
Enable Security and Compliance tasks in our Release pipeline #11849

Merged: 85 commits merged into main from dev/miniksa/compliance, Jan 5, 2022

Conversation

@miniksa (Member) commented Nov 30, 2021

Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include:

  • Component Governance - (we had this one, it was moved to here) - Inventories open-source components used in our build
  • PREfast - C/C++ static analysis for common code errors and exploits
  • Policheck - Searches source code, comments, and text for words that could be sensitive legally, culturally, or geopolitically
  • Credscan - Looks for credentials left behind in the code/documents and build output files
  • BinSkim - Searches for common vulnerabilities in binaries
  • CheckCFlags - Validates that compile/link flags match the policies recommended by Windows engineering for inclusion into the OS product image
  • CFGCheck/XFGCheck - Validates that the CFG and/or XFG settings were enabled at compile and link time to guard against control flow attacks.

We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated.

References

Checklist
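As an added illustration of what the BinSkim and CFGCheck tasks listed above verify (this is example code, not the Windows Terminal project's code and not the Microsoft compliance tasks themselves), the script below reads the `DllCharacteristics` word of a PE image and reports which hardening flags the binary was linked without. The two sample images are constructed in memory from header bytes only and are labelled as such; the flag values are the documented `IMAGE_DLLCHARACTERISTICS_*` constants from the PE/COFF specification.

```python
"""Minimal PE DllCharacteristics check for binary hardening flags.

Added illustration; not the Windows Terminal project's code and not the
BinSkim/CFGCheck tasks themselves. It reads the field BinSkim-style rules
look at (IMAGE_OPTIONAL_HEADER.DllCharacteristics) and reports which
hardening flags a PE image was linked with. The sample images below are
constructed in memory, not real binaries.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (/HIGHENTROPYVA)
DYNAMIC_BASE = 0x0040     # ASLR, relocatable image (/DYNAMICBASE)
NX_COMPAT = 0x0100        # DEP (/NXCOMPAT)
GUARD_CF = 0x4000         # Control Flow Guard (/guard:cf at link time)

# Flags a hardened Windows binary is expected to carry, in report order.
REQUIRED = {
    "HIGH_ENTROPY_VA": HIGH_ENTROPY_VA,
    "DYNAMIC_BASE": DYNAMIC_BASE,
    "NX_COMPAT": NX_COMPAT,
    "GUARD_CF": GUARD_CF,
}

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE image, validating the headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    if size_of_optional < 72 or len(image) < opt + size_of_optional:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    return flags


def missing_mitigations(image: bytes) -> list:
    """Names of REQUIRED flags the image was linked without, in REQUIRED order."""
    flags = dll_characteristics(image)
    return [name for name, bit in REQUIRED.items() if not flags & bit]


def build_sample_pe(flags: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image (constructed sample input, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS stub
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | DLL)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, flags)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: one linked with every flag, one missing CFG, DEP and 64-bit ASLR.
HARDENED = build_sample_pe(HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | GUARD_CF)
WEAK = build_sample_pe(DYNAMIC_BASE)

if __name__ == "__main__":
    for label, img in (("hardened", HARDENED), ("weak", WEAK)):
        gaps = missing_mitigations(img)
        print(f"{label}: {'OK' if not gaps else 'missing ' + ', '.join(gaps)}")
```

The `GUARD_CF` bit only records that the linker was passed `/guard:cf`; whether every object file was also compiled with `/guard:cf` shows up only in the load configuration directory's guard tables, which is one reason to run a compile/link flag check alongside a binary check rather than relying on either alone.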


@miniksa miniksa changed the title [DRAFT] compliance Enable Security and Compliance tasks in our Release pipeline Dec 15, 2021

@ghost ghost added Area-Build Issues pertaining to the build system, CI, infrastructure, meta Issue-Task It's a feature request, but it doesn't really need a major design. Product-Meta The product is the management of the products. labels Dec 15, 2021
Comment on lines +222 to +233
template<typename T>
static bool isProfilesDefaultsOrigin(const T& profile)
{
return profile && profile.Origin() != winrt::Microsoft::Terminal::Settings::Model::OriginTag::ProfilesDefaults;
}

template<typename T>
static bool isProfilesDefaultsOriginSub(const T& sub)
{
return sub && isProfilesDefaultsOrigin(sub.SourceProfile());
}
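Review bot: the predicate names read inverted: `isProfilesDefaultsOrigin` returns true when `profile.Origin() != OriginTag::ProfilesDefaults`, that is, for every origin except profiles.defaults, and `isProfilesDefaultsOriginSub` inherits the same inversion through `sub.SourceProfile()`. Either rename them to say the profile is not the defaults entry, or add a comment stating that callers use them to exclude the defaults profile, so the next reader does not flip the condition while "fixing" the name.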

miniksa (Member Author):

This change was because of an internal compiler error. I have a thread out to the team to hopefully debug and fix the compiler. It couldn't handle the other form.

@@ -168,6 +168,7 @@
<IntrinsicFunctions>true</IntrinsicFunctions>
<PreprocessorDefinitions>NDEBUG;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<RuntimeTypeInfo>false</RuntimeTypeInfo>
<AdditionalOptions>%(AdditionalOptions)</AdditionalOptions>
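Review bot: `<AdditionalOptions>%(AdditionalOptions)</AdditionalOptions>` adds no flags on its own, so a reader without this thread will see it as dead configuration and may delete it; put an MSBuild comment beside it saying it is the hook where the CFG/XFG compiler and linker options will be added, which is the stated reason for the line.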
miniksa (Member Author):

Please ignore this. It will make it easier for me to move to XFG later as more flags go here.

cancelTimeoutInMinutes: 1
steps:
- checkout: self
clean: true
fetchDepth: 1
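Review bot: `fetchDepth: 1` deserves an inline YAML comment recording the constraint raised in this thread, that PGO needs to resolve peer branches and cannot from a depth-1 clone, and which jobs therefore keep the shallow checkout; without it the shallow depth is likely to be copied into the release job by someone tidying the pipeline later.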
miniksa (Member Author):

PGO can't resolve from peer branches with depth 1 here, so I'll allow it for release builds.

@miniksa miniksa marked this pull request as ready for review December 15, 2021 21:10
Resolved review threads on:

  • build/config/PolicheckExclusions.xml
  • build/pipelines/release.yml (outdated)
  • build/pipelines/release.yml (outdated)
  • build/pipelines/release.yml
@zadjii-msft (Member) left a comment:

yea I'm fine with this. Dustin wanted it moved to another file (stages.yml or something), but like, good enough for me.

teamId: 7105
authId: $(TouchdownAppId)
authKey: $(TouchdownAppKey)
resourceFilePath: >-
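Review bot: `authKey: $(TouchdownAppKey)` is a credential; confirm the variable is defined as a secret (variable group or Key Vault-backed) so Azure Pipelines masks it in logs and does not expose it to untrusted builds, and note that in a YAML comment next to `authId`/`authKey`. The `resourceFilePath: >-` block that follows enumerates Resources.resw paths by hand, which this thread already flags as easy to leave stale; a wildcard pattern in place of the list is worth a follow-up.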
Member:

I don't love that we've got these Resources.resw paths in here all hardcoded, kinda just begging for us to forget to update this list in the future, but ¯\_(ツ)_/¯

miniksa (Member Author):

That's how they were... We can maybe improve that later.

Member:

Yep. I learned afterwards that we can wildcard them!

Honestly doing compliance probably doesn't need loc resources.. but np

@miniksa (Member Author) commented Jan 3, 2022

From the meeting, @DHowett wants me to pull the compliance one into a template of steps and then link it here.

@miniksa (Member Author) commented Jan 3, 2022

/azp run

@azure-pipelines: Azure Pipelines successfully started running 1 pipeline(s).

@miniksa miniksa added the AutoMerge Marked for automatic merge by the bot when requirements are met label Jan 5, 2022
@ghost commented Jan 5, 2022

Hello @miniksa!

Because this pull request has the AutoMerge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@ghost ghost merged commit 805ac4c into main Jan 5, 2022
@ghost ghost deleted the dev/miniksa/compliance branch January 5, 2022 18:45
miniksa added a commit that referenced this pull request Jan 10, 2022
Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include:
- Component Governance - (we had this one, it was moved to here) - Inventories open-source components used in our build
- PREfast - C/C++ static analysis for common code errors and exploits
- Policheck - Searches source code, comments, and text for words that could be sensitive legally, culturally, or geopolitically
- Credscan - Looks for credentials left behind in the code/documents and build output files
- BinSkim - Searches for common vulnerabilities in binaries
- CheckCFlags - Validates that compile/link flags match the policies recommended by Windows engineering for inclusion into the OS product image
- CFGCheck/XFGCheck - Validates that the CFG and/or XFG settings were enabled at compile and link time to guard against control flow attacks.

We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated.

- #11948 - Move from CFG to XFG once XFG task folks get back to me on it
- #11949 - Enable bug filing for SecComp tasks
- #11950 - Bulk process bugs filed by SecComp tasks
- #11947 - Validate SBOM when checkers come online

- [x] - Fixes #10735
- [x] - Fixes #908
- [x] - I work here
- [x] - If it fits, it sits.
@ghost commented Feb 3, 2022

🎉 Windows Terminal Preview v1.13.10336.0 has been released which incorporates this pull request. 🎉
