Huge refactor of project files to make compilation security settings easier

.github/actions/spelling/excludes.txt

@@ -44,6 +44,7 @@
 \.pdf$
 \.pem$
 \.png$
+\.props$
 \.psd$
 \.pyc$
 \.s$

.github/actions/spelling/expect.txt

@@ -68,6 +68,7 @@ cls
 clsctx
 clsid
 CODEOWNERS
+Codeql
 COINIT
 COMGLB
 commandline
@@ -216,20 +217,20 @@ LPICONDIR
 LPICONDIRENTRY
 LPICONIMAGE
 lpitemidlist
-LPW
-maclachlan
 LPSTR
+LPW
 LPWCH
 LPWSTR
 LSTATUS
 LTDA
 luffy
 Luffytaro
+maclachlan
 malware
 mapview
+Maxed
 maxvalue
 maybenull
-Maxed
 MBH
 mdmp
 MDs
@@ -284,8 +285,8 @@ nuffing
 objbase
 objidl
 ofile
-osfhandle
 OPTOUT
+osfhandle
 Outptr
 packageinuse
 packageinusebyapplication
@@ -348,8 +349,8 @@ riid
 roblox
 ronomon
 rosoft
-roy
 rowids
+roy
 RRF
 rrr
 runspace
@@ -359,6 +360,7 @@ rzkzqaqjwj
 SARL
 schematab
 sddl
+Semmle
 seof
 servercert
 servercertificate

azure-pipelines.yml

@@ -19,6 +19,10 @@ pool:
 variables:
   solution: 'src\AppInstallerCLI.sln'
   appxPackageDir: '$(Build.ArtifactStagingDirectory)/AppxPackages/'
+  # Enable CodeQL/Semmle static analysis for default branch
+  Codeql.Enabled: true
+  # TODO: Remove. Only for testing, we should use standard cadence of 72h
+  CodeQL.Cadence: 0
 
 # Do not set the build version for a PR build.
 
@@ -60,6 +64,10 @@ jobs:
     packageLayoutDir: $(Build.BinariesDirectory)\WingetPackageLayout
 
   steps:
+
+  # TODO: Remove; only to test in non-default branch
+  - task: CodeQL3000Init@0
+
   - task: NuGetToolInstaller@1
     displayName: Install Nuget
 
@@ -96,6 +104,9 @@ jobs:
       arguments: '-TargetFile binver\binver\version.h -BuildVersion $(BuildVer)'
       workingDirectory: 'src'
 
+  # TODO: remove
+  - powershell: Get-Volume; @('.', '$(Build.ArtifactStagingDirectory)') | %{ $mb = (Get-ChildItem $_ -Recurse | Measure-Object -Sum Length).Sum / (1024 * 1024); Write-Host "$_ :`t$mb MBs" }
+
   # Build all solutions in the root directory.
   - task: VSBuild@1
     displayName: Build Solution
@@ -109,6 +120,9 @@ jobs:
                     /p:AppxBundle=Always
                     /p:UapAppxPackageBuildMode=SideloadOnly'
 
+  - powershell: Get-Volume; @('.', '$(Build.ArtifactStagingDirectory)') | %{ $mb = (Get-ChildItem $_ -Recurse | Measure-Object -Sum Length).Sum / (1024 * 1024); Write-Host "$_ :`t$mb MBs" }
+    condition: always()
+
   - task: VSBuild@1
     displayName: Build Test Project
     inputs:
@@ -121,6 +135,41 @@ jobs:
                     /p:AppxBundle=Always
                     /p:UapAppxPackageBuildMode=SideloadOnly'
 
+  # Run static analysis and compliance checks for all the binaries
+  - task: ComponentGovernanceComponentDetection@0
+    displayName: Component Governance
+    inputs:
+      scanType: 'LogOnly'
+      verbosity: 'Verbose'
+      alertWarningLevel: 'High'
+      failOnAlert: true
+
+  - task: CredScan@3
+
+  # TODO: remove
+  - powershell: Get-Volume; @('.', '$(Build.ArtifactStagingDirectory)') | %{ $mb = (Get-ChildItem $_ -Recurse | Measure-Object -Sum Length).Sum / (1024 * 1024); Write-Host "$_ :`t$mb MBs" }
+    condition: always()
+
+  - task: BinSkim@4
+    inputs:
+      InputType: 'Basic'
+      Function: 'analyze'
+      TargetPattern: 'guardianGlob'
+      AnalyzeTargetGlob: 'f|$(buildOutDir)/**.dll;f|$(buildOutDir)/**.exe;f|$(Build.SourcesDirectory)\src\WinGetUtilInterop\bin\*.dll'
+    continueOnError: true # TODO: remove once we pass these checks
+
+  # TODO: remove
+  - powershell: Get-Volume; @('.', '$(Build.ArtifactStagingDirectory)') | %{ $mb = (Get-ChildItem $_ -Recurse | Measure-Object -Sum Length).Sum / (1024 * 1024); Write-Host "$_ :`t$mb MBs" }
+    condition: always()
+
+  - task: PublishSecurityAnalysisLogs@3
+    inputs:
+      ArtifactName: 'CodeAnalysisLogs'
+      ArtifactType: 'Container'
+      AllTools: true
+      ToolLogsNotFoundAction: 'Standard'
+    condition: succeededOrFailed()
+
   - task: CopyFiles@2
     displayName: 'Copy WindowsPackageManager.dll Symbols to artifacts folder'
     inputs:
@@ -329,28 +378,10 @@ jobs:
       targetPath: '$(artifactsDir)'
     condition: always()
 
-  - task: ComponentGovernanceComponentDetection@0
-    displayName: Component Governance
-    inputs:
-      scanType: 'Register'
-      verbosity: 'Verbose'
-      alertWarningLevel: 'High'
 
-  # Run BimSkim for all the binaries
-  - task: BinSkim@3
-    displayName: 'Run BinSkim '
-    inputs:
-      arguments: 'analyze
-        "$(buildOutDir)\AppInstallerCLI\winget.exe"
-        "$(buildOutDir)\WinGetUtil\WinGetUtil.dll"
-        "$(buildOutDir)\WindowsPackageManager\WindowsPackageManager.dll"
-        "$(buildOutDir)\Microsoft.Management.Deployment.InProc\Microsoft.Management.Deployment.InProc.dll"
-        "$(Build.SourcesDirectory)\src\WinGetUtilInterop\bin\WinGetUtil*Interop.dll"
-        "$(buildOutDir)\UndockedRegFreeWinRT\winrtact.dll"
-        "$(buildOutDir)\Microsoft.WinGet.Client\Microsoft.WinGet.*Client.dll" --config default --recurse'
-
-  - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
-    displayName: 'Publish Security Analysis Logs'
+  # TODO: Remove; only to test in non-default branch
+  - task: CodeQL3000Finalize@0
+    condition: always()
 
 - job: 'BuildPowerShellModule'
   timeoutInMinutes: 120

src/AppInstallerCLI.sln

@@ -98,6 +98,7 @@ EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{1A5D7A7D-5CB2-47D5-B40D-4E61CAEDC798}"
 	ProjectSection(SolutionItems) = preProject
 		CodeAnalysis.ruleset = CodeAnalysis.ruleset
+		Directory.Build.props = Directory.Build.props
 		nuget.config = nuget.config
 		stylecop.json = stylecop.json
 	EndProjectSection