From 0cb2a22f8837bc015e8e573103c2bd88808c5a60 Mon Sep 17 00:00:00 2001
From: OneBranch Resources
Date: Mon, 11 Mar 2024 17:03:25 +0000
Subject: [PATCH 1/8] Adding OneBranch pipeline YAML config file for OSS_Microsoft_PSSA-Official
---
 .config/tsaoptions.json | 15 +++
 .pipelines/OSS_Microsoft_PSSA-Official.yml | 140 +++++++++++++++++++++
 2 files changed, 155 insertions(+)
 create mode 100644 .config/tsaoptions.json
 create mode 100644 .pipelines/OSS_Microsoft_PSSA-Official.yml
diff --git a/.config/tsaoptions.json b/.config/tsaoptions.json
new file mode 100644
index 000000000..13fecf5f5
--- /dev/null
+++ b/.config/tsaoptions.json
@@ -0,0 +1,15 @@
+{
+ "instanceUrl": "https://msazure.visualstudio.com",
+ "projectName": "One",
+ "areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell",
+ "notificationAliases": [
+ "jimtru@microsoft.com",
+ "slee@microsoft.com"
+ ],
+ "codebaseName": "PSSA_202403",
+ "tools": [
+ "CredScan",
+ "PoliCheck",
+ "BinSkim"
+ ]
+}
diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml
new file mode 100644
index 000000000..118e39136
--- /dev/null
+++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml
@@ -0,0 +1,140 @@
+# This Yaml Document has been converted by ESAI Yaml Pipeline Conversion Tool.
+# Please make sure to check all the converted content, it is your team's responsibility to make sure that the pipeline is still valid and functions as expected.
+# This pipeline will be extended to the OneBranch template
+name: PSSA-Release-$(Build.BuildId)
+trigger: none
+pr:
+ branches:
+ include:
+ - master
+ - release*
+variables:
+- name: DOTNET_CLI_TELEMETRY_OPTOUT
+ value: 1
+- name: POWERSHELL_TELEMETRY_OPTOUT
+ value: 1
+- name: WindowsContainerImage
+ value: onebranch.azurecr.io/windows/ltsc2019/vse2022:latest
+resources:
+ repositories:
+ - repository: ComplianceRepo
+ type: github
+ endpoint: ComplianceGHRepo
+ name: PowerShell/compliance
+ ref: master
+ - repository: onebranchTemplates
+ type: git
+ name: OneBranch.Pipelines/GovernedTemplates
+ ref: refs/heads/main
+extends:
+ template: v2/OneBranch.Official.CrossPlat.yml@onebranchTemplates
+ parameters:
+ customTags: 'ES365AIMigrationTooling'
+ globalSdl:
+ runMode: stage
+ perStage:
+ stageName:
+ tsa:
+ configFile: $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json
+
+ stages:
+ - stage: Build
+ displayName: Build
+ jobs:
+ - job: Build_Job
+ displayName: Build Microsoft.PowerShell.ScriptAnalyzer
+ variables:
+ - group: ESRP
+ - name: ob_outputDirectory
+ value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT'
+ pool:
+ type: windows
+ steps:
+ - checkout: self
+ - checkout: ComplianceRepo
+
+ - pwsh: |
+ if (-not (Test-Path $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json)) {
+ Get-ChildItem $(Build.SourcesDirectory) -recurse -ErrorAction SilentlyContinue
+ throw "tsaoptions.json does not exist under $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config"
+ }
+ displayName: Test if tsaoptions.json exists
+
+ - pwsh: |
+ New-Item -ItemType Directory -Path $(Build.SourcesDirectory)/.config -Force -Verbose
+ Copy-Item '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json' '$(Build.SourcesDirectory)/.config/tsaoptions.json' -Force -Verbose
+ displayName: Copy tsaoptions
+
+ - pwsh: |
+ Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
+ try { ./build.ps1 -Configuration Release -All } catch { throw $_ }
+ displayName: Execute build
+ - pwsh: |
+ $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out"
+ # Set signing src path variable
+ $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}"
+ Write-Host "sending $vstsCommandString"
+ Write-Host "##$vstsCommandString"
+ $signOutStep1 = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Step1"
+ $null = New-Item -ItemType Directory -Path $signOutStep1
+ # Set signing out path variable
+ $vstsCommandString = "vso[task.setvariable variable=signOutStep1]${signOutStep1}"
+ Write-Host "sending $vstsCommandString"
+ Write-Host "##$vstsCommandString"
+ $signOutPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/signed"
+ $null = New-Item -ItemType Directory -Path $signOutPath
+ # Set signing out path variable
+ $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}"
+ Write-Host "sending $vstsCommandString"
+ Write-Host "##$vstsCommandString"
+ # Set path variable for guardian codesign validation
+ $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${signOutPath}"
+ Write-Host "sending $vstsCommandString"
+ Write-Host "##$vstsCommandString"
+ # Get version and create a variable
+ $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1"
+ $moduleVersion = $moduleData.ModuleVersion
+ $vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}"
+ Write-Host "sending $vstsCommandString"
+ Write-Host "##$vstsCommandString"
+ displayName: Setup variables for signing
+
+ - template: EsrpSign.yml@ComplianceRepo
+ parameters:
+ buildOutputPath: $(signSrcPath)
+ signOutputPath: $(signOutStep1)
+ certificateId: "CP-230012"
+ useMinimatch: true
+ pattern: |
+ **\*.psd1
+ **\*.psm1
+ **\*.ps1xml
+ **\Microsoft*.dll
+ - template: EsrpSign.yml@ComplianceRepo
+ parameters:
+ buildOutputPath: $(signOutStep1)
+ signOutputPath: $(signOutPath)
+ certificateId: "CP-231522"
+ useMinimatch: true
+ pattern: |
+ **/Pluralize*.dll
+ **/Newtonsoft*.dll
+ - template: Sbom.yml@ComplianceRepo
+ parameters:
+ BuildDropPath: $(signOutPath)
+ Build_Repository_Uri: 'https://github.com/powershell/PSScriptAnalyzer'
+ - pwsh: |
+ Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
+ ./build -BuildNupkg -CopyManifest -signed
+ displayName: Create nupkg for publishing
+ - task: CopyFiles@2
+ displayName: "Copy Files for 'publish build directory' publish task"
+ inputs:
+ SourceFolder: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
+ Contents: '**'
+ TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/build
+ - task: CopyFiles@2
+ displayName: "Copy Files for 'Publish module nupkg' publish task"
+ inputs:
+ Contents: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg"
+ TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/nupkg
From 9fa47ae24592caebb172e7b171f7206e859a9dc3 Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan
Date: Tue, 12 Mar 2024 11:05:27 -0700
Subject: [PATCH 2/8] Updates to signing and TSA
---
 .pipelines/OSS_Microsoft_PSSA-Official.yml | 85 +++++++++++++++-------
 1 file changed, 60 insertions(+), 25 deletions(-)
diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml
index 118e39136..d310895a9 100644
--- a/.pipelines/OSS_Microsoft_PSSA-Official.yml
+++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml
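Review bot: The `pr:` trigger on master and release* runs this Official pipeline — whose Build job pulls the `ESRP` variable group and runs both EsrpSign.yml steps — for pull-request builds, so unreviewed pull-request content would reach the signing and nupkg steps. If the self repository is Azure Repos Git the `pr:` block is, as far as I recall, ignored there (PR validation comes from branch policy), which still leaves the intent unclear; `pr: none` next to `trigger: none` makes it explicit, with PR validation left to a pipeline that has no signing steps. Separately, the 'publish build directory' CopyFiles task uses `Contents: '**'` over the whole checkout, so the `.git` directory and the pre-signing `out` and `Step1` trees land in the published artifact; a multi-line Contents (`**` followed by `!.git/**`) keeps the artifact to build output.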
@@ -31,11 +31,21 @@ extends: parameters: customTags: 'ES365AIMigrationTooling' globalSdl: - runMode: stage - perStage: - stageName: - tsa: - configFile: $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json + sbom: + enabled: false + codeql: + compiled: + enabled: false + asyncSdl: # https://aka.ms/obpipelines/asyncsdl + enabled: true + forStages: [Build] + credscan: + enabled: true + scanFolder: $(Build.ArtifactStagingDirectory)\OSS_Microsoft_PSSA + binskim: + enabled: true + apiscan: + enabled: false stages: - stage: Build @@ -47,6 +57,10 @@ extends: - group: ESRP - name: ob_outputDirectory value: '$(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT' + - name: repoRoot + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA + - name: ob_sdl_tsa_configFile + value: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA\.config\tsaoptions.json pool: type: windows steps: 
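Review bot: `sbom: enabled: false` switches off the OneBranch-generated SBOM while the Build job still calls `Sbom.yml@ComplianceRepo` against $(signOutPath), and nothing in the file says that is deliberate; a comment on the key, e.g. `sbom:  # produced by Sbom.yml@ComplianceRepo in the Build job instead`, stops the next reader from re-enabling it and shipping two manifests. `apiscan: enabled: false` deserves the same one-line rationale, since an Official pipeline with scans disabled and no explanation reads as an oversight rather than a decision.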
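Review bot: The new `repoRoot` and `ob_sdl_tsa_configFile` values are unquoted backslash paths while `ob_outputDirectory` two lines above is single-quoted with forward slashes; one form should be used for all three, e.g. `value: '$(Build.SourcesDirectory)\OSS_Microsoft_PSSA'`. `repoRoot` is also introduced here but no step touched by this commit references it — the steps still hard-code `$(Build.SourcesDirectory)/OSS_Microsoft_PSSA` — so the variable and the literal paths can drift apart; switching the steps to `$(repoRoot)` in the same change would give the variable a purpose.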
@@ -99,40 +113,61 @@ extends: Write-Host "##$vstsCommandString" displayName: Setup variables for signing - - template: EsrpSign.yml@ComplianceRepo - parameters: - buildOutputPath: $(signSrcPath) - signOutputPath: $(signOutStep1) - certificateId: "CP-230012" - useMinimatch: true - pattern: | - **\*.psd1 - **\*.psm1 - **\*.ps1xml - **\Microsoft*.dll - - template: EsrpSign.yml@ComplianceRepo - parameters: - buildOutputPath: $(signOutStep1) - signOutputPath: $(signOutPath) - certificateId: "CP-231522" - useMinimatch: true - pattern: | - **/Pluralize*.dll - **/Newtonsoft*.dll + - task: onebranch.pipeline.signing@1 + displayName: 'Sign the build output' + inputs: + command: 'sign' + cp_code: 'CP-230012' + files_to_sign: '**\*.psd1;**\*.psm1','**\*.ps1xml','**\Microsoft*.dll' + search_root: $(signSrcPath) + + - task: onebranch.pipeline.signing@1 + displayName: 'Sign the build output' + inputs: + command: 'sign' + cp_code: 'CP-231522' + files_to_sign: '**/Pluralize*.dll', '**/Newtonsoft*.dll' + search_root: $(signSrcPath) + + # - template: EsrpSign.yml@ComplianceRepo + # parameters: + # buildOutputPath: $(signSrcPath) + # signOutputPath: $(signOutStep1) + # certificateId: "CP-230012" + # useMinimatch: true + # pattern: | + # **\*.psd1 + # **\*.psm1 + # **\*.ps1xml + # **\Microsoft*.dll + + # - template: EsrpSign.yml@ComplianceRepo + # parameters: + # buildOutputPath: $(signOutStep1) + # signOutputPath: $(signOutPath) + # certificateId: "CP-231522" + # useMinimatch: true + # pattern: | + # **/Pluralize*.dll + # **/Newtonsoft*.dll + - template: Sbom.yml@ComplianceRepo parameters: BuildDropPath: $(signOutPath) Build_Repository_Uri: 'https://github.com/powershell/PSScriptAnalyzer' + - pwsh: | Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" ./build -BuildNupkg -CopyManifest -signed displayName: Create nupkg for publishing + - task: CopyFiles@2 displayName: "Copy Files for 'publish build directory' publish task" inputs: SourceFolder: 
"$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" Contents: '**' TargetFolder: $(Build.ArtifactStagingDirectory)/ONEBRANCH_ARTIFACT/build + - task: CopyFiles@2 displayName: "Copy Files for 'Publish module nupkg' publish task" inputs: From 23956e73706293e7c2697900797c52b8204b1ae6 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Tue, 12 Mar 2024 11:10:09 -0700 Subject: [PATCH 3/8] Fix typo --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index d310895a9..2fb5b1a85 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -118,7 +118,7 @@ extends: inputs: command: 'sign' cp_code: 'CP-230012' - files_to_sign: '**\*.psd1;**\*.psm1','**\*.ps1xml','**\Microsoft*.dll' + files_to_sign: '**\*.psd1;**\*.psm1';'**\*.ps1xml';'**\Microsoft*.dll' search_root: $(signSrcPath) - task: onebranch.pipeline.signing@1 @@ -126,7 +126,7 @@ extends: inputs: command: 'sign' cp_code: 'CP-231522' - files_to_sign: '**/Pluralize*.dll', '**/Newtonsoft*.dll' + files_to_sign: '**/Pluralize*.dll';'**/Newtonsoft*.dll' search_root: $(signSrcPath) # - template: EsrpSign.yml@ComplianceRepo From 19bca77a84869cb8074f0093e01ea4b1682eb218 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Tue, 12 Mar 2024 11:12:24 -0700 Subject: [PATCH 4/8] Fix typo 2 --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 2fb5b1a85..bf579dbd8 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml 
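Review bot: Both onebranch.pipeline.signing@1 tasks sign in place under `search_root: $(signSrcPath)`, yet the Sbom.yml template (`BuildDropPath: $(signOutPath)`) and the 'Create nupkg' step with `-signed` that follow in this hunk still read `$(signOutPath)`, which the earlier setup step (outside this hunk) only creates as an empty directory; after this change nothing writes signed files there, so the SBOM would describe an empty drop and the nupkg step presumably packs missing or unsigned binaries (what `-signed` reads is outside this hunk). Either point the downstream steps at `$(signSrcPath)` or copy the signed output into `$(signOutPath)` before the SBOM step. The two tasks also share the displayName 'Sign the build output', and the commented-out EsrpSign blocks should be deleted rather than kept, since git history already has them. Commit 7 of this series reverts to the templates, so this only matters if the task-based signing is revisited.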
@@ -118,7 +118,7 @@ extends: inputs: command: 'sign' cp_code: 'CP-230012' - files_to_sign: '**\*.psd1;**\*.psm1';'**\*.ps1xml';'**\Microsoft*.dll' + files_to_sign: '**\*.psd1';'**\*.psm1';'**\*.ps1xml';'**\Microsoft*.dll' search_root: $(signSrcPath) - task: onebranch.pipeline.signing@1 From 0a887a33ca65fe980fd488ae711b2f57fada520a Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Tue, 12 Mar 2024 11:13:15 -0700 Subject: [PATCH 5/8] Fix typo 3 --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index bf579dbd8..14e863134 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -118,7 +118,7 @@ extends: inputs: command: 'sign' cp_code: 'CP-230012' - files_to_sign: '**\*.psd1';'**\*.psm1';'**\*.ps1xml';'**\Microsoft*.dll' + files_to_sign: '**\*.psd1;**\*.psm1;**\*.ps1xml;**\Microsoft*.dll' search_root: $(signSrcPath) - task: onebranch.pipeline.signing@1 @@ -126,7 +126,7 @@ extends: inputs: command: 'sign' cp_code: 'CP-231522' - files_to_sign: '**/Pluralize*.dll';'**/Newtonsoft*.dll' + files_to_sign: '**/Pluralize*.dll;**/Newtonsoft*.dll' search_root: $(signSrcPath) # - template: EsrpSign.yml@ComplianceRepo From 3954ca5263a175d14709821127d6ca62550dc589 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Tue, 12 Mar 2024 12:21:18 -0700 Subject: [PATCH 6/8] Update CR feedback --- .config/tsaoptions.json | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.config/tsaoptions.json b/.config/tsaoptions.json index 13fecf5f5..75070cbfd 100644 --- a/.config/tsaoptions.json +++ b/.config/tsaoptions.json 
@@ -1,15 +1,10 @@ { "instanceUrl": "https://msazure.visualstudio.com", "projectName": "One", - "areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell", + "areaPath": "One\\MGMT\\Compute\\Powershell\\Powershell\\PowerShell Core", "notificationAliases": [ "jimtru@microsoft.com", "slee@microsoft.com" ], - "codebaseName": "PSSA_202403", - "tools": [ - "CredScan", - "PoliCheck", - "BinSkim" - ] + "codebaseName": "PSSA_202403" } From 2f56f2c26af6f0a20dc79e5da32e9f6daf9de416 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Tue, 12 Mar 2024 12:31:43 -0700 Subject: [PATCH 7/8] Revert back to old signing --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 69 +++++++++------------- 1 file changed, 27 insertions(+), 42 deletions(-) diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index 14e863134..c66dfa444 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -35,7 +35,7 @@ extends: enabled: false codeql: compiled: - enabled: false + enabled: true asyncSdl: # https://aka.ms/obpipelines/asyncsdl enabled: true forStages: [Build] 
@@ -68,21 +68,22 @@ extends: - checkout: ComplianceRepo - pwsh: | - if (-not (Test-Path $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json)) { + if (-not (Test-Path $(repoRoot)/.config/tsaoptions.json)) { Get-ChildItem $(Build.SourcesDirectory) -recurse -ErrorAction SilentlyContinue throw "tsaoptions.json does not exist under $(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config" } displayName: Test if tsaoptions.json exists - - pwsh: | - New-Item -ItemType Directory -Path $(Build.SourcesDirectory)/.config -Force -Verbose - Copy-Item '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json' '$(Build.SourcesDirectory)/.config/tsaoptions.json' -Force -Verbose - displayName: Copy tsaoptions + #- pwsh: | + # New-Item -ItemType Directory -Path $(Build.SourcesDirectory)/.config -Force -Verbose + # Copy-Item '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config/tsaoptions.json' '$(Build.SourcesDirectory)/.config/tsaoptions.json' -Force -Verbose + # displayName: Copy tsaoptions - pwsh: | Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" try { ./build.ps1 -Configuration Release -All } catch { throw $_ } displayName: Execute build + - pwsh: | $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out" # Set signing src path variable 
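Review bot: The existence check now tests `$(repoRoot)/.config/tsaoptions.json`, but the throw message two lines below still names `$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/.config`, so a failure reports a path that was not the one checked; change it to `throw "tsaoptions.json does not exist under $(repoRoot)/.config"`. The 'Copy tsaoptions' step is commented out rather than deleted — drop it, since `ob_sdl_tsa_configFile` presumably points OneBranch at the file in place and the old step remains in history. The recursive `Get-ChildItem` over the whole sources directory on failure also dumps the entire checkout listing into the log; listing `$(repoRoot)/.config` alone is enough to diagnose the missing file.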
@@ -113,43 +114,27 @@ extends: Write-Host "##$vstsCommandString" displayName: Setup variables for signing - - task: onebranch.pipeline.signing@1 - displayName: 'Sign the build output' - inputs: - command: 'sign' - cp_code: 'CP-230012' - files_to_sign: '**\*.psd1;**\*.psm1;**\*.ps1xml;**\Microsoft*.dll' - search_root: $(signSrcPath) - - - task: onebranch.pipeline.signing@1 - displayName: 'Sign the build output' - inputs: - command: 'sign' - cp_code: 'CP-231522' - files_to_sign: '**/Pluralize*.dll;**/Newtonsoft*.dll' - search_root: $(signSrcPath) - - # - template: EsrpSign.yml@ComplianceRepo - # parameters: - # buildOutputPath: $(signSrcPath) - # signOutputPath: $(signOutStep1) - # certificateId: "CP-230012" - # useMinimatch: true - # pattern: | - # **\*.psd1 - # **\*.psm1 - # **\*.ps1xml - # **\Microsoft*.dll + - template: EsrpSign.yml@ComplianceRepo + parameters: + buildOutputPath: $(signSrcPath) + signOutputPath: $(signOutStep1) + certificateId: "CP-230012" + useMinimatch: true + pattern: | + **\*.psd1 + **\*.psm1 + **\*.ps1xml + **\Microsoft*.dll - # - template: EsrpSign.yml@ComplianceRepo - # parameters: - # buildOutputPath: $(signOutStep1) - # signOutputPath: $(signOutPath) - # certificateId: "CP-231522" - # useMinimatch: true - # pattern: | - # **/Pluralize*.dll - # **/Newtonsoft*.dll + - template: EsrpSign.yml@ComplianceRepo + parameters: + buildOutputPath: $(signOutStep1) + signOutputPath: $(signOutPath) + certificateId: "CP-231522" + useMinimatch: true + pattern: | + **/Pluralize*.dll + **/Newtonsoft*.dll - template: Sbom.yml@ComplianceRepo parameters: From c0f78195bf1c3532312f802c9d66449fbde5a2b0 Mon Sep 17 00:00:00 2001 From: Aditya Patwardhan Date: Tue, 12 Mar 2024 13:48:40 -0700 Subject: [PATCH 8/8] Fix source direcctory for credscan --- .pipelines/OSS_Microsoft_PSSA-Official.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
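Review bot: The two restored EsrpSign.yml invocations use different separators in their minimatch patterns — `**\*.psd1` through `**\Microsoft*.dll` in the first, `**/Pluralize*.dll` and `**/Newtonsoft*.dll` in the second — both with `useMinimatch: true`; depending on the minimatch version and how EsrpSign.yml feeds the pattern (outside this hunk), a backslash is either normalised to a separator or treated as an escape of the next character, so the first set may not match what it is meant to. Writing the first block as `**/*.psd1`, `**/*.psm1`, `**/*.ps1xml`, `**/Microsoft*.dll` is unambiguous on both readings and matches the second block. A comment above each invocation naming why two certificate ids are used (first-party module files versus the third-party Pluralize/Newtonsoft assemblies) would also help, since template steps carry no displayName.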
diff --git a/.pipelines/OSS_Microsoft_PSSA-Official.yml b/.pipelines/OSS_Microsoft_PSSA-Official.yml index c66dfa444..7500f4050 100644 --- a/.pipelines/OSS_Microsoft_PSSA-Official.yml +++ b/.pipelines/OSS_Microsoft_PSSA-Official.yml @@ -41,7 +41,7 @@ extends: forStages: [Build] credscan: enabled: true - scanFolder: $(Build.ArtifactStagingDirectory)\OSS_Microsoft_PSSA + scanFolder: $(Build.SourcesDirectory)\OSS_Microsoft_PSSA binskim: enabled: true apiscan: