diff --git a/scripts/azure-pipelines-complete-internal.yml b/scripts/azure-pipelines-complete-internal.yml index af2d7e5068..394a5de69d 100644 --- a/scripts/azure-pipelines-complete-internal.yml +++ b/scripts/azure-pipelines-complete-internal.yml @@ -39,8 +39,12 @@ parameters: name: Azure Pipelines vmImage: ubuntu-20.04 os: linux + - name: enableSigning + displayName: 'Enable package signing (Test signing)' + type: boolean + default: false - name: runCompliance - displayName: 'Run post-build compliance tasks (such as API Scan)' + displayName: 'Run post-build compliance tasks (such as API Scan and PoliCheck)' type: boolean default: false - name: use1ESPipelineTemplates @@ -77,7 +81,27 @@ extends: parameters: buildPipelineType: 'both' buildExternals: ${{ parameters.buildExternals }} - runCompliance: ${{ parameters.runCompliance }} + enableSigning: ${{ parameters.enableSigning }} + ${{ if eq(parameters.runCompliance, 'true') }}: + sdl: + apiscan: + enabled: true + binskim: + break: false + codeInspector: + enabled: true + credscan: + suppressionsFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json + policheck: + enabled: true + exclusionsFile: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml + spotBugs: + enabled: false + suppression: + suppressionFile: $(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress + tsa: + enabled: true + configFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json use1ESPipelineTemplates: ${{ parameters.use1ESPipelineTemplates }} buildAgentHost: ${{ parameters.buildAgentHost }} buildAgentWindows: ${{ parameters.buildAgentWindows }} diff --git a/scripts/azure-pipelines.yml b/scripts/azure-pipelines.yml index c62f4cb874..30e6bcb5e8 100644 --- a/scripts/azure-pipelines.yml +++ b/scripts/azure-pipelines.yml 
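Review bot: The compliance `sdl` block added under `${{ if eq(parameters.runCompliance, 'true') }}` diverges from the one added to azure-pipelines.yml for the same scanners: here `credscan` carries only `suppressionsFile` with no `enabled: true`, and `binskim` sets only `break: false`, whereas the public pipeline sets `enabled: true` on both. If the 1ES template treats a missing `enabled` as off, a run explicitly requested for compliance would produce no CredScan or BinSkim results while looking configured; either add `enabled: true` to both entries or document why the internal run differs. `binskim.break: false` also makes BinSkim findings non-blocking in that same compliance run, which is defensible (findings presumably reach TSA through the `tsa` entry) but reads as an oversight without a comment such as `# BinSkim reports via TSA but does not fail the build`.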
@@ -46,7 +46,7 @@ parameters: image: 1ESPT-Ubuntu20.04 os: linux - name: runCompliance - displayName: 'Run post-build compliance tasks (such as API Scan)' + displayName: 'Run post-build compliance tasks (such as API Scan and PoliCheck)' type: boolean default: false @@ -76,7 +76,30 @@ extends: parameters: buildPipelineType: 'build' buildExternals: ${{ parameters.buildExternals }} - runCompliance: ${{ parameters.runCompliance }} + ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(variables['System.PullRequest.IsFork'], 'true')) }}: + enableSigning: true + ${{ if or(parameters.runCompliance, and(eq(variables['Build.Reason'], 'Schedule'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')))) }}: + sdl: + apiscan: + enabled: true + binskim: + enabled: true + break: false + codeInspector: + enabled: true + credscan: + enabled: true + # suppressionsFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json + policheck: + enabled: true + exclusionsFile: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml + spotBugs: + enabled: false + suppression: + suppressionFile: $(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress + tsa: + enabled: true + configFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json use1ESPipelineTemplates: true buildAgentHost: ${{ parameters.buildAgentHost }} buildAgentWindows: ${{ parameters.buildAgentWindows }} diff --git a/scripts/azure-templates-bootstrapper.yml b/scripts/azure-templates-bootstrapper.yml index f476be899c..4e9736538e 100644 --- a/scripts/azure-templates-bootstrapper.yml +++ b/scripts/azure-templates-bootstrapper.yml 
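Review bot: `# suppressionsFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json` is left as a commented-out line with no reason, so a reader cannot tell whether CredScan suppressions are deliberately not applied in the public pipeline (azure-pipelines-complete-internal.yml passes the same file). Either drop the line or annotate it, for example `# suppressions intentionally not applied here; the internal pipeline uses CredScanSuppressions.json`. The new condition `or(parameters.runCompliance, and(Schedule, main|release/*))` replaces a guard that also required `System.TeamProject` to be `devdiv` and a non-fork PR; scheduled builds are not PRs, but `runCompliance` can now switch the SDL block on in any project that runs this file, which is fine only as long as queue-time parameters stay restricted to the project's own pipeline.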
@@ -35,6 +35,7 @@ parameters: skipInstall: false # whether or not to install any tools skipSteps: false # whether or not to run any steps use1ESPipelineTemplates: false # whether or not we are building using the internal 1ES Pipeline Templates + sdl: [] # the SDL properties to use for this job jobs: - job: ${{ parameters.name }} @@ -49,11 +50,7 @@ jobs: ${{ if ne(length(parameters.variables), 0) }}: ${{ parameters.variables }} templateContext: - sdl: - spotBugs: - enabled: false - binskim: - break: false + sdl: ${{ parameters.sdl }} outputParentDirectory: 'output' outputs: - ${{ if eq(parameters.shouldPublish, 'true') }}: diff --git a/scripts/azure-templates-linux-matrix.yml b/scripts/azure-templates-linux-matrix.yml index 980d3e4be5..26681ce2d0 100644 --- a/scripts/azure-templates-linux-matrix.yml +++ b/scripts/azure-templates-linux-matrix.yml @@ -3,6 +3,7 @@ parameters: buildPipelineType: 'both' # the type of build pipeline setup buildAgent: '' # the configuration for the build agent use1ESPipelineTemplates: false # whether or not we are building using the internal 1ES Pipeline Templates + sdl: [] # the SDL properties to use for this job builds: - name: '' desc: '' @@ -24,6 +25,7 @@ jobs: parameters: name: ${{ replace(replace(format('native_linux_{0}_{1}_{2}_{3}_linux', item.arch, item.variant, build.name, item.alt), '__', '_'), '__', '_') }} displayName: Linux ${{ replace(replace(replace(replace(replace(format('({0}|{1}|{2}|{3})', item.arch, item.variant, build.name, item.alt), '||', '|'), '||', '|'), '(|', '('), '|)', ')'), '|', ', ') }} + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgent }} diff --git a/scripts/azure-templates-merger.yml b/scripts/azure-templates-merger.yml index 0e2858571d..23b9eb65c2 100644 --- a/scripts/azure-templates-merger.yml +++ b/scripts/azure-templates-merger.yml 
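Review bot: `sdl: []` declares the default as an empty sequence, but every caller in this diff passes a mapping and `templateContext.sdl` held a mapping (`spotBugs`, `binskim` keys) before this change; `sdl: {}` matches the expected shape, and the same `[]` default is repeated in azure-templates-linux-matrix.yml, azure-templates-merger.yml and azure-templates-wasm-matrix.yml. The baked-in defaults removed from `templateContext` (`spotBugs.enabled: false`, `binskim.break: false`) now only apply when the caller threads them through from azure-templates-stages.yml, so a job created from this template without `sdl` hands an empty value to 1ES and gets whatever that template does with it. The parameter comment should say so: `sdl: {}  # SDL properties for this job; empty means no overrides are sent to the 1ES template`.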
@@ -5,12 +5,14 @@ parameters: buildPipelineType: 'both' # the type of build pipeline setup requiredArtifacts: [] # the artifacts that this build needs to download matrixArtifacts: [] # the artifacts that this build needs to download + sdl: [] # the SDL properties to use for this job jobs: - template: /scripts/azure-templates-bootstrapper.yml@self parameters: name: ${{ parameters.name }} displayName: ${{ parameters.displayName }} + sdl: ${{ parameters.sdl }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgent }} skipInstall: true diff --git a/scripts/azure-templates-stages.yml b/scripts/azure-templates-stages.yml index da6fcea289..92863de974 100644 --- a/scripts/azure-templates-stages.yml +++ b/scripts/azure-templates-stages.yml @@ -19,10 +19,19 @@ parameters: type: object - name: buildAgentLinuxNative type: object - - name: runCompliance + - name: sdl + type: object + default: + apiscan: + enabled: false + binskim: + break: false + spotBugs: + enabled: false + - name: use1ESPipelineTemplates type: boolean default: false - - name: use1ESPipelineTemplates + - name: enableSigning type: boolean default: false @@ -56,6 +65,7 @@ stages: parameters: name: native_android_x86_windows displayName: Android x86 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -65,6 +75,7 @@ stages: parameters: name: native_android_x64_windows displayName: Android x64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} 
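Review bot: The `sdl` default mapping in azure-templates-stages.yml is now the only place the non-compliance configuration (`apiscan.enabled: false`, `binskim.break: false`, `spotBugs.enabled: false`) lives, and the apiscan stage later in that file keys off `parameters.sdl.apiscan.enabled`; a caller that supplies its own `sdl` object without an `apiscan` key loses this default and, depending on how a missing property evaluates in a compile-time expression, may silently skip or break that stage. A comment on the default would make the contract explicit: `# minimal SDL config: BinSkim reports without breaking, SpotBugs and APIScan off; a caller-supplied object must include apiscan.enabled`. Removing the `runCompliance` parameter from this template is consistent with both pipeline files in the diff, but any other caller still passing it would be rejected as an unexpected parameter.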
@@ -74,6 +85,7 @@ stages: parameters: name: native_android_arm_windows displayName: Android arm + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -83,6 +95,7 @@ stages: parameters: name: native_android_arm64_windows displayName: Android arm64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -92,6 +105,7 @@ stages: parameters: name: native_tizen_windows displayName: Tizen + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -100,6 +114,7 @@ stages: parameters: name: native_win32_x86_windows displayName: Win32 x86 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -109,6 +124,7 @@ stages: parameters: name: native_win32_x64_windows displayName: Win32 x64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -118,6 +134,7 @@ stages: parameters: name: native_win32_arm64_windows displayName: Win32 arm64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -127,6 +144,7 @@ stages: parameters: name: native_win32_x86_msvc_windows displayName: Win32 x86 [MSVC] + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} 
@@ -137,6 +155,7 @@ stages: parameters: name: native_win32_x64_msvc_windows displayName: Win32 x64 [MSVC] + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -147,6 +166,7 @@ stages: parameters: name: native_win32_arm64_msvc_windows displayName: Win32 arm64 [MSVC] + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -157,6 +177,7 @@ stages: parameters: name: native_winui_x86_windows displayName: WinUI x86 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -166,6 +187,7 @@ stages: parameters: name: native_winui_x64_windows displayName: WinUI x64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -175,6 +197,7 @@ stages: parameters: name: native_winui_arm64_windows displayName: WinUI arm64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} @@ -184,6 +207,7 @@ stages: parameters: name: native_win32_x64_nanoserver_windows displayName: Nano Server x64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindowsNative }} 
@@ -199,6 +223,7 @@ stages: parameters: name: native_android_x86_macos displayName: Android x86 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} @@ -208,6 +233,7 @@ stages: parameters: name: native_android_x64_macos displayName: Android x64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} @@ -217,6 +243,7 @@ stages: parameters: name: native_android_arm_macos displayName: Android arm + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} @@ -226,6 +253,7 @@ stages: parameters: name: native_android_arm64_macos displayName: Android arm64 + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} @@ -235,6 +263,7 @@ stages: parameters: name: native_ios_macos displayName: iOS + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} @@ -243,6 +272,7 @@ stages: parameters: name: native_maccatalyst_macos displayName: Mac Catalyst + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} @@ -251,6 +281,7 @@ stages: parameters: name: native_macos_macos displayName: macOS + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} 
@@ -259,6 +290,7 @@ stages: parameters: name: native_tvos_macos displayName: tvOS + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} @@ -267,6 +299,7 @@ stages: parameters: name: native_tizen_macos displayName: Tizen + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentMacNative }} @@ -279,6 +312,7 @@ stages: jobs: - template: /scripts/azure-templates-linux-matrix.yml@self # Build Native Linux (Linux) parameters: + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentLinuxNative }} @@ -319,6 +353,7 @@ stages: jobs: - template: /scripts/azure-templates-wasm-matrix.yml@self # Build Native WASM (Linux) parameters: + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentLinuxNative }} @@ -391,6 +426,7 @@ stages: parameters: name: native displayName: Merge Native Artifacts + sdl: ${{ parameters.sdl }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentHost }} requiredArtifacts: @@ -428,6 +464,7 @@ stages: parameters: name: native_wasm displayName: Merge Native WASM Artifacts + sdl: ${{ parameters.sdl }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentHost }} matrixArtifacts: @@ -437,6 +474,7 @@ stages: parameters: name: native_msvc displayName: Merge Native MSVC Artifacts + sdl: ${{ parameters.sdl }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentHost }} requiredArtifacts: 
@@ -502,6 +540,7 @@ stages: parameters: name: package_normal_windows displayName: Package NuGets + sdl: ${{ parameters.sdl }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindows}} target: nuget-normal @@ -531,6 +570,7 @@ stages: parameters: name: package_special_windows displayName: Package Special NuGets + sdl: ${{ parameters.sdl }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgentWindows}} dependsOn: package_normal_windows @@ -586,7 +626,7 @@ stages: always: true path: '$(Build.SourcesDirectory)\changelogs' - - ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(parameters.buildPipelineType, 'tests'), ne(variables['System.PullRequest.IsFork'], 'true')) }}: + - ${{ if eq(parameters.enableSigning, 'true') }}: - stage: signing displayName: Sign NuGets dependsOn: package 
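Review bot: The signing stage condition is reduced to `eq(parameters.enableSigning, 'true')`, so the `System.TeamProject`/`System.PullRequest.IsFork` guard now lives only in azure-pipelines.yml, while azure-pipelines-complete-internal.yml exposes `enableSigning` as a plain queue-time parameter; a comment here, `# callers are responsible for gating enableSigning on team project / fork status; this template does not`, would stop a future caller from assuming the template still enforces it. The old guard also excluded `buildPipelineType: 'tests'`; if the `package` stage this one `dependsOn` is absent for such builds, as that guard suggests, enabling signing on a tests-only run would reference a missing stage, so consider `- ${{ if and(eq(parameters.enableSigning, 'true'), ne(parameters.buildPipelineType, 'tests')) }}:`.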
@@ -909,33 +949,22 @@ stages: installEmsdk: true initScript: source ~/emsdk/emsdk_env.sh - - ${{ if and(eq(variables['System.TeamProject'], 'devdiv'), ne(parameters.buildPipelineType, 'tests'), ne(variables['System.PullRequest.IsFork'], 'true'), or(and(eq(variables['Build.Reason'], 'Schedule'), or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'))), parameters.runCompliance)) }}: - - template: security/full/v1.yml@xamarin-templates + - ${{ if eq(parameters.sdl.apiscan.enabled, 'true') }}: + - template: security/apiscan/v0.yml@xamarin-templates parameters: - stageDependsOn: - - package - complianceEnabled: true - complianceTimeoutInMinutes: 480 windowsPoolName: ${{ parameters.buildAgentHost.pool.name }} windowsImageOverride: ${{ parameters.buildAgentHost.pool.image }} + timeoutInMinutes: 480 + stageDependsOn: + - package scanArtifacts: - nuget - nuget_symbols - native_msvc - antiMalwareEnabled: true - binSkimEnabled: false - policheckExclusionFile: $(Build.SourcesDirectory)\scripts\guardian\PoliCheckExclusions.xml - policheckGdnSuppressionFilesFolder: $(Build.SourcesDirectory)\scripts\guardian - credScanEnabled: true - credScanSuppressionFile: $(Build.SourcesDirectory)\scripts\guardian\CredScanSuppressions.json - sourceGdnSuppressionFile: $(Build.SourcesDirectory)\scripts\guardian\source.gdnsuppress - tsaConfigFile: $(Build.SourcesDirectory)\scripts\guardian\tsaoptions-v2.json - tsaReportBranch: $(Build.SourceBranch) - enableCodeInspector: true - apiScanEnabled: true apiScanSoftwareName: 'SkiaSharp' apiScanSoftwareVersionNum: $(SKIASHARP_MAJOR_VERSION) apiScanPreserveLogsFolder: true + apiScanAuthConnectionString: 'runAs=App;AppId=$(ApiScanClientId)' apiScanSurrogateConfigurationFolder: $(Build.ArtifactStagingDirectory)\APIScanSurrogates preScanSteps: - pwsh: | diff --git a/scripts/azure-templates-wasm-matrix.yml b/scripts/azure-templates-wasm-matrix.yml index bbceb72be2..9a383a54b5 100644 
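Review bot: `apiScanAuthConnectionString: 'runAs=App;AppId=$(ApiScanClientId)'` introduces a runtime variable that nothing in this diff defines; if it is unset the macro stays literal and APIScan fails only at scan time, so a comment naming its source is worth adding, e.g. `# ApiScanClientId: app identity APIScan authenticates as, supplied by the pipeline's variables/variable group (no secret in this string)`. Switching from security/full/v1.yml to security/apiscan/v0.yml drops `tsaReportBranch: $(Build.SourceBranch)` along with the PoliCheck/CredScan/TSA file arguments; the files now travel through `parameters.sdl`, which is consistent, but the report branch presumably has to come from tsaoptions-v2.json now — confirm it does. The stage condition `eq(parameters.sdl.apiscan.enabled, 'true')` relies on callers always supplying that key, and the stages list continues past the hunk.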
--- a/scripts/azure-templates-wasm-matrix.yml +++ b/scripts/azure-templates-wasm-matrix.yml @@ -3,6 +3,7 @@ parameters: buildPipelineType: 'both' # the type of build pipeline setup buildAgent: '' # the configuration for the build agent use1ESPipelineTemplates: false # whether or not we are building using the internal 1ES Pipeline Templates + sdl: [] # the SDL properties to use for this job emscripten: [ ] jobs: @@ -11,6 +12,7 @@ jobs: parameters: name: native_wasm_${{ replace(version.displayName, '.', '_') }}_linux displayName: WASM (${{ version.displayName }}) + sdl: ${{ parameters.sdl }} buildExternals: ${{ parameters.buildExternals }} buildPipelineType: ${{ parameters.buildPipelineType }} buildAgent: ${{ parameters.buildAgent }} diff --git a/scripts/install-python.ps1 b/scripts/install-python.ps1 index 029a0869c7..6002b96e5e 100644 --- a/scripts/install-python.ps1 +++ b/scripts/install-python.ps1 @@ -31,12 +31,9 @@ if ($IsMacOS) { } else { $platform = "win32" } - -$downloadUrl = (($pythonManifest - | Where-Object { $_.version -eq $Version } - | Select-Object -First 1).files - | Where-Object { $_.platform -eq $platform -and $_.arch -eq $Arch } - | Select-Object -First 1).download_url +$manifestFileVersion = $pythonManifest | Where-Object { $_.version -eq $Version } | Select-Object -First 1 +$manifestFileItem = $manifestFileVersion.files | Where-Object { $_.platform -eq $platform -and $_.arch -eq $Arch } | Select-Object -First 1 +$downloadUrl = $manifestFileItem.download_url # download $tempDir = Join-Path "$HOME_DIR" "python-temp"
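Review bot: `$downloadUrl = $manifestFileItem.download_url` is assigned without checking that the manifest contained the requested version or a matching platform/arch entry; under PowerShell's default non-strict mode both `Where-Object ... | Select-Object -First 1` lookups return `$null` silently, `$manifestFileVersion.files` is then also `$null`, and the failure surfaces later as an opaque download error with an empty URL. Add a guard before the assignment: `if (-not $manifestFileItem) { throw "No Python $Version build for $platform/$Arch in the manifest" }`. `$pythonManifest`, `$Version` and `$Arch` are defined before the hunk, and the download that consumes `$downloadUrl` follows it.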