Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ci] Migrate to the 1ES template #8

Merged
merged 14 commits into from
Feb 22, 2024
Merged

[ci] Migrate to the 1ES template #8

merged 14 commits into from
Feb 22, 2024

Conversation

pjcollins
Copy link
Member

@pjcollins pjcollins commented Feb 6, 2024

Context: https://aka.ms/1espt

The build pipeline has been updated to extend the 1ES pipeline template,
which will keep the pipeline up to date with the latest compliance and
security requirements.

Compliance tasks and scans will run automatically as part of artifact
upload steps, which are now referred to as "outputs". Template outputs
have replaced all instances of the PublishPipelineArtifact task.

The new compliance steps appear to have added ~4 hours to the
build in the worst-case scenario (from 1.5 hours to 5.5 hours). This
appears to mostly be a result of CodeQL.

@pjcollins
Copy link
Member Author

@grendello it looks like the latest scan here is unhappy with some of the llvm tools. Do we have any way of controlling some of these compiler flags as part of our build?

Tool: BinSkim: Rule: BA2007 (EnableCriticalCompilerWarnings). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2007EnableCriticalCompilerWarnings
'llc.exe' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation.
Modules triggering this check were:
llc.obj [Explicitly disabled warnings: 4146;4244;4267]

Tool: BinSkim: Rule: BA2008 (EnableControlFlowGuard). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2008EnableControlFlowGuard
'llc.exe' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.

Tool: BinSkim: Rule: BA2024 (EnableSpectreMitigations). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations
'llc.exe' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities.
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
llc.obj,cxx,19.37.32826.1 (llc.obj)

Tool: BinSkim: Rule: BA2025 (EnableShadowStack). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack
'llc.exe' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines.

Tool: BinSkim: Rule: BA2026 (EnableMicrosoftCompilerSdlSwitch). https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableMicrosoftCompilerSdlSwitch
'llc.exe' is a Windows PE that wasn't compiled with recommended Security Development Lifecycle (SDL) checks. As a result some critical compile-time and runtime checks may be disabled, increasing the possibility of an exploitable runtime issue. To resolve this problem, pass '/sdl' on the cl.exe command-line, set the 'SDL checks' property in the 'C/C++ -> General' Configuration property page, or explicitly set the 'SDLCheck' property in the project file (nested within a 'CLCompile' element) to 'true'.

@pjcollins pjcollins marked this pull request as ready for review February 22, 2024 02:23
@pjcollins pjcollins changed the title [ci] Migrate to 1ES template [ci] Migrate to the 1ES template Feb 22, 2024
@grendello grendello merged commit a1c1139 into main Feb 22, 2024
14 checks passed
@grendello grendello deleted the dev/pjc/1estemp branch February 22, 2024 09:27
grendello added a commit to dotnet/android that referenced this pull request Mar 13, 2024
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.1.1
Changes: dotnet/android-native-tools@L_17.0.6-7.1.0...L_17.0.6-7.1.1

This release is identical to the previous one, version wise, with the
difference being a handful of new build and link flags, as required by
API Scan.

* [ci] Build and sign in a DevDiv pipeline by @pjcollins in dotnet/android-native-tools#7
* [ci] Migrate to the 1ES template by @pjcollins in dotnet/android-native-tools#8
* [ci] Improve binskim scan performance by @pjcollins in dotnet/android-native-tools#11
* [ci] Improve triggers and support test signing by @pjcollins in dotnet/android-native-tools#12
* [ci] Fix unsigned artifact uploading by @pjcollins in dotnet/android-native-tools#13
* [ci] Disable automatic GitHub action trigger by @pjcollins in dotnet/android-native-tools#16
* [ci] Build on performance build pools by @pjcollins in dotnet/android-native-tools#15
* Build `as.exe` on windows by @grendello in dotnet/android-native-tools#10
* [ci] Add API Scan job by @pjcollins in dotnet/android-native-tools#9
grendello added a commit to dotnet/android that referenced this pull request Apr 2, 2024
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.1.1
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.1.2
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.2.1
Changes: dotnet/android-native-tools@L_17.0.6-7.1.0...L_17.0.6-7.1.1
Changes: dotnet/android-native-tools@L_17.0.6-7.1.1...L_17.0.6-7.1.2
Changes: dotnet/android-native-tools@L_17.0.6-7.1.2...L_17.0.6-7.2.0
Changes: dotnet/android-native-tools@L_17.0.6-7.2.0...L_17.0.6-7.2.1

This release makes changes to how we build and run the `as.exe` wrapper, so that it can be
verified by API Scan without any issues.  Otherwise it is identical to the previous release, using
the same version of LLVM.

