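# Steps template: installs the Guardian CLI, runs the SDL tool script and,
# optionally, publishes the Guardian working directory and the SARIF logs it
# produced as pipeline artifacts.
parameters:
  # Guardian CLI version to install. Empty (default) lets Install-Gdn pick the
  # version; non-empty is passed verbatim as `-Version`.
  overrideGuardianVersion: ''
  # Path of the script that runs all SDL tools. It is spliced into the inline
  # PowerShell of the "Execute SDL" step at template-expansion time.
  executeAllSdlToolsScript: ''
  # When non-empty, replaces the whole default argument list given to
  # executeAllSdlToolsScript (GuardianCliLocation, NuGet directory, access token).
  overrideParameters: ''
  # Extra arguments appended to the default argument list; not used when
  # overrideParameters is set.
  additionalParameters: ''
  # Publish the .gdn directory and the SARIF files as pipeline artifacts.
  publishGuardianDirectoryToPipeline: false
  # Passed through as continueOnError of the "Execute SDL" step.
  sdlContinueOnError: false
  # Passed through unchanged as the condition of the "Execute SDL" step.
  condition: ''
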
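steps:
# Authenticate to the configured NuGet feeds before any step below restores packages.
- task: NuGetAuthenticate@1

- task: NuGetToolInstaller@1
  displayName: 'Install NuGet.exe'
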
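# Install the Guardian CLI under $(Build.SourcesDirectory)\.artifacts. sdl.ps1 is
# dot-sourced so Install-Gdn is available in the step's session; the returned path
# is exported as the GuardianCliLocation variable read by the "Execute SDL" step.
# Exactly one of the two branches is emitted, chosen at template-expansion time.
- ${{ if ne(parameters.overrideGuardianVersion, '') }}:
  # overrideGuardianVersion becomes part of the script source (template expansion,
  # not a runtime argument), so callers should pass a plain version string only.
  - pwsh: |
      Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
      . .\sdl.ps1
      $guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts -Version ${{ parameters.overrideGuardianVersion }}
      Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
    displayName: Install Guardian (Overridden)

- ${{ if eq(parameters.overrideGuardianVersion, '') }}:
  - pwsh: |
      Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
      . .\sdl.ps1
      $guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts
      Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
    displayName: Install Guardian
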
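# Run the SDL tool script. In both branches the template parameters are expanded
# into the inline script text at template-expansion time, so whatever the caller
# passes is executed as PowerShell rather than handed over as data.
- ${{ if ne(parameters.overrideParameters, '') }}:
  - powershell: ${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}
    displayName: Execute SDL (Overridden)
    continueOnError: ${{ parameters.sdlContinueOnError }}
    condition: ${{ parameters.condition }}

- ${{ if eq(parameters.overrideParameters, '') }}:
  # Default argument list; the continuation lines fold into one command line.
  # GuardianCliLocation is the job variable set by the "Install Guardian" step.
  # $(dn-bot-dotnet-build-rw-code-rw) must be provided as a secret pipeline
  # variable so the agent masks it in logs; it is still passed to the script as a
  # plain command-line argument.
  - powershell: ${{ parameters.executeAllSdlToolsScript }}
      -GuardianCliLocation $(GuardianCliLocation)
      -NugetPackageDirectory $(Build.SourcesDirectory)\.packages
      -AzureDevOpsAccessToken $(dn-bot-dotnet-build-rw-code-rw)
      ${{ parameters.additionalParameters }}
    displayName: Execute SDL
    continueOnError: ${{ parameters.sdlContinueOnError }}
    condition: ${{ parameters.condition }}
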
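# Every step in this group runs with succeededOrFailed(), so the Guardian
# directory and SARIF logs are published even when the SDL run itself failed.
- ${{ if ne(parameters.publishGuardianDirectoryToPipeline, 'false') }}:
  # NOTE(review): the parameter defaults to the boolean false but is compared with
  # the string 'false'; this relies on the expression engine's type coercion —
  # confirm that a caller passing the literal boolean is handled as intended.
  #
  # We want to publish the Guardian results and configuration for easy diagnosis. However, the
  # '.gdn' dir is a mix of configuration, results, extracted dependencies, and Guardian default
  # tooling files. Some of these files are large and aren't useful during an investigation, so
  # exclude them by simply deleting them before publishing. (As of writing, there is no documented
  # way to selectively exclude a dir from the pipeline artifact publish task.)
  - task: DeleteFiles@1
    displayName: Delete Guardian dependencies to avoid uploading
    inputs:
      SourceFolder: $(Agent.BuildDirectory)/.gdn
      # One match pattern per line: the 'c' and 'i' subfolders of .gdn are removed.
      Contents: |
        c
        i
    condition: succeededOrFailed()

  - publish: $(Agent.BuildDirectory)/.gdn
    artifact: GuardianConfiguration
    displayName: Publish GuardianConfiguration
    condition: succeededOrFailed()

  # Publish the SARIF files in a container named CodeAnalysisLogs to enable integration
  # with the "SARIF SAST Scans Tab" Azure DevOps extension
  - task: CopyFiles@2
    displayName: Copy SARIF files
    inputs:
      flattenFolders: true
      sourceFolder: $(Agent.BuildDirectory)/.gdn/rc/
      contents: '**/*.sarif'
      targetFolder: $(Build.SourcesDirectory)/CodeAnalysisLogs
    condition: succeededOrFailed()

  # Use PublishBuildArtifacts because the SARIF extension only checks this case
  # see microsoft/sarif-azuredevops-extension#4
  - task: PublishBuildArtifacts@1
    displayName: Publish SARIF files to CodeAnalysisLogs container
    inputs:
      pathToPublish: $(Build.SourcesDirectory)/CodeAnalysisLogs
      artifactName: CodeAnalysisLogs
    condition: succeededOrFailed()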