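<#
.SYNOPSIS
  Writes one Guardian "configure" file per requested SDL tool into the .gdn\r directory.

.DESCRIPTION
  For every entry in $ToolsList the script builds the tool's argument list (default/automatic
  args for credscan, policheck, semmle/codeql and binskim, plus any caller-supplied extra
  params) and invokes `guardian configure`, writing
  "<GdnFolder>\r\<Name>[_<Scenario>]-configure.gdnconfig".

  The Guardian CLI is invoked directly with the call operator (no intermediate shell), so every
  value in the argument list reaches the CLI as its own argv entry; nothing here performs
  quoting or escaping. The CLI path itself is only accepted if it resolves to an existing file.

  Any failure (invalid CLI path, a non-zero CLI exit, an exception) is reported through
  Write-PipelineTelemetryError and the script exits with code 1.

.PARAMETER GuardianCliLocation
  Path to the Guardian CLI executable. Must be an existing file (wildcards are not expanded).
.PARAMETER WorkingDirectory
  Passed to `guardian configure --working-directory`.
.PARAMETER TargetDirectory
  Optional. When set, it is injected as the tool-specific target/source argument
  (credscan: TargetDirectory, policheck: Target, semmle/codeql: SourceCodeDirectory,
  binskim: Target with a `**\_.pdb` exclusion).
.PARAMETER GdnFolder
  The .gdn folder; config files are written under its "r" subdirectory.
.PARAMETER ToolsList
  Tools to configure. Each item is either a tool-name string or a hashtable with:
    Name     - the tool name as Guardian knows it (required);
    Scenario - optional suffix making this entry's config file name unique among entries
               sharing the same Name;
    Args     - optional array of Guardian configuration args, e.g. @("Target > C:\temp").
.PARAMETER GuardianLoggerLevel
  Passed to `guardian configure --logger-level`. Defaults to 'Standard'.
.PARAMETER CrScanAdditionalRunConfigParams
  Optional extra args appended for the credscan tool.
.PARAMETER PoliCheckAdditionalRunConfigParams
  Optional extra args appended for the policheck tool.
.PARAMETER CodeQLAdditionalRunConfigParams
  Optional extra args appended for the semmle/codeql tools.
.PARAMETER BinskimAdditionalRunConfigParams
  Optional extra args appended for the binskim tool.

.NOTES
  Doc page for "guardian configure":
  https://dev.azure.com/securitytools/SecurityIntegration/_wiki/wikis/Guardian/1395/configure
#>
Param(
  [string] $GuardianCliLocation,
  [string] $WorkingDirectory,
  [string] $TargetDirectory,
  [string] $GdnFolder,
  # The list of Guardian tools to configure. For each object in the array:
  # - If the item is a [hashtable], it must contain these entries:
  #   - Name = The tool name as Guardian knows it.
  #   - Scenario = (Optional) Scenario-specific name for this configuration entry. It must be unique
  #     among all tool entries with the same Name.
  #   - Args = (Optional) Array of Guardian tool configuration args, like '@("Target > C:\temp")'
  # - If the item is a [string] $v, it is treated as '@{ Name="$v" }'
  [object[]] $ToolsList,
  [string] $GuardianLoggerLevel='Standard',
  # Optional: Additional params to add to any tool using CredScan.
  [string[]] $CrScanAdditionalRunConfigParams,
  # Optional: Additional params to add to any tool using PoliCheck.
  [string[]] $PoliCheckAdditionalRunConfigParams,
  # Optional: Additional params to add to any tool using CodeQL/Semmle.
  [string[]] $CodeQLAdditionalRunConfigParams,
  # Optional: Additional params to add to any tool using Binskim.
  [string[]] $BinskimAdditionalRunConfigParams
)

$ErrorActionPreference = 'Stop'
Set-StrictMode -Version 2.0
$disableConfigureToolsetImport = $true
$global:LASTEXITCODE = 0

try {
  # `tools.ps1` checks $ci to perform some actions. Since the SDL
  # scripts don't necessarily execute in the same agent that run the
  # build.ps1/sh script this variable isn't automatically set.
  $ci = $true
  . $PSScriptRoot\..\tools.ps1

  # Normalize tools list: every entry becomes a [hashtable] with Name, Scenario and Args set.
  # Key existence is probed with ['key'] rather than .key because StrictMode is on.
  # The outer @() keeps $ToolsList an array even when a single entry comes back.
  $ToolsList = @($ToolsList |
    ForEach-Object {
      $entry = $_
      if ($entry -is [string]) {
        $entry = @{ Name = $entry }
      }

      # Fail early with a readable message instead of handing an empty --tool to the CLI.
      if (-not $entry['Name']) {
        throw "Each ToolsList entry must be a tool name or a hashtable with a non-empty 'Name' key. Got: $($entry | Out-String)"
      }

      if (-not ($entry['Scenario'])) { $entry.Scenario = "" }

      # Wrap Args in @(): if a caller passes a single string instead of an array, the later
      # '+=' would concatenate text onto that string instead of appending an element.
      if (-not ($entry['Args'])) { $entry.Args = @() } else { $entry.Args = @($entry.Args) }

      $entry
    })

  Write-Host "List of tools to configure:"
  $ToolsList | ForEach-Object { $_ | Out-String | Write-Host }

  # We store config files in the r directory of .gdn
  $gdnConfigPath = Join-Path $GdnFolder 'r'

  # The path is executed below, so require an existing *file* and take the path literally
  # (no wildcard expansion). A directory or a pattern is rejected here rather than at '&' time.
  $ValidPath = Test-Path -LiteralPath $GuardianCliLocation -PathType Leaf

  if (-not $ValidPath)
  {
    Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Invalid Guardian CLI Location. '$GuardianCliLocation' is not an existing file."
    ExitWithExitCode 1
  }

  foreach ($tool in $ToolsList) {
    # Put together the name and scenario to make a unique key.
    $toolConfigName = $tool.Name
    if ($tool.Scenario) {
      $toolConfigName += "_" + $tool.Scenario
    }

    Write-Host "=== Configuring $toolConfigName..."

    $gdnConfigFile = Join-Path $gdnConfigPath "$toolConfigName-configure.gdnconfig"

    # For some tools, add default and automatic args. Each element is one
    # "{Arg id} < {Value}" entry; $TargetDirectory is embedded verbatim.
    switch -Exact ($tool.Name) {
      'credscan' {
        if ($TargetDirectory) {
          $tool.Args += "`"TargetDirectory < $TargetDirectory`""
        }
        $tool.Args += "`"OutputType < pre`""
        $tool.Args += $CrScanAdditionalRunConfigParams
      }
      'policheck' {
        if ($TargetDirectory) {
          $tool.Args += "`"Target < $TargetDirectory`""
        }
        $tool.Args += $PoliCheckAdditionalRunConfigParams
      }
      {$_ -in 'semmle', 'codeql'} {
        if ($TargetDirectory) {
          $tool.Args += "`"SourceCodeDirectory < $TargetDirectory`""
        }
        $tool.Args += $CodeQLAdditionalRunConfigParams
      }
      'binskim' {
        if ($TargetDirectory) {
          # Binskim crashes due to specific PDBs. GitHub issue: https://github.com/microsoft/binskim/issues/924.
          # We are excluding all `_.pdb` files from the scan.
          $tool.Args += "`"Target < $TargetDirectory\**;-:file|$TargetDirectory\**\_.pdb`""
        }
        $tool.Args += $BinskimAdditionalRunConfigParams
      }
    }

    # Build the array we splat onto the command line. When an optional [string[]] parameter
    # above was not supplied, '+= $null' appended a $null element; drop those (and blank
    # strings) so nothing empty is handed to the CLI and the "--args" decision is accurate.
    $toolArgs = @($tool.Args | Where-Object { -not [string]::IsNullOrWhiteSpace("$_") })

    # Configure the tool. If any args remain, add "--args" and splat each element on the end.
    # Arg format is "{Arg id} < {Value}", one per parameter. Doc page for "guardian configure":
    # https://dev.azure.com/securitytools/SecurityIntegration/_wiki/wikis/Guardian/1395/configure
    # The call operator invokes the CLI directly (no shell), so each array element is a
    # separate argv entry; nothing is re-quoted or escaped here.
    Exec-BlockVerbosely {
      & $GuardianCliLocation configure `
        --working-directory $WorkingDirectory `
        --tool $tool.Name `
        --output-path $gdnConfigFile `
        --logger-level $GuardianLoggerLevel `
        --noninteractive `
        --force `
        $(if ($toolArgs.Count -gt 0) { "--args" }) @toolArgs
      Exit-IfNZEC "Sdl"
    }

    Write-Host "Created '$toolConfigName' configuration file: $gdnConfigFile"
  }
}
catch {
  Write-Host $_.ScriptStackTrace
  Write-PipelineTelemetryError -Force -Category 'Sdl' -Message $_
  ExitWithExitCode 1
}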