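<#
.SYNOPSIS
  Runs the requested Guardian SDL tools against a repository's sources and build artifacts and,
  optionally, publishes the results to TSA.

.DESCRIPTION
  Orchestrates the sibling scripts in this directory in a fixed order:
    1. init-sdl.ps1           - initializes the Guardian ".gdn" folder for the repository/branch.
    2. configure-sdl-tool.ps1 - writes a run configuration for each tool in the three tool lists
                                (artifact tools, source tools, custom tools without a target directory).
    3. run-sdl.ps1            - runs every configured tool in a single Guardian run.
  Afterwards it can onboard to / publish to TSA and, when -BreakOnFailure is set, invokes
  "guardian break" so the build fails if breaking results were recorded.

  Exit behaviour: an invalid Guardian CLI location, a failed tsa-onboard / tsa-publish, a non-zero
  "guardian break" (only with -BreakOnFailure) and any terminating error all exit non-zero. The helper
  functions used here (Write-PipelineTelemetryError, ExitWithExitCode, Exec-BlockVerbosely,
  Exit-IfNZEC) are provided by ..\tools.ps1, which is dot-sourced at the start of the try block.

  Note on naming: PowerShell variable names are case-insensitive, so $guardianCliLocation used in the
  body and the -GuardianCliLocation parameter are the same variable.
#>
Param(
  [string] $GuardianPackageName,                                                                 # Required: the name of guardian CLI package (not needed if GuardianCliLocation is specified)
  [string] $NugetPackageDirectory,                                                               # Required: directory where NuGet packages are installed (not needed if GuardianCliLocation is specified)
  [string] $GuardianCliLocation,                                                                 # Optional: Direct location of Guardian CLI executable if GuardianPackageName & NugetPackageDirectory are not specified; ignored when GuardianPackageName is given
  [string] $Repository=$env:BUILD_REPOSITORY_NAME,                                               # Required: the name of the repository (e.g. dotnet/arcade); "org-repo" is rewritten to "org/repo"
  [string] $BranchName=$env:BUILD_SOURCEBRANCH,                                                  # Optional: name of branch or version of gdn settings; defaults to $env:BUILD_SOURCEBRANCH
  [string] $SourceDirectory=$env:BUILD_SOURCESDIRECTORY,                                         # Required: the directory where source files are located; its parent is used as the Guardian working directory
  [string] $ArtifactsDirectory = (Join-Path $env:BUILD_ARTIFACTSTAGINGDIRECTORY ('artifacts')),  # Required: the directory where build artifacts are located

  # Optional: list of SDL tools to run on source code. See 'configure-sdl-tool.ps1' for tools list
  # format.
  [object[]] $SourceToolsList,
  # Optional: list of SDL tools to run on built artifacts. See 'configure-sdl-tool.ps1' for tools
  # list format.
  [object[]] $ArtifactToolsList,
  # Optional: list of SDL tools to run without automatically specifying a target directory. See
  # 'configure-sdl-tool.ps1' for tools list format.
  [object[]] $CustomToolsList,

  [bool] $TsaPublish=$False,                                                                     # Optional: true will publish results to TSA; only set to true after onboarding to TSA; TSA is the automated framework used to upload test results as bugs.
  [string] $TsaBranchName=$env:BUILD_SOURCEBRANCH,                                               # Optional: required for TSA publish; defaults to $env:BUILD_SOURCEBRANCH; TSA is the automated framework used to upload test results as bugs.
  [string] $TsaRepositoryName=$env:BUILD_REPOSITORY_NAME,                                        # Optional: TSA repository name; defaults to "<Repository>-<BranchName>" if empty; TSA is the automated framework used to upload test results as bugs.
  [string] $BuildNumber=$env:BUILD_BUILDNUMBER,                                                  # Optional: required for TSA publish; defaults to $env:BUILD_BUILDNUMBER
  [bool] $UpdateBaseline=$False,                                                                 # Optional: if true, will update the baseline in the repository; should only be run after fixing any issues which need to be fixed
  [bool] $TsaOnboard=$False,                                                                     # Optional: if true, will onboard the repository to TSA; should only be run once; TSA is the automated framework used to upload test results as bugs.
  [string] $TsaInstanceUrl,                                                                      # Optional: only needed if TsaOnboard or TsaPublish is true; the instance-url registered with TSA; TSA is the automated framework used to upload test results as bugs.
  [string] $TsaCodebaseName,                                                                     # Optional: only needed if TsaOnboard or TsaPublish is true; the name of the codebase registered with TSA; TSA is the automated framework used to upload test results as bugs.
  [string] $TsaProjectName,                                                                      # Optional: only needed if TsaOnboard or TsaPublish is true; the name of the project registered with TSA; TSA is the automated framework used to upload test results as bugs.
  [string] $TsaNotificationEmail,                                                                # Optional: only needed if TsaOnboard is true; the email(s) which will receive notifications of TSA bug filings (e.g. alias@microsoft.com); TSA is the automated framework used to upload test results as bugs.
  [string] $TsaCodebaseAdmin,                                                                    # Optional: only needed if TsaOnboard is true; the aliases which are admins of the TSA codebase (e.g. DOMAIN\alias); TSA is the automated framework used to upload test results as bugs.
  [string] $TsaBugAreaPath,                                                                      # Optional: only needed if TsaOnboard is true; the area path where TSA will file bugs in AzDO; TSA is the automated framework used to upload test results as bugs.
  [string] $TsaIterationPath,                                                                    # Optional: only needed if TsaOnboard is true; the iteration path where TSA will file bugs in AzDO; TSA is the automated framework used to upload test results as bugs.
  [string] $GuardianLoggerLevel='Standard',                                                      # Optional: the logger level for the Guardian CLI; options are Trace, Verbose, Standard, Warning, and Error
  [string[]] $CrScanAdditionalRunConfigParams,                                                   # Optional: Additional Params to custom build a CredScan run config in the format @("xyz:abc","sdf:1")
  [string[]] $PoliCheckAdditionalRunConfigParams,                                                # Optional: Additional Params to custom build a Policheck run config in the format @("xyz:abc","sdf:1")
  [string[]] $CodeQLAdditionalRunConfigParams,                                                   # Optional: Additional Params to custom build a Semmle/CodeQL run config in the format @("xyz < abc","sdf < 1")
  [string[]] $BinskimAdditionalRunConfigParams,                                                  # Optional: Additional Params to custom build a Binskim run config in the format @("xyz < abc","sdf < 1")
  [bool] $BreakOnFailure=$False                                                                  # Optional: Fail the build if there were errors during the run (runs "guardian break" and exits with its exit code)
)

try {
  $ErrorActionPreference = 'Stop'
  Set-StrictMode -Version 2.0
  $disableConfigureToolsetImport = $true
  $global:LASTEXITCODE = 0

  # `tools.ps1` checks $ci to perform some actions. Since the SDL
  # scripts don't necessarily execute in the same agent that run the
  # build.ps1/sh script this variable isn't automatically set.
  $ci = $true
  . $PSScriptRoot\..\tools.ps1

  # Guardian expects repository names in org/repo form. A name without '/' (e.g. "dotnet-arcade")
  # is split at its first '-'; a name with neither '/' nor '-' is passed through unchanged.
  if (!($Repository.contains('/'))) {
    $RepoName = $Repository -replace '(.*?)-(.*)', '$1/$2';
  }
  else{
    $RepoName = $Repository;
  }

  # Resolve the Guardian CLI. A package name takes precedence over an explicit CLI location.
  if ($GuardianPackageName) {
    $guardianCliLocation = Join-Path $NugetPackageDirectory (Join-Path $GuardianPackageName (Join-Path 'tools' 'guardian.cmd'))
  } else {
    $guardianCliLocation = $GuardianCliLocation
  }

  # Guardian runs from the parent of the source directory; the ".gdn" folder is created there.
  $workingDirectory = (Split-Path $SourceDirectory -Parent)

  # Guard the empty case before Test-Path: Test-Path rejects an empty string with a parameter-binding
  # error, which would otherwise surface from the catch block as a stack trace instead of the
  # 'Invalid Guardian CLI Location.' message below (e.g. when neither -GuardianPackageName nor
  # -GuardianCliLocation was passed).
  if (-not $guardianCliLocation) {
    $ValidPath = $False
  } else {
    $ValidPath = Test-Path $guardianCliLocation
  }

  if ($ValidPath -eq $False)
  {
    Write-PipelineTelemetryError -Force -Category 'Sdl' -Message 'Invalid Guardian CLI Location.'
    ExitWithExitCode 1
  }

  # Step 1: initialize the ".gdn" folder for this repository/branch.
  Exec-BlockVerbosely {
    & $(Join-Path $PSScriptRoot 'init-sdl.ps1') -GuardianCliLocation $guardianCliLocation -Repository $RepoName -BranchName $BranchName -WorkingDirectory $workingDirectory -GuardianLoggerLevel $GuardianLoggerLevel
  }
  $gdnFolder = Join-Path $workingDirectory '.gdn'

  # Optional one-time TSA onboarding. Only the four values checked here are validated; the
  # remaining TSA parameters are forwarded as given (possibly empty).
  if ($TsaOnboard) {
    if ($TsaCodebaseName -and $TsaNotificationEmail -and $TsaCodebaseAdmin -and $TsaBugAreaPath) {
      Exec-BlockVerbosely {
        & $guardianCliLocation tsa-onboard --codebase-name "$TsaCodebaseName" --notification-alias "$TsaNotificationEmail" --codebase-admin "$TsaCodebaseAdmin" --instance-url "$TsaInstanceUrl" --project-name "$TsaProjectName" --area-path "$TsaBugAreaPath" --iteration-path "$TsaIterationPath" --working-directory $workingDirectory --logger-level $GuardianLoggerLevel
      }
      if ($LASTEXITCODE -ne 0) {
        Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Guardian tsa-onboard failed with exit code $LASTEXITCODE."
        ExitWithExitCode $LASTEXITCODE
      }
    } else {
      Write-PipelineTelemetryError -Force -Category 'Sdl' -Message 'Could not onboard to TSA -- not all required values ($TsaCodebaseName, $TsaNotificationEmail, $TsaCodebaseAdmin, $TsaBugAreaPath) were specified.'
      ExitWithExitCode 1
    }
  }

  # Configure a list of tools with a default target directory. Populates the ".gdn/r" directory.
  # $tools           - tool list in the 'configure-sdl-tool.ps1' format; an empty or missing list is a no-op.
  # $targetDirectory - directory the tools scan, or $null/empty for tools that supply their own target.
  # The *AdditionalRunConfigParams script parameters are forwarded unchanged. With -BreakOnFailure a
  # non-zero exit code from configure-sdl-tool.ps1 aborts the script via Exit-IfNZEC.
  function Configure-ToolsList([object[]] $tools, [string] $targetDirectory) {
    if ($tools -and $tools.Count -gt 0) {
      Exec-BlockVerbosely {
        & $(Join-Path $PSScriptRoot 'configure-sdl-tool.ps1') `
          -GuardianCliLocation $guardianCliLocation `
          -WorkingDirectory $workingDirectory `
          -TargetDirectory $targetDirectory `
          -GdnFolder $gdnFolder `
          -ToolsList $tools `
          -GuardianLoggerLevel $GuardianLoggerLevel `
          -CrScanAdditionalRunConfigParams $CrScanAdditionalRunConfigParams `
          -PoliCheckAdditionalRunConfigParams $PoliCheckAdditionalRunConfigParams `
          -CodeQLAdditionalRunConfigParams $CodeQLAdditionalRunConfigParams `
          -BinskimAdditionalRunConfigParams $BinskimAdditionalRunConfigParams
        if ($BreakOnFailure) {
          Exit-IfNZEC "Sdl"
        }
      }
    }
  }

  # Step 2: configure Artifact and Source tools with default Target directories.
  Configure-ToolsList $ArtifactToolsList $ArtifactsDirectory
  Configure-ToolsList $SourceToolsList $SourceDirectory
  # Configure custom tools with no default Target directory.
  Configure-ToolsList $CustomToolsList $null

  # Step 3: at this point, all tools are configured in the ".gdn" directory. Run them all in a single call.
  # (If we used "run" multiple times, each run would overwrite data from earlier runs.)
  # The run's exit code is not inspected here; with -BreakOnFailure the "guardian break" step below is
  # what turns breaking results into a failed build.
  Exec-BlockVerbosely {
    & $(Join-Path $PSScriptRoot 'run-sdl.ps1') `
      -GuardianCliLocation $guardianCliLocation `
      -WorkingDirectory $SourceDirectory `
      -UpdateBaseline $UpdateBaseline `
      -GdnFolder $gdnFolder
  }

  # Optional TSA publish. Requires a branch name and build number; the repository name is derived
  # from the raw -Repository value (not the org/repo rewrite) when not supplied. --onboard is always
  # passed as "True" so publish can onboard on first use.
  if ($TsaPublish) {
    if ($TsaBranchName -and $BuildNumber) {
      if (-not $TsaRepositoryName) {
        $TsaRepositoryName = "$($Repository)-$($BranchName)"
      }
      Exec-BlockVerbosely {
        & $guardianCliLocation tsa-publish --all-tools --repository-name "$TsaRepositoryName" --branch-name "$TsaBranchName" --build-number "$BuildNumber" --onboard $True --codebase-name "$TsaCodebaseName" --notification-alias "$TsaNotificationEmail" --codebase-admin "$TsaCodebaseAdmin" --instance-url "$TsaInstanceUrl" --project-name "$TsaProjectName" --area-path "$TsaBugAreaPath" --iteration-path "$TsaIterationPath" --working-directory $workingDirectory  --logger-level $GuardianLoggerLevel
      }
      if ($LASTEXITCODE -ne 0) {
        Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Guardian tsa-publish failed with exit code $LASTEXITCODE."
        ExitWithExitCode $LASTEXITCODE
      }
    } else {
      Write-PipelineTelemetryError -Force -Category 'Sdl' -Message 'Could not publish to TSA -- not all required values ($TsaBranchName, $BuildNumber) were specified.'
      ExitWithExitCode 1
    }
  }

  if ($BreakOnFailure) {
    Write-Host "Failing the build in case of breaking results..."
    Exec-BlockVerbosely {
      & $guardianCliLocation break --working-directory $workingDirectory --logger-level $GuardianLoggerLevel
    }
    # Propagate the CLI's verdict explicitly, the same way tsa-onboard/tsa-publish are handled above,
    # instead of relying on whatever hosts this script to inspect $LASTEXITCODE after it returns.
    # This is the step that actually fails the build when -BreakOnFailure is set.
    if ($LASTEXITCODE -ne 0) {
      Write-PipelineTelemetryError -Force -Category 'Sdl' -Message "Guardian break returned exit code $LASTEXITCODE; failing the build."
      ExitWithExitCode $LASTEXITCODE
    }
  } else {
    Write-Host "Letting the build pass even if there were breaking results..."
  }
}
catch {
  # Any terminating error (including the strict-mode and ErrorActionPreference=Stop ones above)
  # is reported to the pipeline with its stack trace and turned into a non-zero exit.
  Write-Host $_.ScriptStackTrace
  Write-PipelineTelemetryError -Force -Category 'Sdl' -Message $_
  exit 1
}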