From 829439f029b42c12c1443a5a60bf6387fcf8b636 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 1 Oct 2021 21:23:45 +0000 Subject: [PATCH 1/9] Add Sbom --- Sbom.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 Sbom.yml diff --git a/Sbom.yml b/Sbom.yml new file mode 100644 index 0000000..741c432 --- /dev/null +++ b/Sbom.yml @@ -0,0 +1,21 @@ +parameters: + - name: "BuildDropPath" + default: '$(System.ArtifactsDirectory)' + +steps: +- task: UseDotNet@2 + displayName: 'Install .NET Core sdk 3.1 for SBom Generator' + inputs: + version: 3.1 + +- task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 + displayName: 'Generate SBOM' + inputs: + BuildDropPath: ${{ parameters.BuildDropPath }} + # *** Leaving these as documentation of the rest of the inputs *** + # These should be implemented as needed with backwards compatibility for user that didn't supply the parameters + # + # this is the folder to put the BOM, defaults to _manifest + # ManifestDirPath: '_manifest' + # configuration json for the tool + # ConfigFilePath: config.json From 440acd72b51b28c355916c6b7d0377a68b39db86 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 1 Oct 2021 21:49:49 +0000 Subject: [PATCH 2/9] fix version format --- Sbom.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sbom.yml b/Sbom.yml index 741c432..e77e0be 100644 --- a/Sbom.yml +++ b/Sbom.yml @@ -6,7 +6,7 @@ steps: - task: UseDotNet@2 displayName: 'Install .NET Core sdk 3.1 for SBom Generator' inputs: - version: 3.1 + version: 3.x - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: 'Generate SBOM' From a93f569b6b40f6b6808e1813924c9520fabeaec3 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Sat, 2 Oct 2021 20:11:21 +0000 Subject: [PATCH 3/9] Add support for setting the repo URI --- Sbom.yml | 4 ++++ 1 file changed, 4 insertions(+) 
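Review bot: `BuildDropPath` is declared with a default but no `type`, so the template accepts any value shape and a mis-typed caller argument only surfaces inside the manifest task at run time; adding `type: string` after `- name: "BuildDropPath"` makes the template reject it at compile time and documents the contract. The trailing comment block is useful, but `for user that didn't supply the parameters` reads better as `for users who did not supply them`, and a one-line header such as `# Inputs deliberately not exposed yet; add as parameters with defaults so existing callers keep working` states the intent the two sentences currently split.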
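Review bot: `version: 3.x` resolves to the newest 3.x SDK available on the agent at run time, so the toolchain that generates the SBOM is not reproducible from the template alone and can differ between two runs of the same commit. If a floating patch level is intended, say so next to the input, `version: 3.x  # newest 3.x patch at run time; pin an exact 3.1.<patch> if reproducible runs are required`, otherwise pin the exact version. Either form is a string, which also avoids the float reading the previous `3.1` value had.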
diff --git a/Sbom.yml b/Sbom.yml index e77e0be..51f26ae 100644 --- a/Sbom.yml +++ b/Sbom.yml @@ -1,6 +1,8 @@ parameters: - name: "BuildDropPath" default: '$(System.ArtifactsDirectory)' + # Use the public repo URL, such as `https://github.com/powershell/powershell` + - name: Build_Repository_Uri steps: - task: UseDotNet@2 @@ -19,3 +21,5 @@ steps: # ManifestDirPath: '_manifest' # configuration json for the tool # ConfigFilePath: config.json + env: + Build_Repository_Uri: ${{ parameters.Build_Repository_Uri }} From de301f36d8a8922dbcc39b1bebce1f02602acf4f Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Sat, 2 Oct 2021 22:49:36 +0000 Subject: [PATCH 4/9] update variable name and capture --- Sbom.yml | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/Sbom.yml b/Sbom.yml index 51f26ae..f279246 100644 --- a/Sbom.yml +++ b/Sbom.yml @@ -3,15 +3,24 @@ parameters: default: '$(System.ArtifactsDirectory)' # Use the public repo URL, such as `https://github.com/powershell/powershell` - name: Build_Repository_Uri + - name: "displayName" + default: "SBOM" + steps: - task: UseDotNet@2 - displayName: 'Install .NET Core sdk 3.1 for SBom Generator' + displayName: '${{ parameters.displayName }} - Install .NET Core sdk 3.x' inputs: version: 3.x +- pwsh: | + Get-ChildItem env: + displayName: '${{ parameters.displayName }} - Capture Environment' + env: + Build.Repository.Uri: ${{ parameters.Build_Repository_Uri }} + - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 - displayName: 'Generate SBOM' + displayName: '${{ parameters.displayName }} - Generate' inputs: BuildDropPath: ${{ parameters.BuildDropPath }} # *** Leaving these as documentation of the rest of the inputs *** @@ -22,4 +31,4 @@ steps: # configuration json for the tool # ConfigFilePath: config.json env: - Build_Repository_Uri: ${{ parameters.Build_Repository_Uri }} + Build.Repository.Uri: ${{ parameters.Build_Repository_Uri }} 
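Review bot: The example URL in the new comment, `https://github.com/powershell/powershell`, and the README example added later in this series (PATCH 7/9), `https://github.com/powershell/powershell.git`, disagree on whether the `.git` suffix belongs in `Build_Repository_Uri`; since PATCH 5/9 copies the value verbatim into the manifest's `Repo` field, pick one canonical form and use it in both places. Declaring the parameter as `type: string` under `- name: Build_Repository_Uri` would also reject a non-string caller value at template compile time rather than when the manifest is written. The parameter has no default, so callers must supply it; a short comment saying that it is required would save readers from checking.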
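Review bot: The `Get-ChildItem env:` step added in the first hunk writes every environment variable on the agent to the build log, and Azure Pipelines masks only values declared as secret variables, so anything a caller maps into `env:` or an earlier step exports without the secret flag becomes readable by everyone with log access for as long as the run is retained. Since this is a shared compliance template, either drop the step before merge or log only the value it is meant to check, `Write-Verbose "Build.Repository.Uri: ${env:Build.Repository.Uri}" -Verbose`, optionally gated on a debug parameter. Whether the manifest generator reads an environment variable literally named `Build.Repository.Uri` is not visible here; the manual manifest rewrite in PATCH 5/9 and the removal of the `env:` block in PATCH 9/9 suggest it did not take effect, so the same rename in this patch's second hunk (`@@ -22,4 +31,4 @@`) should be confirmed against the task's documentation before relying on it.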
From 0af047f99db3f51436239284329fb422a07ab585 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Sun, 3 Oct 2021 20:26:59 +0000
Subject: [PATCH 5/9] Manually fix manifest repo url

---
 Sbom.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/Sbom.yml b/Sbom.yml
index f279246..4e5bf47 100644
--- a/Sbom.yml
+++ b/Sbom.yml
@@ -32,3 +32,16 @@ steps:
 # ConfigFilePath: config.json
 env:
 Build.Repository.Uri: ${{ parameters.Build_Repository_Uri }}
+
+# This will break signing, but it is currently not enabled.
+- pwsh: |
+ $manifestPath = Join-Path '${{ parameters.BuildDropPath }}' -ChildPath '_manifest\manifest.json'
+ Write-Verbose "manifestPath: $manifestPath" -verbose
+ $manifest = Get-Content $manifestPath | ConvertFrom-Json
+ Write-Verbose "oldRepo: $($manifest.Repo)" -verbose
+ $manifest.Repo = '${{ parameters.Build_Repository_Uri}}'
+ Write-Verbose "newRepo: $($manifest.Repo)" -verbose
+ $manifest | convertto-json -Compress | Out-File -FilePath $manifestPath -Force
+ $newManifest = Get-Content $manifestPath
+ Write-Verbose "newManifest: $manifestPath" -verbose
+ displayName: '${{ parameters.displayName }} - Fix repo'
From 611ff5181f7c74e3117b62a2cba59d5ae95b0856 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Sun, 3 Oct 2021 21:11:08 +0000
Subject: [PATCH 6/9] remove broken logging

---
 Sbom.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/Sbom.yml b/Sbom.yml
index 4e5bf47..e8aff50 100644
--- a/Sbom.yml
+++ b/Sbom.yml
@@ -42,6 +42,4 @@ steps:
 $manifest.Repo = '${{ parameters.Build_Repository_Uri}}'
 Write-Verbose "newRepo: $($manifest.Repo)" -verbose
 $manifest | convertto-json -Compress | Out-File -FilePath $manifestPath -Force
- $newManifest = Get-Content $manifestPath
- Write-Verbose "newManifest: $manifestPath" -verbose
 displayName: '${{ parameters.displayName }} - Fix repo'
From 8a43da77a294ea27a11fcd6b960c94f8b7636de6 Mon Sep 17 00:00:00 2001
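Review bot: `convertto-json -Compress` in the new pwsh step relies on ConvertTo-Json's default `-Depth` of 2, so any manifest property nested deeper than two levels is flattened to its string form and the rewritten manifest.json silently loses data; give it an explicit depth, `$manifest | ConvertTo-Json -Depth 100 -Compress | Out-File -FilePath $manifestPath -Force`. The `-ChildPath '_manifest\manifest.json'` argument only resolves on Windows agents, because pwsh on Linux or macOS does not treat the backslash as a separator; `-ChildPath '_manifest/manifest.json'` works on all three. Splicing `${{ parameters.BuildDropPath }}` and `${{ parameters.Build_Repository_Uri}}` into the script text means a parameter value containing a single quote breaks or alters the script, so passing both through the step's `env:` and reading `$env:` inside the script keeps parameter content out of the code. The `# This will break signing` comment is worth expanding: the step rewrites the generator's output after the fact, so any hash or signature the generator emits over manifest.json, if it does, will no longer match.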
From: Travis Plunk Date: Wed, 6 Oct 2021 17:44:30 +0000 Subject: [PATCH 7/9] Add toc and example to readme --- README.md | 75 ++++++++++++++++++++++++++++++++++++++++--------------- 1 file changed, 55 insertions(+), 20 deletions(-) diff --git a/README.md b/README.md index 7bd046e..52709e7 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Compliance task library +# Compliance task library **Contents of this repository are intended for use in internal Microsoft Pipelines. This repository is public so the community can inspect our process and for sharing among teams.** 
@@ -6,6 +6,26 @@ This repository is public so the community can inspect our process and for shari This repository contains Azure DevOPS YAML template for the compliance tasks needed for release products. The step templates can be included in the repository using [multi-checkout](https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/multi-repo-checkout?view=azure-devops). +## Table of Contents + + +- [Template setup](#template-setup) +- [Daily build Compliance template](#daily-build-compliance-template) +- [Task templates](#task-templates) + - [Credential Scanner](#credential-scanner) + - [TermCheck AKA PoliCheck](#termcheck-aka-policheck) + - [ESRP Signing Template Overview](#esrp-signing-template-overview) + - [ESRP Authenticode minimatch example](#esrp-authenticode-minimatch-example) + - [ESRP Authenticode preview certificate](#esrp-authenticode-preview-certificate) + - [ESRP RPM example](#esrp-rpm-example) + - [ESRP NuPkg example](#esrp-nupkg-example) + - [ESRP macOS example](#esrp-macos-example) + - [ESRP custom signing JSON example](#esrp-custom-signing-json-example) + - [ESRP Custom Signing Service Connection Example](#esrp-custom-signing-service-connection-example) + - [ESRP Malware Scanning Template Overview](#esrp-malware-scanning-template-overview) + - [ESRP Scanning Custom Service Example](#esrp-scanning-custom-service-example) + - [Software Bill Of Materials (SBOM or Manifest) template](#software-bill-of-materials-sbom-or-manifest-template) + ## Template setup The following sample shows how the templates can be included in your release YAML. 
@@ -66,6 +86,20 @@ The following sample shows how the templates can be included in your release YAM APIScan: false # set to false when not using Windows APIs. ``` +## Daily build Compliance template + +This example add the template for a daily build. +It will automatically skip for PRs. +It should be put near the end of the job. + +```yaml + - template: dailyBuildCompliance.yml@ComplianceRepo + parameters: + sourceScanPath: '$(repoPath)' +``` + +## Task templates + ### Credential Scanner The Credential Scanner can be configured to ignore paths (including folders), @@ -126,9 +160,9 @@ specified with the "or" operator: `|`, not with multiple XML tags. See the internal [wiki](https://www.1eswiki.com/wiki/PoliCheck_Build_Task) for more information about this ADO task. -## ESRP Signing Template Overview +### ESRP Signing Template Overview -** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel ** +**Requires on-boarding**, see the wiki in the internal PowerShell Maintainers teams channel. Make sure to create the variable group named `ESRP` and make it available to the pipeline. Details can be found in the PowerShell Maintainers teams channel's Wiki tab. @@ -178,7 +212,7 @@ Details can be found in the PowerShell Maintainers teams channel's Wiki tab. ``` -### ESRP Authenticode minimatch example +#### ESRP Authenticode minimatch example This example signs `dll` and `psm1` files recursively and `psd1` files in the root of the `buildOutputPath`, using minimatch. @@ -197,7 +231,7 @@ For full features see: https://github.com/isaacs/minimatch#features useMinimatch: true ``` -### ESRP Authenticode preview certificate +#### ESRP Authenticode preview certificate This example signs `dll` and `psm1` files recursively and `psd1` files in the root of the `buildOutputPath`, using minimatch. 
@@ -216,7 +250,7 @@ For full features see: https://github.com/isaacs/minimatch#features useMinimatch: true ``` -### ESRP RPM example +#### ESRP RPM example This example signs `dll` `psd1` and `psm1` files recursively, using minimatch. @@ -233,8 +267,7 @@ This example signs `dll` `psd1` and `psm1` files recursively, using minimatch. useMinimatch: true ``` - -### ESRP NuPkg example +#### ESRP NuPkg example This example signs `dll` `psd1` and `psm1` files recursively, using minimatch. @@ -251,7 +284,7 @@ This example signs `dll` `psd1` and `psm1` files recursively, using minimatch. useMinimatch: true ``` -### ESRP macOS example +#### ESRP macOS example This example signs `pkg` files recursively, using minimatch. @@ -268,7 +301,8 @@ This example signs `pkg` files recursively, using minimatch. useMinimatch: true ``` -### ESRP custom signing JSON example +#### ESRP custom signing JSON example + 1. Set the build variable `ESRP_TEMPLATE_CUSTOM_JSON` to your desired ESRP JSON string. 2. Call EsrpSign.yml@ComplianceRepo with certificateId: "" and useCustomEsrpJson: true. @@ -320,7 +354,7 @@ This example signs `pkg` files recursively, using minimatch. useCustomEsrpJson: true ``` -### ESRP Custom Signing Service Connection Example +#### ESRP Custom Signing Service Connection Example This example uses a custom signing (Azure DevOps) service connection name. @@ -337,9 +371,9 @@ This example uses a custom signing (Azure DevOps) service connection name. ``` -## ESRP Malware Scanning Template Overview +#### ESRP Malware Scanning Template Overview -** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel ** +**Requires on-boarding**, see the wiki in the internal PowerShell Maintainers teams channel. Details can be found in the PowerShell Maintainers teams channel's Wiki tab. 
@@ -370,7 +404,7 @@ scanning on each upload will allow us to detect when any malware was introduced. scanningService: 'pwshEsrpScanning' ``` -### ESRP Scanning Custom Service Example +#### ESRP Scanning Custom Service Example This example uses a custom ESRP malware scanning (Azure DevOps) service name. @@ -386,14 +420,15 @@ This example uses a custom ESRP malware scanning (Azure DevOps) service name. ``` -### Daily build Compliance template +### Software Bill Of Materials (SBOM or Manifest) template -This example add the template for a daily build. -It will automatically skip for PRs. -It should be put near the end of the job. +This should be done after the build is done and all files are generated, +but you have not packaged yet. ```yaml - - template: dailyBuildCompliance.yml@ComplianceRepo + - template: Sbom.yml@ComplianceRepo parameters: - sourceScanPath: '$(repoPath)' + BuildDropPath: '$(System.ArtifactsDirectory)/dotnetPublishOutput' + Build_Repository_Uri: 'https://github.com/powershell/powershell.git' + displayName: PowerShell SBOM ``` From f5c8ff4c07284f1b39583bd82fa699e61c4cdfb4 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 6 Oct 2021 17:46:08 +0000 Subject: [PATCH 8/9] fix scanning indentation --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 52709e7..0d57703 100644 --- a/README.md +++ b/README.md 
@@ -22,7 +22,7 @@ The step templates can be included in the repository using [multi-checkout](http - [ESRP macOS example](#esrp-macos-example) - [ESRP custom signing JSON example](#esrp-custom-signing-json-example) - [ESRP Custom Signing Service Connection Example](#esrp-custom-signing-service-connection-example) - - [ESRP Malware Scanning Template Overview](#esrp-malware-scanning-template-overview) + - [ESRP Malware Scanning Template Overview](#esrp-malware-scanning-template-overview) - [ESRP Scanning Custom Service Example](#esrp-scanning-custom-service-example) - [Software Bill Of Materials (SBOM or Manifest) template](#software-bill-of-materials-sbom-or-manifest-template) @@ -371,7 +371,7 @@ This example uses a custom signing (Azure DevOps) service connection name. ``` -#### ESRP Malware Scanning Template Overview +### ESRP Malware Scanning Template Overview **Requires on-boarding**, see the wiki in the internal PowerShell Maintainers teams channel. From ef118018ab815544a79e460b0a7e41216c3dfb0c Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 6 Oct 2021 11:28:07 -0700 Subject: [PATCH 9/9] Update Sbom.yml --- Sbom.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/Sbom.yml b/Sbom.yml index e8aff50..08a7235 100644 --- a/Sbom.yml +++ b/Sbom.yml @@ -30,9 +30,6 @@ steps: # ManifestDirPath: '_manifest' # configuration json for the tool # ConfigFilePath: config.json - env: - Build.Repository.Uri: ${{ parameters.Build_Repository_Uri }} - # This will break signing, but it is currently not enabled. - pwsh: | $manifestPath = Join-Path '${{ parameters.BuildDropPath }}' -ChildPath '_manifest\manifest.json'