false"
+ }
+ }
+ ],
+ "options": [
+ {
+ "enabled": false,
+ "definition": {
+ "id": "5bc3cfb7-6b54-4a4b-b5d2-a3905949f8a6"
+ },
+ "inputs": {}
+ },
+ {
+ "enabled": false,
+ "definition": {
+ "id": "7c555368-ca64-4199-add6-9ebaf0b0137d"
+ },
+ "inputs": {
+ "multipliers": "[]",
+ "parallel": "false",
+ "continueOnError": "true",
+ "additionalFields": "{}"
+ }
+ },
+ {
+ "enabled": false,
+ "definition": {
+ "id": "a9db38f9-9fdc-478c-b0f9-464221e58316"
+ },
+ "inputs": {
+ "workItemType": "234347",
+ "assignToRequestor": "true",
+ "additionalFields": "{}"
+ }
+ },
+ {
+ "enabled": false,
+ "definition": {
+ "id": "57578776-4c22-4526-aeb0-86b6da17ee9c"
+ },
+ "inputs": {}
+ },
+ {
+ "enabled": false,
+ "definition": {
+ "id": "5d58cc01-7c75-450c-be18-a388ddb129ec"
+ },
+ "inputs": {
+ "branchFilters": "[\"+refs/heads/*\"]",
+ "additionalFields": "{}"
+ }
+ }
+ ],
+ "variables": {
+ "system.debug": {
+ "value": "false"
+ }
+ },
+ "demands": [
+ "Agent.OS -equals windows_nt",
+ "msbuild"
+ ],
+ "retentionRules": [
+ {
+ "branches": [
+ "+refs/heads/*"
+ ],
+ "artifacts": [
+ "build.SourceLabel"
+ ],
+ "artifactTypesToDelete": [],
+ "daysToKeep": 10,
+ "minimumToKeep": 1,
+ "deleteBuildRecord": true,
+ "deleteTestResults": true
+ }
+ ],
+ "_links": {
+ "self": {
+ "href": ""
+ },
+ "web": {
+ "href": ""
+ },
+ "editor": {
+ "href": ""
+ },
+ "badge": {
+ "href": ""
+ }
+ },
+ "buildNumberFormat": "$(date:yyyyMMdd)$(rev:-rr)",
+ "jobAuthorizationScope": 1,
+ "jobTimeoutInMinutes": 600,
+ "jobCancelTimeoutInMinutes": 5,
+ "badgeEnabled": true,
+ "repository": {
+ "properties": {
+ "cleanOptions": "3",
+ "labelSources": "0",
+ "labelSourcesFormat": "$(build.buildNumber)",
+ "reportBuildStatus": "true",
+ "gitLfsSupport": "false",
+ "skipSyncSource": "false",
+ "checkoutNestedSubmodules": "false",
+ "fetchDepth": "0"
+ },
+ "id": "c19ea379-feb7-4ca5-8f7f-5f2b5095ea62",
+ "type": "TfsGit",
+ "name": "DotNet-Core-Setup-Trusted",
+ "url": "",
+ "defaultBranch": "refs/heads/sync",
+ "clean": "true",
+ "checkoutSubmodules": false
+ },
+ "processParameters": {},
+ "quality": "definition",
+ "authoredBy": {
+ "id": "9d5fdf9f-36b6-4d0c-a12e-2737a673af94",
+ "displayName": "Ravi Eda",
+ "uniqueName": "",
+ "url": "",
+ "imageUrl": ""
+ },
+ "queue": {
+ "id": 36,
+ "name": "DotNet-Build",
+ "pool": {
+ "id": 39,
+ "name": "DotNet-Build"
+ }
+ },
+ "id": 6661,
+ "name": "DotNet-Core-Setup-Security-Windows",
+ "url": "",
+ "uri": "vstfs:///Build/Definition/6661",
+ "path": "\\",
+ "type": 2,
+ "revision": 2,
+ "createdDate": "2017-06-21T21:58:12.397Z",
+ "project": {
+ "id": "0bdbc590-a062-4c3f-b0f6-9383f67865ee",
+ "name": "DevDiv",
+ "description": "Visual Studio and DevDiv team project for git source code repositories. Work items will be added for Adams, Dev14 work items are tracked in vstfdevdiv. ",
+ "url": "",
+ "state": "wellFormed",
+ "revision": 418097676,
+ "visibility": 0
+ }
+}
diff --git a/src/installer/buildpipeline/security/dir.props b/src/installer/buildpipeline/security/dir.props
new file mode 100644
index 0000000..9024fa7
--- /dev/null
+++ b/src/installer/buildpipeline/security/dir.props
@@ -0,0 +1,4 @@
+ + + +
\ No newline at end of file
diff --git a/src/installer/buildpipeline/security/pipeline.json b/src/installer/buildpipeline/security/pipeline.json
new file mode 100644
index 0000000..07a18fa
--- /dev/null
+++ b/src/installer/buildpipeline/security/pipeline.json
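Review bot: The "Download Packages" step passes the storage credential on the MSBuild command line (`/p:AzureToken="$(PB_CloudDropAccessToken)"`) together with `/verbosity:diag`; diagnostic verbosity echoes global properties into the build log, so the token is written into logs that outlive the job and are readable by anyone who can open the build. Drop the switch (`/verbosity:minimal`) and keep PB_CloudDropAccessToken defined as a secret variable so the agent masks it wherever it does appear. The "git checkout" step takes `$sha` from a version.txt found inside the downloaded packages and runs `Start-Process "$git" -ArgumentList "checkout $sha"` without `-PassThru` or an exit-code check, so a malformed or unknown SHA leaves CredScan and PoliCheck scanning the default `refs/heads/sync` tree while the step reports success; validate with `if ($sha -notmatch '^[0-9a-fA-F]{7,40}$') { throw "unexpected version.txt content" }` and throw on a non-zero `$proc.ExitCode` from the `-PassThru` result. Note also that `continueOnError: true` on the "Post Analysis" step means the BinSkimBreakOn/PoliCheckBreakOn thresholds cannot actually fail this build, which is presumably not the intent of a security gate.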
@@ -0,0 +1,22 @@
+{
+ "Repository": "corefx",
+ "Definitions": {
+ "Path": ".",
+ "Type": "VSTS",
+ "BaseUrl": "",
+ "SkipBranchAndVersionOverrides": "false"
+ },
+ "Pipelines": [
+ {
+ "Name": "Security Build for Windows",
+ "Parameters": {
+ "TreatWarningsAsErrors": "false"
+ },
+ "Definitions": [
+ {
+ "Name": "DotNet-Core-Setup-Security-Windows"
+ }
+ ]
+ }
+ ]
+}
diff --git a/src/installer/buildpipeline/security/syncAzure.proj b/src/installer/buildpipeline/security/syncAzure.proj
new file mode 100644
index 0000000..7eaa6ed
--- /dev/null
+++ b/src/installer/buildpipeline/security/syncAzure.proj
@@ -0,0 +1,20 @@
+ + + + + + dotnet + $(PackagesDir)AzureTransfer + + + + + + + + + + + + +
diff --git a/src/installer/buildpipeline/security/syncAzure.targets b/src/installer/buildpipeline/security/syncAzure.targets
new file mode 100644
index 0000000..0bdd148
--- /dev/null
+++ b/src/installer/buildpipeline/security/syncAzure.targets
@@ -0,0 +1,29 @@
+ + + + + + + $(PackagesDir)/AzureTransfer + + + + + + + + + <_CoreHostPackages Include="%(_BlobList.Identity)" Condition="'%(_BlobList.Extension)' == '.nupkg'" /> + + + + +
\ No newline at end of file
-- 
2.7.4
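Review bot: `"Repository": "corefx"` in pipeline.json looks copied from the corefx pipeline definition, while this file lives under src/installer/buildpipeline/security and wires up `DotNet-Core-Setup-Security-Windows`; unless the pipeline tooling deliberately keys on corefx, it should name the core-setup repository, otherwise branch/version overrides resolve against the wrong repo. The syncAzure.proj and syncAzure.targets hunks below have lost their XML element text in this rendering, so the download logic that consumes the AzureToken property cannot be reviewed here.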