msbuild

1
parameters:
2
  overrideGuardianVersion: ''
3
  executeAllSdlToolsScript: ''
4
  overrideParameters: ''
5
  additionalParameters: ''
6
  publishGuardianDirectoryToPipeline: false
7
  sdlContinueOnError: false
8
  condition: ''
9

10
steps:
11
- task: NuGetAuthenticate@1
12

13
- task: NuGetToolInstaller@1
14
  displayName: 'Install NuGet.exe'
15
  
16
- ${{ if ne(parameters.overrideGuardianVersion, '') }}:
17
  - pwsh: |
18
      Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
19
      . .\sdl.ps1
20
      $guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts -Version ${{ parameters.overrideGuardianVersion }}
21
      Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
22
    displayName: Install Guardian (Overridden)
23

24
- ${{ if eq(parameters.overrideGuardianVersion, '') }}:
25
  - pwsh: |
26
      Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
27
      . .\sdl.ps1
28
      $guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts
29
      Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"
30
    displayName: Install Guardian
31

32
- ${{ if ne(parameters.overrideParameters, '') }}:
33
  - powershell: ${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}
34
    displayName: Execute SDL (Overridden)
35
    continueOnError: ${{ parameters.sdlContinueOnError }}
36
    condition: ${{ parameters.condition }}
37

38
- ${{ if eq(parameters.overrideParameters, '') }}:
39
  - powershell: ${{ parameters.executeAllSdlToolsScript }}
40
      -GuardianCliLocation $(GuardianCliLocation)
41
      -NugetPackageDirectory $(Build.SourcesDirectory)\.packages
42
      -AzureDevOpsAccessToken $(dn-bot-dotnet-build-rw-code-rw)
43
      ${{ parameters.additionalParameters }}
44
    displayName: Execute SDL
45
    continueOnError: ${{ parameters.sdlContinueOnError }}
46
    condition: ${{ parameters.condition }}
47

48
- ${{ if ne(parameters.publishGuardianDirectoryToPipeline, 'false') }}:
49
  # We want to publish the Guardian results and configuration for easy diagnosis. However, the
50
  # '.gdn' dir is a mix of configuration, results, extracted dependencies, and Guardian default
51
  # tooling files. Some of these files are large and aren't useful during an investigation, so
52
  # exclude them by simply deleting them before publishing. (As of writing, there is no documented
53
  # way to selectively exclude a dir from the pipeline artifact publish task.)
54
  - task: DeleteFiles@1
55
    displayName: Delete Guardian dependencies to avoid uploading
56
    inputs:
57
      SourceFolder: $(Agent.BuildDirectory)/.gdn
58
      Contents: |
59
        c
60
        i
61
    condition: succeededOrFailed()
62

63
  - publish: $(Agent.BuildDirectory)/.gdn
64
    artifact: GuardianConfiguration
65
    displayName: Publish GuardianConfiguration
66
    condition: succeededOrFailed()
67

68
  # Publish the SARIF files in a container named CodeAnalysisLogs to enable integration
69
  # with the "SARIF SAST Scans Tab" Azure DevOps extension
70
  - task: CopyFiles@2
71
    displayName: Copy SARIF files
72
    inputs:
73
      flattenFolders: true
74
      sourceFolder:  $(Agent.BuildDirectory)/.gdn/rc/
75
      contents: '**/*.sarif'
76
      targetFolder: $(Build.SourcesDirectory)/CodeAnalysisLogs
77
    condition: succeededOrFailed()
78

79
  # Use PublishBuildArtifacts because the SARIF extension only checks this case
80
  # see microsoft/sarif-azuredevops-extension#4
81
  - task: PublishBuildArtifacts@1
82
    displayName: Publish SARIF files to CodeAnalysisLogs container
83
    inputs:
84
      pathToPublish:  $(Build.SourcesDirectory)/CodeAnalysisLogs
85
      artifactName: CodeAnalysisLogs
86
    condition: succeededOrFailed()