* [ci] Build and sign in a DevDiv pipeline by @pjcollins in dotnet/android-native-tools#7
* [ci] Migrate to the 1ES template by @pjcollins in dotnet/android-native-tools#8
* [ci] Improve binskim scan performance by @pjcollins in dotnet/android-native-tools#11
* [ci] Improve triggers and support test signing by @pjcollins in dotnet/android-native-tools#12
* [ci] Fix unsigned artifact uploading by @pjcollins in dotnet/android-native-tools#13
* [ci] Disable automatic GitHub action trigger by @pjcollins in dotnet/android-native-tools#16
* [ci] Build on performance build pools by @pjcollins in dotnet/android-native-tools#15
* Build `as.exe` on windows by @grendello in dotnet/android-native-tools#10
* [ci] Add API Scan job by @pjcollins in dotnet/android-native-tools#9
*  Fix `as.exe` crash on Windows by @grendello in dotnet/android-native-tools#20
* [ci] Use managed identity for API Scan by @pjcollins in dotnet/android-native-tools#21
* Back to wide strings on Windows + magic encantations by @grendello in dotnet/android-native-tools#22
grendello added a commit to dotnet/android that referenced this pull request Apr 11, 2024
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.1.1
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.1.2
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.2.1
Changes: dotnet/android-native-tools@L_17.0.6-7.1.0...L_17.0.6-7.1.1
Changes: dotnet/android-native-tools@L_17.0.6-7.1.1...L_17.0.6-7.1.2
Changes: dotnet/android-native-tools@L_17.0.6-7.1.2...L_17.0.6-7.2.0
Changes: dotnet/android-native-tools@L_17.0.6-7.2.0...L_17.0.6-7.2.1

This release makes changes to how we build and run the `as.exe` wrapper, so that it can be
verified by API Scan without any issues.  Otherwise it is identical to the previous release, using
the same version of LLVM.

* [ci] Build and sign in a DevDiv pipeline by @pjcollins in dotnet/android-native-tools#7
* [ci] Migrate to the 1ES template by @pjcollins in dotnet/android-native-tools#8
* [ci] Improve binskim scan performance by @pjcollins in dotnet/android-native-tools#11
* [ci] Improve triggers and support test signing by @pjcollins in dotnet/android-native-tools#12
* [ci] Fix unsigned artifact uploading by @pjcollins in dotnet/android-native-tools#13
* [ci] Disable automatic GitHub action trigger by @pjcollins in dotnet/android-native-tools#16
* [ci] Build on performance build pools by @pjcollins in dotnet/android-native-tools#15
* Build `as.exe` on windows by @grendello in dotnet/android-native-tools#10
* [ci] Add API Scan job by @pjcollins in dotnet/android-native-tools#9
*  Fix `as.exe` crash on Windows by @grendello in dotnet/android-native-tools#20
* [ci] Use managed identity for API Scan by @pjcollins in dotnet/android-native-tools#21
* Back to wide strings on Windows + magic encantations by @grendello in dotnet/android-native-tools#22
jonathanpeppers pushed a commit to dotnet/android that referenced this pull request May 8, 2024
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.1.1
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.1.2
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.2.1
Context: https://github.com/xamarin/xamarin-android-binutils/releases/tag/L_17.0.6-7.2.2
Changes: dotnet/android-native-tools@L_17.0.6-7.1.0...L_17.0.6-7.1.1
Changes: dotnet/android-native-tools@L_17.0.6-7.1.1...L_17.0.6-7.1.2
Changes: dotnet/android-native-tools@L_17.0.6-7.1.2...L_17.0.6-7.2.0
Changes: dotnet/android-native-tools@L_17.0.6-7.2.0...L_17.0.6-7.2.1
Changes: dotnet/android-native-tools@L_17.0.6-7.2.1...L_17.0.6-7.2.2

This release makes changes to how we build and run the `as.exe` wrapper, so that it can be verified by API Scan without any issues.  Otherwise it is identical to the previous release, using the same version of LLVM.

* [ci] Build and sign in a DevDiv pipeline by @pjcollins in dotnet/android-native-tools#7
* [ci] Migrate to the 1ES template by @pjcollins in dotnet/android-native-tools#8
* [ci] Improve binskim scan performance by @pjcollins in dotnet/android-native-tools#11
* [ci] Improve triggers and support test signing by @pjcollins in dotnet/android-native-tools#12
* [ci] Fix unsigned artifact uploading by @pjcollins in dotnet/android-native-tools#13
* [ci] Disable automatic GitHub action trigger by @pjcollins in dotnet/android-native-tools#16
* [ci] Build on performance build pools by @pjcollins in dotnet/android-native-tools#15
* Build `as.exe` on windows by @grendello in dotnet/android-native-tools#10
* [ci] Add API Scan job by @pjcollins in dotnet/android-native-tools#9
*  Fix `as.exe` crash on Windows by @grendello in dotnet/android-native-tools#20
* [ci] Use managed identity for API Scan by @pjcollins in dotnet/android-native-tools#21
* Back to wide strings on Windows + magic encantations by @grendello in dotnet/android-native-tools#22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants