Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move from CFG to XFG when XFG works and is mandatory #11948

Closed
miniksa opened this issue Dec 15, 2021 · 1 comment
Closed

Move from CFG to XFG when XFG works and is mandatory #11948

miniksa opened this issue Dec 15, 2021 · 1 comment
Labels
Area-Build Issues pertaining to the build system, CI, infrastructure, meta Issue-Task It's a feature request, but it doesn't really need a major design. Needs-Tag-Fix Doesn't match tag requirements Product-Meta The product is the management of the products.
Milestone
Engineering Impro...

Comments

@miniksa
Copy link
Member

miniksa commented Dec 15, 2021

  • We do CFG now. Policy says CFG is being transitioned to XFG.
  • XFG checkers don't work right yet. Mail thread is out.
  • Peer teams not using XFG yet. So it must not be that mandatory.
@miniksa miniksa added Area-Build Issues pertaining to the build system, CI, infrastructure, meta Product-Meta The product is the management of the products. Issue-Task It's a feature request, but it doesn't really need a major design. labels Dec 15, 2021
@miniksa miniksa added this to the Engineering Improvements 2021 milestone Dec 15, 2021
@miniksa miniksa self-assigned this Dec 15, 2021
@ghost ghost added the Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting label Dec 15, 2021
@miniksa miniksa mentioned this issue Dec 15, 2021
Merged
4 tasks
@zadjii-msft zadjii-msft removed the Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting label Jan 3, 2022
ghost pushed a commit that referenced this issue Jan 5, 2022
@miniksa
Enable Security and Compliance tasks in our Release pipeline (#11849)
805ac4c 
Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include:
- Component Governance - (we had this one, it was moved to here) - Inventories open-source components used in our build
- PREfast - C/C++ static analysis for common code errors and exploits
- Policheck - Searches source code, comments, and text for words that could be sensitive legally, culturally, or geopolitically
- Credscan - Looks for credentials left behind in the code/documents and build output files
- BinSkim - Searches for common vulnerabilities in binaries
- CheckCFlags - Validates that compile/link flags match the policies recommended by Windows engineering for inclusion into the OS product image
- CFGCheck/XFGCheck - Validates that the CFG and/or XFG settings were enabled at compile and link time to guard against control flow attacks.

We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated.

## References
- #11948 - Move from CFG to XFG once XFG task folks get back to me on it
- #11949 - Enable bug filing for SecComp tasks
- #11950 - Bulk process bugs filed by SecComp tasks
- #11947 - Validate SBOM when checkers come online

## Checklist
- [x] - Fixes #10735
- [x] - Fixes #908
- [x] - I work here
- [x] - If it fits, it sits.
miniksa added a commit that referenced this issue Jan 10, 2022
@miniksa
Enable Security and Compliance tasks in our Release pipeline (#11849)
789d22e 
Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include:
- Component Governance - (we had this one, it was moved to here) - Inventories open-source components used in our build
- PREfast - C/C++ static analysis for common code errors and exploits
- Policheck - Searches source code, comments, and text for words that could be sensitive legally, culturally, or geopolitically
- Credscan - Looks for credentials left behind in the code/documents and build output files
- BinSkim - Searches for common vulnerabilities in binaries
- CheckCFlags - Validates that compile/link flags match the policies recommended by Windows engineering for inclusion into the OS product image
- CFGCheck/XFGCheck - Validates that the CFG and/or XFG settings were enabled at compile and link time to guard against control flow attacks.

We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated.

- #11948 - Move from CFG to XFG once XFG task folks get back to me on it
- #11949 - Enable bug filing for SecComp tasks
- #11950 - Bulk process bugs filed by SecComp tasks
- #11947 - Validate SBOM when checkers come online

- [x] - Fixes #10735
- [x] - Fixes #908
- [x] - I work here
- [x] - If it fits, it sits.
@miniksa miniksa removed their assignment Mar 31, 2022
@DHowett DHowett closed this as completed Mar 5, 2024
@microsoft-github-policy-service microsoft-github-policy-service bot added the Needs-Tag-Fix Doesn't match tag requirements label Mar 5, 2024
@DHowett
Copy link
Member

DHowett commented Mar 5, 2024

Tidying up

@DHowett DHowett closed this as not planned Won't fix, can't repro, duplicate, stale Mar 5, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area-Build Issues pertaining to the build system, CI, infrastructure, meta Issue-Task It's a feature request, but it doesn't really need a major design. Needs-Tag-Fix Doesn't match tag requirements Product-Meta The product is the management of the products.
Projects
None yet
Milestone
Engineering Improvements
Development

No branches or pull requests
3 participants
@DHowett @miniksa @zadjii-msft