execute-sdl.yml 
# Parameters accepted by this step template; every one has a default.
#
# NOTE(review): the string parameters below are expanded verbatim into script
# text or a command line at template-expansion time, so callers should pass
# only values the pipeline author controls.
parameters:
  # When non-empty, passed to Install-Gdn as -Version.
  overrideGuardianVersion: ""
  # Command line run by the "Execute SDL" PowerShell step.
  executeAllSdlToolsScript: ""
  # When non-empty, used as the complete argument list for the script, in
  # place of the default arguments.
  overrideParameters: ""
  # Extra arguments appended after the default argument list.
  additionalParameters: ""
  # Gates the steps that publish the .gdn directory and the SARIF files.
  publishGuardianDirectoryToPipeline: false
  # Forwarded to continueOnError on the "Execute SDL" step.
  sdlContinueOnError: false
  # Forwarded to condition on the "Execute SDL" step.
  condition: ""

steps:
# NuGet credential setup, presumably for the feeds used by the steps below.
- task: NuGetAuthenticate@1

- task: NuGetToolInstaller@1
  displayName: Install NuGet.exe

# Install the Guardian CLI. Exactly one of the two branches below is expanded,
# depending on whether overrideGuardianVersion is empty. Both dot-source
# eng\common\sdl\sdl.ps1 from the checked-out sources, call Install-Gdn
# (presumably defined in that script), and export its result as the
# GuardianCliLocation pipeline variable via the task.setvariable logging command.
#
# NOTE(review): in the first branch ${{ parameters.overrideGuardianVersion }} is
# spliced into the script text before PowerShell parses it. The value has to be
# a trusted version string set by the pipeline author; if it can ever originate
# from queue-time input, hand it to the script through an env: entry instead.
- ${{ if ne(parameters.overrideGuardianVersion, '') }}:
  - displayName: Install Guardian (Overridden)
    pwsh: |
      Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
      . .\sdl.ps1
      $guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts -Version ${{ parameters.overrideGuardianVersion }}
      Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"

- ${{ if eq(parameters.overrideGuardianVersion, '') }}:
  - displayName: Install Guardian
    pwsh: |
      Set-Location -Path $(Build.SourcesDirectory)\eng\common\sdl
      . .\sdl.ps1
      $guardianCliLocation = Install-Gdn -Path $(Build.SourcesDirectory)\.artifacts
      Write-Host "##vso[task.setvariable variable=GuardianCliLocation]$guardianCliLocation"

# Run the SDL tools script. Exactly one of the two branches below is expanded,
# depending on whether overrideParameters is empty.
#
# NOTE(review): both branches place the job access token, $(System.AccessToken),
# in the script's environment as GUARDIAN_DEFAULT_PACKAGE_SOURCE_SECRET. The
# script and its arguments come from template parameters and are inserted into
# the command line as-is, so whatever they name runs with that token available.
# Keep those parameters limited to trusted, repository-controlled values.
#
# NOTE(review): when sdlContinueOnError is true, a failing SDL run does not fail
# the job; confirm the results are still reviewed in that configuration.

# Override branch: the caller supplies the whole argument list. The default
# -GuardianCliLocation and -NugetPackageDirectory arguments are not added here.
- ${{ if ne(parameters.overrideParameters, '') }}:
  - displayName: Execute SDL (Overridden)
    powershell: ${{ parameters.executeAllSdlToolsScript }} ${{ parameters.overrideParameters }}
    condition: ${{ parameters.condition }}
    continueOnError: ${{ parameters.sdlContinueOnError }}
    env:
      GUARDIAN_DEFAULT_PACKAGE_SOURCE_SECRET: $(System.AccessToken)

# Default branch: the lines of the folded scalar are joined with single spaces
# into one command line, with additionalParameters appended last.
- ${{ if eq(parameters.overrideParameters, '') }}:
  - displayName: Execute SDL
    powershell: >-
      ${{ parameters.executeAllSdlToolsScript }}
      -GuardianCliLocation $(GuardianCliLocation)
      -NugetPackageDirectory $(Build.SourcesDirectory)\.packages
      ${{ parameters.additionalParameters }}
    condition: ${{ parameters.condition }}
    continueOnError: ${{ parameters.sdlContinueOnError }}
    env:
      GUARDIAN_DEFAULT_PACKAGE_SOURCE_SECRET: $(System.AccessToken)

# Publishing steps, expanded unless publishGuardianDirectoryToPipeline compares
# equal to the string 'false'.
# NOTE(review): the comparison is against a string literal while the default is
# written as a bare false; confirm callers pass values that compare as intended.
#
# NOTE(review): the published artifacts hold Guardian configuration and scan
# results; confirm that artifact read access on this pipeline suits that data.
- ${{ if ne(parameters.publishGuardianDirectoryToPipeline, 'false') }}:
  # The Guardian results and configuration are published to make diagnosis
  # easy. The '.gdn' directory mixes configuration, results, extracted
  # dependencies and Guardian's default tooling files; some of those are large
  # and of no use in an investigation, so they are deleted before publishing.
  # (As of writing, there is no documented way to selectively exclude a
  # directory from the pipeline artifact publish task.)
  # The Contents patterns below name the entries 'c' and 'i' under SourceFolder.
  - task: DeleteFiles@1
    displayName: Delete Guardian dependencies to avoid uploading
    condition: succeededOrFailed()
    inputs:
      SourceFolder: $(Agent.BuildDirectory)/.gdn
      Contents: |
        c
        i

  # Runs on success and on failure alike, so results are available either way.
  - publish: $(Agent.BuildDirectory)/.gdn
    artifact: GuardianConfiguration
    displayName: Publish GuardianConfiguration
    condition: succeededOrFailed()

  # The SARIF files go into a container named CodeAnalysisLogs so that the
  # "SARIF SAST Scans Tab" Azure DevOps extension can pick them up.
  - task: CopyFiles@2
    displayName: Copy SARIF files
    condition: succeededOrFailed()
    inputs:
      flattenFolders: true
      sourceFolder: $(Agent.BuildDirectory)/.gdn/rc/
      contents: '**/*.sarif'
      targetFolder: $(Build.SourcesDirectory)/CodeAnalysisLogs

  # PublishBuildArtifacts is used because the SARIF extension only checks this
  # case; see microsoft/sarif-azuredevops-extension#4
  - task: PublishBuildArtifacts@1
    displayName: Publish SARIF files to CodeAnalysisLogs container
    condition: succeededOrFailed()
    inputs:
      pathToPublish: $(Build.SourcesDirectory)/CodeAnalysisLogs
      artifactName: CodeAnalysisLogs
