From 088f45f6ca59023e36a555e0b4f6def63c3e0c08 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Wed, 31 Aug 2022 15:58:18 -0700 Subject: [PATCH 01/11] Add policheck --- builds/azure-pipelines/template-steps-build-test.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index 050f244ef..49f93289d 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml +++ b/builds/azure-pipelines/template-steps-build-test.yml @@ -91,6 +91,15 @@ steps: SYSTEM_ACCESSTOKEN: $(System.AccessToken) condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) +- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1 + displayName: 'Run PoliCheck' + inputs: + targetType: F + optionsFC: 0 + optionsXS: 0 + optionsHMENABLE: 0 + condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) + - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 inputs: toolMajorVersion: V2 From b5dbd7803e336b06c9e014c456388eb28a714450 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Wed, 31 Aug 2022 16:02:12 -0700 Subject: [PATCH 02/11] Upload policheck to TSA codebase --- builds/TSAConfig.gdntsa | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/builds/TSAConfig.gdntsa b/builds/TSAConfig.gdntsa index 56186440c..3923841d4 100644 --- a/builds/TSAConfig.gdntsa +++ b/builds/TSAConfig.gdntsa @@ -14,6 +14,7 @@ "tools": [ "BinSkim", "RoslynAnalyzers", - "CredScan" + "CredScan", + "Policheck" ] } \ No newline at end of file From 48bba2e70ab12fe362b2bd6b2559075ba2fa58f1 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Wed, 31 Aug 2022 16:26:42 -0700 Subject: [PATCH 03/11] Try globbing files --- builds/azure-pipelines/template-steps-build-test.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index 49f93289d..2f223fec5 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml +++ b/builds/azure-pipelines/template-steps-build-test.yml @@ -91,10 +91,12 @@ steps: SYSTEM_ACCESSTOKEN: $(System.AccessToken) condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) -- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@1 +- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 displayName: 'Run PoliCheck' inputs: targetType: F + result: PoliCheck.xml + targetArgument: '$(Build.SourcesDirectory)/**/*' optionsFC: 0 optionsXS: 0 optionsHMENABLE: 0 From 189a0e37d2a2c9cd25aad5badbc5ba82406cb248 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Wed, 31 Aug 2022 16:37:09 -0700 Subject: [PATCH 04/11] Scan all --- builds/azure-pipelines/template-steps-build-test.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index 2f223fec5..62fce8688 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml +++ b/builds/azure-pipelines/template-steps-build-test.yml @@ -96,10 +96,6 @@ steps: inputs: targetType: F result: PoliCheck.xml - targetArgument: '$(Build.SourcesDirectory)/**/*' - optionsFC: 0 - optionsXS: 0 - optionsHMENABLE: 0 condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 From 9d374d610cb1ecced75f6c888693ebd860255e7f Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Wed, 31 Aug 2022 16:52:52 -0700 Subject: [PATCH 05/11] Only upload when var set --- builds/azure-pipelines/template-steps-build-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index 62fce8688..46357ef06 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml +++ b/builds/azure-pipelines/template-steps-build-test.yml @@ -142,7 +142,7 @@ steps: inputs: GdnPublishTsaOnboard: true GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\builds\TSAConfig.gdntsa' - condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'), ne(variables['Build.Reason'], 'PullRequest')) + condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'), eq(variables['TSA_UPLOAD'], 'true')) # 5.0 isn't supported on Mac yet - task: UseDotNet@2 From 5658ff5503909afc87ade7e6376d872b94eeb903 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Wed, 31 Aug 2022 17:32:30 -0700 Subject: [PATCH 06/11] post analysis --- builds/azure-pipelines/template-steps-build-test.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index 46357ef06..e62da34ef 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml +++ b/builds/azure-pipelines/template-steps-build-test.yml @@ -260,3 +260,8 @@ steps: displayName: 'Component Detection' inputs: failOnAlert: true + +- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 + displayName: 'Post Analysis' + inputs: + GdnBreakPolicyMinSev: Error From 0b4b7f385b4d15b6f4943a874f33ac20d804f481 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Wed, 31 Aug 2022 17:54:24 -0700 Subject: [PATCH 07/11] Only on windows --- builds/azure-pipelines/template-steps-build-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index e62da34ef..08ddbeb43 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml 
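Review bot: In [PATCH 05/11], the new `condition` on the step that takes `GdnPublishTsaConfigFile` no longer excludes pull-request builds, so whether scan results are uploaded now depends entirely on how `TSA_UPLOAD` is defined, which the hunk does not show. If that variable can be set at queue time or is defined on a pipeline that also validates PRs, results from unreviewed branches would be published to the TSA codebase; if it is never set, uploads stop without any signal. Keeping both guards costs nothing: `condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT'), eq(variables['TSA_UPLOAD'], 'true'), ne(variables['Build.Reason'], 'PullRequest'))`. A one-line comment above the condition stating which pipeline definition sets `TSA_UPLOAD` would make the gate auditable. The step's `task:` line is above the hunk.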
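Review bot: In [PATCH 06/11], the Post Analysis step sets only `GdnBreakPolicyMinSev: Error` and does not say which tools' results it evaluates, so the file does not show that PoliCheck, CredScan, BinSkim and RoslynAnalyzers findings all feed the break decision. If the task evaluates no tools unless they are selected (worth confirming against the task documentation), this gate would pass regardless of findings. Stating the scope under `inputs:`, for example `GdnBreakAllTools: true`, makes the intent reviewable.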
+++ b/builds/azure-pipelines/template-steps-build-test.yml @@ -265,3 +265,4 @@ steps: displayName: 'Post Analysis' inputs: GdnBreakPolicyMinSev: Error + condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) From d9d4834d484e12bef65615f51da4d58e8dd1ad72 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Wed, 31 Aug 2022 22:09:35 -0700 Subject: [PATCH 08/11] break on warn --- builds/azure-pipelines/template-steps-build-test.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index 08ddbeb43..c590f7c2b 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml +++ b/builds/azure-pipelines/template-steps-build-test.yml @@ -264,5 +264,6 @@ steps: - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 displayName: 'Post Analysis' inputs: - GdnBreakPolicyMinSev: Error + GdnBreakPolicyMinSev: Warning + continueOnError: true condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) From b12f5311a7bed8f1839742014491220c95a518e7 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Thu, 1 Sep 2022 10:05:50 -0700 Subject: [PATCH 09/11] testing --- .../template-steps-build-test.yml | 299 +++++++++--------- 1 file changed, 150 insertions(+), 149 deletions(-) diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index c590f7c2b..ec26a9ac4 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml +++ b/builds/azure-pipelines/template-steps-build-test.yml 
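Review bot: In [PATCH 08/11], `continueOnError: true` on the Post Analysis step means a break at `GdnBreakPolicyMinSev: Warning` only marks the job as succeeded with issues, so later steps still run and nothing is actually blocked. If a report-only phase is intended while existing findings are triaged, say so next to the setting, e.g. `# report-only until existing findings are triaged; remove to enforce`. [PATCH 10/11] later in this series removes the setting; squashing the two would avoid an intermediate commit where the gate looks enforced but is not.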
@@ -12,6 +12,14 @@ steps: inputs: useGlobalJson: true +# Run Policheck early to avoid scanning dependency folders +- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 + displayName: 'Run PoliCheck' + inputs: + targetType: F + result: PoliCheck.xml + condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) + - script: npm install -g azure-functions-core-tools displayName: 'Install Azure Functions Core Tools' 
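Review bot: The PoliCheck step added near the top of `steps:` relies on step order alone to keep dependency folders out of the scan, and with `targetType: F` and no `targetArgument` the scanned folder is whatever the task defaults to. Any step later inserted above it that writes into the checkout (the `npm install` in `samples/samples-js` further down is one candidate) would widen the scan without any visible change to this step. Naming the target makes the scope explicit: `targetArgument: '$(Build.SourcesDirectory)'`.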
@@ -45,63 +53,56 @@ steps: displayName: Start Server in Docker Container condition: and(succeeded(), eq(variables['Agent.OS'], 'linux')) -- task: DotNetCoreCLI@2 - displayName: '.NET Restore' - inputs: - command: restore - projects: '${{ parameters.solution }}' +# - task: DotNetCoreCLI@2 +# displayName: '.NET Restore' +# inputs: +# command: restore +# projects: '${{ parameters.solution }}' # Don't generate package so we can sign it before packaging -- task: DotNetCoreCLI@2 - displayName: '.NET Build' - inputs: - command: build - projects: '${{ parameters.solution }}' - arguments: '--configuration ${{ parameters.configuration }} -p:GeneratePackageOnBuild=false -p:Version=${{ parameters.binariesVersion }}' +# - task: DotNetCoreCLI@2 +# displayName: '.NET Build' +# inputs: +# command: build +# projects: '${{ parameters.solution }}' +# arguments: '--configuration ${{ parameters.configuration }} -p:GeneratePackageOnBuild=false -p:Version=${{ parameters.binariesVersion }}' -- script: | - npm install - npm run lint - workingDirectory: $(Build.SourcesDirectory)/samples/samples-js - displayName: Lint samples-js +# - script: | +# npm install +# npm run lint +# workingDirectory: $(Build.SourcesDirectory)/samples/samples-js +# displayName: Lint samples-js -- task: UsePythonVersion@0 - inputs: - versionSpec: '3.9' - addToPath: true - architecture: 'x64' +# - task: UsePythonVersion@0 +# inputs: +# versionSpec: '3.9' +# addToPath: true +# architecture: 'x64' -- script: | - pip3 install pylint_runner - pip3 install pylintfileheader - pylint_runner - workingDirectory: $(Build.SourcesDirectory)/samples/samples-python - displayName: Lint samples-python +# - script: | +# pip3 install pylint_runner +# pip3 install pylintfileheader +# pylint_runner +# workingDirectory: $(Build.SourcesDirectory)/samples/samples-python +# displayName: Lint samples-python -- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 - inputs: - InputType: 'CommandLine' - 
arguments: 'analyze $(Build.SourcesDirectory)\src\bin\${{ parameters.configuration }}\* --recurse --verbose' - condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) +# - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 +# inputs: +# InputType: 'CommandLine' +# arguments: 'analyze $(Build.SourcesDirectory)\src\bin\${{ parameters.configuration }}\* --recurse --verbose' +# condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) -- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3 - inputs: - userProvideBuildInfo: 'autoMsBuildInfo' - env: - SYSTEM_ACCESSTOKEN: $(System.AccessToken) - condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) +# - task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3 +# inputs: +# userProvideBuildInfo: 'autoMsBuildInfo' +# env: +# SYSTEM_ACCESSTOKEN: $(System.AccessToken) +# condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) -- task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 - displayName: 'Run PoliCheck' - inputs: - targetType: F - result: PoliCheck.xml - condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) - -- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 - inputs: - toolMajorVersion: V2 - condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) +# - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 +# inputs: +# toolMajorVersion: V2 +# condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@2 displayName: 'Create Security Analysis Report' 
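Review bot: Commenting out BinSkim, RoslynAnalyzers and CredScan in this hunk (and ESRP signing, pack and tests in the next hunk of [PATCH 09/11]) leaves the 'Create Security Analysis Report' step that follows running with only PoliCheck output, so this commit yields a security report that looks complete but covers one tool. `builds/TSAConfig.gdntsa` still lists all four tools, so an upload from this state through the TSA publish step seen in [PATCH 05/11] would be misleading. If the commit has to exist on its own, mark the state at the top of the commented region, e.g. `# TEMP (do not merge): scanners disabled while iterating on PoliCheck`; otherwise squash it with [PATCH 10/11], which restores the steps.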
@@ -151,110 +152,110 @@ steps: version: '2.1.x' condition: and(succeeded(), eq(variables['Agent.OS'], 'Darwin')) -- task: EsrpCodeSigning@1 - displayName: 'ESRP CodeSigning - Binaries' - inputs: - ConnectedServiceName: 'Code Signing' - FolderPath: '$(Build.SourcesDirectory)/src/bin/${{ parameters.configuration }}' - Pattern: 'Microsoft.Azure.WebJobs.Extensions.Sql.dll' - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "KeyCode" : "CP-235847-SN", - "operationSetCode" : "StrongNameSign", - "Parameters" : [], - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-235847-SN", - "operationSetCode" : "StrongNameVerify", - "Parameters" : [], - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Azure Functions SQL Extension" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "https://github.com/Azure/azure-functions-sql-extension" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd sha256" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - } - ] - SessionTimeout: 600 - MaxConcurrency: 5 +# - task: EsrpCodeSigning@1 +# displayName: 'ESRP CodeSigning - Binaries' +# inputs: +# ConnectedServiceName: 'Code Signing' +# FolderPath: '$(Build.SourcesDirectory)/src/bin/${{ parameters.configuration }}' +# Pattern: 'Microsoft.Azure.WebJobs.Extensions.Sql.dll' +# signConfigType: inlineSignParams +# inlineOperation: | +# [ +# { +# "KeyCode" : 
"CP-235847-SN", +# "operationSetCode" : "StrongNameSign", +# "Parameters" : [], +# "ToolName" : "sign", +# "ToolVersion" : "1.0" +# }, +# { +# "KeyCode" : "CP-235847-SN", +# "operationSetCode" : "StrongNameVerify", +# "Parameters" : [], +# "ToolName" : "sign", +# "ToolVersion" : "1.0" +# }, +# { +# "keyCode": "CP-230012", +# "operationSetCode": "SigntoolSign", +# "parameters": [ +# { +# "parameterName": "OpusName", +# "parameterValue": "Azure Functions SQL Extension" +# }, +# { +# "parameterName": "OpusInfo", +# "parameterValue": "https://github.com/Azure/azure-functions-sql-extension" +# }, +# { +# "parameterName": "PageHash", +# "parameterValue": "/NPH" +# }, +# { +# "parameterName": "FileDigest", +# "parameterValue": "/fd sha256" +# }, +# { +# "parameterName": "TimeStamp", +# "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" +# } +# ], +# "toolName": "signtool.exe", +# "toolVersion": "6.2.9304.0" +# }, +# { +# "keyCode": "CP-230012", +# "operationSetCode": "SigntoolVerify", +# "parameters": [ +# { +# "parameterName": "VerifyAll", +# "parameterValue": "/all" +# } +# ], +# "toolName": "signtool.exe", +# "toolVersion": "6.2.9304.0" +# } +# ] +# SessionTimeout: 600 +# MaxConcurrency: 5 # Extra parameter GeneratePackageOnBuild=false is needed for issue https://github.com/dotnet/sdk/pull/3473#issuecomment-516612070 -- task: DotNetCoreCLI@2 - displayName: '.NET Pack Nuget' - inputs: - command: custom - custom: pack - projects: '${{ parameters.solution }}' - arguments: '--configuration ${{ parameters.configuration }} --output $(Build.ArtifactStagingDirectory) --no-build -p:PackageVersion="${{ parameters.nugetVersion }}" -p:GeneratePackageOnBuild=false' +# - task: DotNetCoreCLI@2 +# displayName: '.NET Pack Nuget' +# inputs: +# command: custom +# custom: pack +# projects: '${{ parameters.solution }}' +# arguments: '--configuration ${{ parameters.configuration }} --output $(Build.ArtifactStagingDirectory) --no-build 
-p:PackageVersion="${{ parameters.nugetVersion }}" -p:GeneratePackageOnBuild=false' -- task: DotNetCoreCLI@2 - displayName: '.NET Test' - env: - TEST_SERVER: '$(testServer)' - NODE_MODULES_PATH: '$(nodeModulesPath)' - AZUREFUNCTIONS_SQLBINDINGS_TELEMETRY_OPTOUT: '1' - inputs: - command: test - projects: '${{ parameters.solution }}' - arguments: '--configuration ${{ parameters.configuration }} ${{ parameters.testFilter }} --collect "Code Coverage" -s $(Build.SourcesDirectory)/test/coverage.runsettings' - condition: and(succeeded(), ne(variables['Agent.OS'], 'linux')) +# - task: DotNetCoreCLI@2 +# displayName: '.NET Test' +# env: +# TEST_SERVER: '$(testServer)' +# NODE_MODULES_PATH: '$(nodeModulesPath)' +# AZUREFUNCTIONS_SQLBINDINGS_TELEMETRY_OPTOUT: '1' +# inputs: +# command: test +# projects: '${{ parameters.solution }}' +# arguments: '--configuration ${{ parameters.configuration }} ${{ parameters.testFilter }} --collect "Code Coverage" -s $(Build.SourcesDirectory)/test/coverage.runsettings' +# condition: and(succeeded(), ne(variables['Agent.OS'], 'linux')) -- task: DotNetCoreCLI@2 - displayName: '.NET Test on Linux' - env: - SA_PASSWORD: '$(serverPassword)' - AZUREFUNCTIONS_SQLBINDINGS_TELEMETRY_OPTOUT: '1' - inputs: - command: test - projects: '${{ parameters.solution }}' - arguments: '--configuration ${{ parameters.configuration }} ${{ parameters.testFilter }} --collect "Code Coverage" -s $(Build.SourcesDirectory)/test/coverage.runsettings' - condition: and(succeeded(), eq(variables['Agent.OS'], 'linux')) +# - task: DotNetCoreCLI@2 +# displayName: '.NET Test on Linux' +# env: +# SA_PASSWORD: '$(serverPassword)' +# AZUREFUNCTIONS_SQLBINDINGS_TELEMETRY_OPTOUT: '1' +# inputs: +# command: test +# projects: '${{ parameters.solution }}' +# arguments: '--configuration ${{ parameters.configuration }} ${{ parameters.testFilter }} --collect "Code Coverage" -s $(Build.SourcesDirectory)/test/coverage.runsettings' +# condition: and(succeeded(), eq(variables['Agent.OS'], 
'linux')) -- script: | - docker stop sql1 - docker rm sql1 - displayName: 'Stop and Remove SQL Server Image' - condition: and(succeeded(), eq(variables['Agent.OS'], 'linux')) +# - script: | +# docker stop sql1 +# docker rm sql1 +# displayName: 'Stop and Remove SQL Server Image' +# condition: and(succeeded(), eq(variables['Agent.OS'], 'linux')) - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 displayName: 'Component Detection' @@ -264,6 +265,6 @@ steps: - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 displayName: 'Post Analysis' inputs: - GdnBreakPolicyMinSev: Warning + GdnBreakPolicyMinSev: Error continueOnError: true condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) From 129d8ef7f1cd9db3d35c01f80450c4c26f02d303 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Thu, 1 Sep 2022 10:54:56 -0700 Subject: [PATCH 10/11] re-enable and break on error --- .../template-steps-build-test.yml | 283 +++++++++--------- 1 file changed, 141 insertions(+), 142 deletions(-) diff --git a/builds/azure-pipelines/template-steps-build-test.yml b/builds/azure-pipelines/template-steps-build-test.yml index ec26a9ac4..dfc9f6778 100644 --- a/builds/azure-pipelines/template-steps-build-test.yml +++ b/builds/azure-pipelines/template-steps-build-test.yml 
@@ -53,56 +53,56 @@ steps: displayName: Start Server in Docker Container condition: and(succeeded(), eq(variables['Agent.OS'], 'linux')) -# - task: DotNetCoreCLI@2 -# displayName: '.NET Restore' -# inputs: -# command: restore -# projects: '${{ parameters.solution }}' +- task: DotNetCoreCLI@2 + displayName: '.NET Restore' + inputs: + command: restore + projects: '${{ parameters.solution }}' # Don't generate package so we can sign it before packaging -# - task: DotNetCoreCLI@2 -# displayName: '.NET Build' -# inputs: -# command: build -# projects: '${{ parameters.solution }}' -# arguments: '--configuration ${{ parameters.configuration }} -p:GeneratePackageOnBuild=false -p:Version=${{ parameters.binariesVersion }}' +- task: DotNetCoreCLI@2 + displayName: '.NET Build' + inputs: + command: build + projects: '${{ parameters.solution }}' + arguments: '--configuration ${{ parameters.configuration }} -p:GeneratePackageOnBuild=false -p:Version=${{ parameters.binariesVersion }}' -# - script: | -# npm install -# npm run lint -# workingDirectory: $(Build.SourcesDirectory)/samples/samples-js -# displayName: Lint samples-js +- script: | + npm install + npm run lint + workingDirectory: $(Build.SourcesDirectory)/samples/samples-js + displayName: Lint samples-js -# - task: UsePythonVersion@0 -# inputs: -# versionSpec: '3.9' -# addToPath: true -# architecture: 'x64' +- task: UsePythonVersion@0 + inputs: + versionSpec: '3.9' + addToPath: true + architecture: 'x64' -# - script: | -# pip3 install pylint_runner -# pip3 install pylintfileheader -# pylint_runner -# workingDirectory: $(Build.SourcesDirectory)/samples/samples-python -# displayName: Lint samples-python +- script: | + pip3 install pylint_runner + pip3 install pylintfileheader + pylint_runner + workingDirectory: $(Build.SourcesDirectory)/samples/samples-python + displayName: Lint samples-python -# - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 -# inputs: -# InputType: 'CommandLine' -# 
arguments: 'analyze $(Build.SourcesDirectory)\src\bin\${{ parameters.configuration }}\* --recurse --verbose' -# condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) +- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 + inputs: + InputType: 'CommandLine' + arguments: 'analyze $(Build.SourcesDirectory)\src\bin\${{ parameters.configuration }}\* --recurse --verbose' + condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) -# - task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3 -# inputs: -# userProvideBuildInfo: 'autoMsBuildInfo' -# env: -# SYSTEM_ACCESSTOKEN: $(System.AccessToken) -# condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) +- task: securedevelopmentteam.vss-secure-development-tools.build-task-roslynanalyzers.RoslynAnalyzers@3 + inputs: + userProvideBuildInfo: 'autoMsBuildInfo' + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) -# - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 -# inputs: -# toolMajorVersion: V2 -# condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) +- task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@2 + inputs: + toolMajorVersion: V2 + condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@2 displayName: 'Create Security Analysis Report' 
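Review bot: The restored lint steps install `pylint_runner` and `pylintfileheader` with no version pin and run `npm install` in `samples/samples-js`, all in the same job that later calls the ESRP code-signing task, so whatever the registries serve on the day of the build executes alongside the signing step. The lines are restored unchanged from before [PATCH 09/11], so this predates the series, but it is worth tightening while the file is being touched. Pin the Python tools (`pip3 install pylint_runner==<pinned-version>`) and, if a lockfile is checked in for the samples, use `npm ci` instead of `npm install`. Moving the lint steps into a separate job that has no access to the 'Code Signing' service connection would isolate them further.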
@@ -152,110 +152,110 @@ steps: version: '2.1.x' condition: and(succeeded(), eq(variables['Agent.OS'], 'Darwin')) -# - task: EsrpCodeSigning@1 -# displayName: 'ESRP CodeSigning - Binaries' -# inputs: -# ConnectedServiceName: 'Code Signing' -# FolderPath: '$(Build.SourcesDirectory)/src/bin/${{ parameters.configuration }}' -# Pattern: 'Microsoft.Azure.WebJobs.Extensions.Sql.dll' -# signConfigType: inlineSignParams -# inlineOperation: | -# [ -# { -# "KeyCode" : "CP-235847-SN", -# "operationSetCode" : "StrongNameSign", -# "Parameters" : [], -# "ToolName" : "sign", -# "ToolVersion" : "1.0" -# }, -# { -# "KeyCode" : "CP-235847-SN", -# "operationSetCode" : "StrongNameVerify", -# "Parameters" : [], -# "ToolName" : "sign", -# "ToolVersion" : "1.0" -# }, -# { -# "keyCode": "CP-230012", -# "operationSetCode": "SigntoolSign", -# "parameters": [ -# { -# "parameterName": "OpusName", -# "parameterValue": "Azure Functions SQL Extension" -# }, -# { -# "parameterName": "OpusInfo", -# "parameterValue": "https://github.com/Azure/azure-functions-sql-extension" -# }, -# { -# "parameterName": "PageHash", -# "parameterValue": "/NPH" -# }, -# { -# "parameterName": "FileDigest", -# "parameterValue": "/fd sha256" -# }, -# { -# "parameterName": "TimeStamp", -# "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" -# } -# ], -# "toolName": "signtool.exe", -# "toolVersion": "6.2.9304.0" -# }, -# { -# "keyCode": "CP-230012", -# "operationSetCode": "SigntoolVerify", -# "parameters": [ -# { -# "parameterName": "VerifyAll", -# "parameterValue": "/all" -# } -# ], -# "toolName": "signtool.exe", -# "toolVersion": "6.2.9304.0" -# } -# ] -# SessionTimeout: 600 -# MaxConcurrency: 5 +- task: EsrpCodeSigning@1 + displayName: 'ESRP CodeSigning - Binaries' + inputs: + ConnectedServiceName: 'Code Signing' + FolderPath: '$(Build.SourcesDirectory)/src/bin/${{ parameters.configuration }}' + Pattern: 'Microsoft.Azure.WebJobs.Extensions.Sql.dll' + signConfigType: 
inlineSignParams + inlineOperation: | + [ + { + "KeyCode" : "CP-235847-SN", + "operationSetCode" : "StrongNameSign", + "Parameters" : [], + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-235847-SN", + "operationSetCode" : "StrongNameVerify", + "Parameters" : [], + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "keyCode": "CP-230012", + "operationSetCode": "SigntoolSign", + "parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Azure Functions SQL Extension" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "https://github.com/Azure/azure-functions-sql-extension" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd sha256" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } + ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" + }, + { + "keyCode": "CP-230012", + "operationSetCode": "SigntoolVerify", + "parameters": [ + { + "parameterName": "VerifyAll", + "parameterValue": "/all" + } + ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" + } + ] + SessionTimeout: 600 + MaxConcurrency: 5 # Extra parameter GeneratePackageOnBuild=false is needed for issue https://github.com/dotnet/sdk/pull/3473#issuecomment-516612070 -# - task: DotNetCoreCLI@2 -# displayName: '.NET Pack Nuget' -# inputs: -# command: custom -# custom: pack -# projects: '${{ parameters.solution }}' -# arguments: '--configuration ${{ parameters.configuration }} --output $(Build.ArtifactStagingDirectory) --no-build -p:PackageVersion="${{ parameters.nugetVersion }}" -p:GeneratePackageOnBuild=false' +- task: DotNetCoreCLI@2 + displayName: '.NET Pack Nuget' + inputs: + command: custom + custom: pack + projects: '${{ parameters.solution }}' + arguments: '--configuration ${{ parameters.configuration }} --output $(Build.ArtifactStagingDirectory) --no-build 
-p:PackageVersion="${{ parameters.nugetVersion }}" -p:GeneratePackageOnBuild=false' -# - task: DotNetCoreCLI@2 -# displayName: '.NET Test' -# env: -# TEST_SERVER: '$(testServer)' -# NODE_MODULES_PATH: '$(nodeModulesPath)' -# AZUREFUNCTIONS_SQLBINDINGS_TELEMETRY_OPTOUT: '1' -# inputs: -# command: test -# projects: '${{ parameters.solution }}' -# arguments: '--configuration ${{ parameters.configuration }} ${{ parameters.testFilter }} --collect "Code Coverage" -s $(Build.SourcesDirectory)/test/coverage.runsettings' -# condition: and(succeeded(), ne(variables['Agent.OS'], 'linux')) +- task: DotNetCoreCLI@2 + displayName: '.NET Test' + env: + TEST_SERVER: '$(testServer)' + NODE_MODULES_PATH: '$(nodeModulesPath)' + AZUREFUNCTIONS_SQLBINDINGS_TELEMETRY_OPTOUT: '1' + inputs: + command: test + projects: '${{ parameters.solution }}' + arguments: '--configuration ${{ parameters.configuration }} ${{ parameters.testFilter }} --collect "Code Coverage" -s $(Build.SourcesDirectory)/test/coverage.runsettings' + condition: and(succeeded(), ne(variables['Agent.OS'], 'linux')) -# - task: DotNetCoreCLI@2 -# displayName: '.NET Test on Linux' -# env: -# SA_PASSWORD: '$(serverPassword)' -# AZUREFUNCTIONS_SQLBINDINGS_TELEMETRY_OPTOUT: '1' -# inputs: -# command: test -# projects: '${{ parameters.solution }}' -# arguments: '--configuration ${{ parameters.configuration }} ${{ parameters.testFilter }} --collect "Code Coverage" -s $(Build.SourcesDirectory)/test/coverage.runsettings' -# condition: and(succeeded(), eq(variables['Agent.OS'], 'linux')) +- task: DotNetCoreCLI@2 + displayName: '.NET Test on Linux' + env: + SA_PASSWORD: '$(serverPassword)' + AZUREFUNCTIONS_SQLBINDINGS_TELEMETRY_OPTOUT: '1' + inputs: + command: test + projects: '${{ parameters.solution }}' + arguments: '--configuration ${{ parameters.configuration }} ${{ parameters.testFilter }} --collect "Code Coverage" -s $(Build.SourcesDirectory)/test/coverage.runsettings' + condition: and(succeeded(), eq(variables['Agent.OS'], 
'linux')) -# - script: | -# docker stop sql1 -# docker rm sql1 -# displayName: 'Stop and Remove SQL Server Image' -# condition: and(succeeded(), eq(variables['Agent.OS'], 'linux')) +- script: | + docker stop sql1 + docker rm sql1 + displayName: 'Stop and Remove SQL Server Image' + condition: and(succeeded(), eq(variables['Agent.OS'], 'linux')) - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 displayName: 'Component Detection' @@ -266,5 +266,4 @@ steps: displayName: 'Post Analysis' inputs: GdnBreakPolicyMinSev: Error - continueOnError: true condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) From 7788c6ebbb3a13d403dcd03dd3c18f5886476b28 Mon Sep 17 00:00:00 2001 From: Charles Gagnon Date: Thu, 1 Sep 2022 11:00:15 -0700 Subject: [PATCH 11/11] Update notification alias --- builds/TSAConfig.gdntsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/builds/TSAConfig.gdntsa b/builds/TSAConfig.gdntsa index 3923841d4..11b8aeb1b 100644 --- a/builds/TSAConfig.gdntsa +++ b/builds/TSAConfig.gdntsa @@ -1,7 +1,7 @@ { "codebaseName": "Sql Bindings", "notificationAliases": [ - "sqltools@service.microsoft.com" + "sqlbindings@microsoft.com" ], "codebaseAdmins": [ "REDMOND\\chlafren",