From 1977f6bdf90863927e02d7aeddebf8a5c20619ef Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 4 Aug 2021 10:34:46 -0700 Subject: [PATCH 01/82] Add compliance task to pipeline --- build/pipelines/release.yml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 3c922be0293..e7ad36e6df1 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -264,6 +264,39 @@ jobs: SearchPattern: '**/*.pdb' IndexSources: false SymbolServerType: TeamServices + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build + - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” + displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' + - task: PkgESSecComp@10 + displayName: 'Security and Compliance tasks' + inputs: + fileNewBugs: false + areaPath: 'OS\WDX\DXP\WinDev\Terminal' + teamProject: 'OS' + iterationPath: 'OS\Future' + bugTags: 'TerminalReleaseCompliance' + scanAll: true + errOnBugs: false + failOnStdErr: true + taskLogVerbosity: Diagnostic + secCompConfigFromTask: | + # Overrides default build sources directory + sourceTargetOverrideAll: d:\ba\s\ + # Overrides default build binaries directory when "Scan all" option is specified + binariesTargetOverrideAll: d:\ba\b\ + + # Set the tools to false if they should not run in the build + tools: + - toolName: CheckCFlags + enable: true + - toolName: CFGCheck + enable: true + - toolName: Policheck + enable: false + - toolName: CredScan + enable: false + - toolName: XFGCheck + enable: false - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign From a151fed43fee04e0c3219e154dc658bc9e7a1f18 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 4 Aug 2021 12:36:57 -0700 Subject: [PATCH 02/82] attempt machine version test and change to artifact feed connection --- build/pipelines/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
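Review bot: The new `PkgESSecComp@10` step ships with `enable: false` for CredScan, Policheck and XFGCheck and with `errOnBugs: false`, so on the release pipeline it neither looks for committed credentials nor blocks on anything it does find; if a tool is off for a known reason, a comment beside that `enable: false` should say so, otherwise CredScan at least wants `enable: true`. `sourceTargetOverrideAll: d:\ba\s\` and `binariesTargetOverrideAll: d:\ba\b\` hard-code one agent's disk layout, while `$(Build.SourcesDirectory)` and `$(Build.BinariesDirectory)` express the same intent for any pool. The `Write-Host “##vso[...]”` line uses curly quotes, which PowerShell accepts, but plain ASCII `"` is safer to copy and edit. The steps list this hunk extends starts outside the hunk.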
diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index e7ad36e6df1..09e17247eb1 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -4,7 +4,9 @@ pr: none pool: name: WinDevPool-L - demands: ImageOverride -equals WinDevVS16-latest + demands: + - ImageOverride -equals WinDevVS16-latest + - ImageVersionOverride -equals 2.0.0 parameters: - name: branding From d9ffba3a50e6d0284379252f02a4b6939c5868fe Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 4 Aug 2021 15:21:51 -0700 Subject: [PATCH 03/82] bippity boppity boo --- build/pipelines/pgo.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/build/pipelines/pgo.yml b/build/pipelines/pgo.yml index 1c93a56d8cd..0880cd3cc3c 100644 --- a/build/pipelines/pgo.yml +++ b/build/pipelines/pgo.yml @@ -10,14 +10,14 @@ variables: name: 0.0.$(Date:yyMM).$(Date:dd)$(Rev:rr) stages: - - stage: Build_x64 - displayName: Build x64 - dependsOn: [] - condition: succeeded() - jobs: - - template: ./templates/build-console-pgo.yml - parameters: - platform: x64 + # - stage: Build_x64 + # displayName: Build x64 + # dependsOn: [] + # condition: succeeded() + # jobs: + # - template: ./templates/build-console-pgo.yml + # parameters: + # platform: x64 - stage: Publish_PGO_Databases displayName: Publish PGO databases dependsOn: ['Build_x64'] From 6a63f3c28b3f9dc14c1102f4ceaa5985215516fe Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 4 Aug 2021 15:22:50 -0700 Subject: [PATCH 04/82] goof less --- build/pipelines/pgo.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/pgo.yml b/build/pipelines/pgo.yml index 0880cd3cc3c..44e26cdec90 100644 --- a/build/pipelines/pgo.yml +++ b/build/pipelines/pgo.yml 
@@ -20,7 +20,7 @@ stages: # platform: x64 - stage: Publish_PGO_Databases displayName: Publish PGO databases - dependsOn: ['Build_x64'] + # dependsOn: ['Build_x64'] jobs: - template: ./templates/pgo-build-and-publish-nuget-job.yml parameters: From 8b38ccc8ca0885ac4b7eccaad523ac583523d512 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 4 Aug 2021 15:40:05 -0700 Subject: [PATCH 05/82] undo temporary testing stuff --- build/pipelines/pgo.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/build/pipelines/pgo.yml b/build/pipelines/pgo.yml index 44e26cdec90..1c93a56d8cd 100644 --- a/build/pipelines/pgo.yml +++ b/build/pipelines/pgo.yml @@ -10,17 +10,17 @@ variables: name: 0.0.$(Date:yyMM).$(Date:dd)$(Rev:rr) stages: - # - stage: Build_x64 - # displayName: Build x64 - # dependsOn: [] - # condition: succeeded() - # jobs: - # - template: ./templates/build-console-pgo.yml - # parameters: - # platform: x64 + - stage: Build_x64 + displayName: Build x64 + dependsOn: [] + condition: succeeded() + jobs: + - template: ./templates/build-console-pgo.yml + parameters: + platform: x64 - stage: Publish_PGO_Databases displayName: Publish PGO databases - # dependsOn: ['Build_x64'] + dependsOn: ['Build_x64'] jobs: - template: ./templates/pgo-build-and-publish-nuget-job.yml parameters: From 75e5c9504f3b94bf57f94cdf11b6d1c10297cb0b Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 4 Aug 2021 16:18:15 -0700 Subject: [PATCH 06/82] re-sprinkle helix access tokens --- build/Helix/ProcessHelixFiles.ps1 | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/build/Helix/ProcessHelixFiles.ps1 b/build/Helix/ProcessHelixFiles.ps1 index dcd3608a5d4..7d1051f7a57 100644 --- a/build/Helix/ProcessHelixFiles.ps1 +++ b/build/Helix/ProcessHelixFiles.ps1 
@@ -81,8 +81,12 @@ foreach ($testRun in $testRuns.value) if (-not $workItems.Contains($workItem)) { $workItems.Add($workItem) +<<<<<<< HEAD $filesQueryUri = "https://helix.dot.net/api/2019-06-17/jobs/$helixJobId/workitems/$helixWorkItemName/files" $filesQueryUri = Append-HelixAccessTokenToUrl $filesQueryUri $helixAccessToken +======= + $filesQueryUri = "https://helix.dot.net/api/2019-06-17/jobs/$helixJobId/workitems/$helixWorkItemName/files?access_token=$HelixAccessToken" +>>>>>>> cdc0e240f (re-sprinkle helix access tokens) $files = Invoke-RestMethodWithRetries $filesQueryUri $screenShots = $files | where { $_.Name.EndsWith(".jpg") } @@ -121,7 +125,11 @@ foreach ($testRun in $testRuns.value) Write-Host "Downloading $link to $destination" +<<<<<<< HEAD $link = Append-HelixAccessTokenToUrl $link $HelixAccessToken +======= + $link = Append-HelixAccessToken $link $HelixAccessToken +>>>>>>> cdc0e240f (re-sprinkle helix access tokens) Download-FileWithRetries $link $destination } } From b9dc74e3e572df33336eef4ddcd27a071a8dc69d Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 4 Aug 2021 16:27:10 -0700 Subject: [PATCH 07/82] conditionally append access token --- build/Helix/ProcessHelixFiles.ps1 | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/build/Helix/ProcessHelixFiles.ps1 b/build/Helix/ProcessHelixFiles.ps1 index 7d1051f7a57..b533aa291b4 100644 --- a/build/Helix/ProcessHelixFiles.ps1 +++ b/build/Helix/ProcessHelixFiles.ps1 
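Review bot: Both hunks commit unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> cdc0e240f`) into ProcessHelixFiles.ps1, so the script no longer parses; the conflict needs resolving, not recording. The `=======` side of the first hunk builds `...files?access_token=$HelixAccessToken` inline, putting the token into the URL string up front, whereas the HEAD side defers that to `Append-HelixAccessTokenToUrl`, which is the side to keep. The `=======` side of the second hunk calls `Append-HelixAccessToken`, a name that differs from the `Append-HelixAccessTokenToUrl` used on the HEAD side, a second reason to discard it. Both hunks sit inside a `foreach ($testRun ...)` loop whose start and end lie outside them.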
@@ -81,12 +81,10 @@ foreach ($testRun in $testRuns.value) if (-not $workItems.Contains($workItem)) { $workItems.Add($workItem) -<<<<<<< HEAD + $filesQueryUri = "https://helix.dot.net/api/2019-06-17/jobs/$helixJobId/workitems/$helixWorkItemName/files" $filesQueryUri = Append-HelixAccessTokenToUrl $filesQueryUri $helixAccessToken -======= - $filesQueryUri = "https://helix.dot.net/api/2019-06-17/jobs/$helixJobId/workitems/$helixWorkItemName/files?access_token=$HelixAccessToken" ->>>>>>> cdc0e240f (re-sprinkle helix access tokens) + $files = Invoke-RestMethodWithRetries $filesQueryUri $screenShots = $files | where { $_.Name.EndsWith(".jpg") } @@ -125,11 +123,8 @@ foreach ($testRun in $testRuns.value) Write-Host "Downloading $link to $destination" -<<<<<<< HEAD $link = Append-HelixAccessTokenToUrl $link $HelixAccessToken -======= - $link = Append-HelixAccessToken $link $HelixAccessToken ->>>>>>> cdc0e240f (re-sprinkle helix access tokens) + Download-FileWithRetries $link $destination } } From ebe8075c13fda96993df7c56af16990cb697fd8f Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 09:41:06 -0700 Subject: [PATCH 08/82] use correct method name --- build/Helix/ProcessHelixFiles.ps1 | 2 -- 1 file changed, 2 deletions(-) diff --git a/build/Helix/ProcessHelixFiles.ps1 b/build/Helix/ProcessHelixFiles.ps1 index b533aa291b4..3c4349d2e67 100644 --- a/build/Helix/ProcessHelixFiles.ps1 +++ b/build/Helix/ProcessHelixFiles.ps1 @@ -84,7 +84,6 @@ foreach ($testRun in $testRuns.value) $filesQueryUri = "https://helix.dot.net/api/2019-06-17/jobs/$helixJobId/workitems/$helixWorkItemName/files" $filesQueryUri = Append-HelixAccessTokenToUrl $filesQueryUri $helixAccessToken - $files = Invoke-RestMethodWithRetries $filesQueryUri $screenShots = $files | where { $_.Name.EndsWith(".jpg") } 
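Review bot: The resolution keeps `Append-HelixAccessTokenToUrl` and drops the inline `?access_token=` form, which is the right choice; what remains is that `$filesQueryUri` now carries the token when it is handed to `Invoke-RestMethodWithRetries`, so if that helper (not visible here) echoes the URI on a retry or failure the token lands in the build log, which is worth confirming and redacting. In the second hunk `Write-Host "Downloading $link to $destination"` runs before the token is appended, and a comment such as `# log before appending the token so it never reaches the build log` would keep a future reorder from undoing that. The blank lines left behind by the resolution can go. The enclosing `foreach` starts and ends outside the hunks.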
@@ -124,7 +123,6 @@ foreach ($testRun in $testRuns.value) Write-Host "Downloading $link to $destination" $link = Append-HelixAccessTokenToUrl $link $HelixAccessToken - Download-FileWithRetries $link $destination } } From ffc5dc36a58f787e228c015ece85729eb56005f4 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:20:24 -0700 Subject: [PATCH 09/82] attempt to break out compliance tasks onto 2019 image and temporarily use recycled artifacts to speed this up --- build/pipelines/release.yml | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 09e17247eb1..071a7ef91ea 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -68,6 +68,7 @@ jobs: BuildPlatform: ${{ platform }} displayName: Build cancelTimeoutInMinutes: 1 + condition: false steps: - checkout: self clean: true 
@@ -266,10 +267,40 @@ jobs: SearchPattern: '**/*.pdb' IndexSources: false SymbolServerType: TeamServices - # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build + +- job: ComplianceTasks + displayName: Validate security and compliance + pool: + vmImage: 'windows-2019' + dependsOn: Build + - task: DownloadBuildArtifacts@0 + displayName: Download Build Artifacts + inputs: + artifactName: appx-x64-Release + downloadPath: $(artifactsPath) + buildType: 'specific' + project: $(System.TeamProjectId) + pipeline: 70913 + buildVersionToDownload: 'specific' + buildId: 37520569 + - task: PowerShell@2 + displayName: Rename and packages to unzip + inputs: + targetType: inline + script: >- + # Rename to known/fixed name + Get-ChildItem CascadiaPackage*.msix | Rename-Item -NewName { $_.name -replace '.msix','.zip' } + workingDirectory: $(System.ArtifactsDirectory)\appx-x64-Release + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '**/*.zip' + cleanDestinationFolder: true + overwriteExistingFiles: true + destinationFolder: $(Build.BinariesDirectory) + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' - - task: PkgESSecComp@10 + - task: PkgESSecComp@12 displayName: 'Security and Compliance tasks' inputs: fileNewBugs: false From 1dc142b3b0a6846ef676b8d703f993963e9eca2b Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:28:02 -0700 Subject: [PATCH 10/82] add checkout bit and nerf dependency --- build/pipelines/release.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 071a7ef91ea..6bed2a74be9 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
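Review bot: The `script: >-` folded scalar joins its lines into one, and that line begins with `# Rename to known/fixed name`, so PowerShell receives a single comment and the `Rename-Item` never executes; `script: |` keeps the line breaks, or drop the comment from the scalar. The new `ComplianceTasks` job lists its `- task:` entries directly under the job mapping with no `steps:` key, which is not a valid job definition. `pipeline: 70913` with `buildVersionToDownload: 'specific'` and `buildId: 37520569` pins the scan to one hand-picked build's artifacts, so the result says nothing about the build being released; if this is the temporary shortcut the subject describes, a `# TEMP:` comment on the `buildId` line makes that visible. The `jobs:` list this hunk extends starts outside the hunk.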
@@ -272,7 +272,13 @@ jobs: displayName: Validate security and compliance pool: vmImage: 'windows-2019' - dependsOn: Build + #dependsOn: Build + steps: + - checkout: self + fetchDepth: 1 + clean: true + submodules: true + persistCredentials: True - task: DownloadBuildArtifacts@0 displayName: Download Build Artifacts inputs: From 75c69fd226b641dace69f016d759e2d712f9e9cd Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:28:41 -0700 Subject: [PATCH 11/82] wrong indent because yaml --- build/pipelines/release.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 6bed2a74be9..486556051b0 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -280,15 +280,15 @@ jobs: submodules: true persistCredentials: True - task: DownloadBuildArtifacts@0 - displayName: Download Build Artifacts - inputs: - artifactName: appx-x64-Release - downloadPath: $(artifactsPath) - buildType: 'specific' - project: $(System.TeamProjectId) - pipeline: 70913 - buildVersionToDownload: 'specific' - buildId: 37520569 + displayName: Download Build Artifacts + inputs: + artifactName: appx-x64-Release + downloadPath: $(artifactsPath) + buildType: 'specific' + project: $(System.TeamProjectId) + pipeline: 70913 + buildVersionToDownload: 'specific' + buildId: 37520569 - task: PowerShell@2 displayName: Rename and packages to unzip inputs: From 8fa0dd1c6af9251b7f179a0973ba578ec51cf69a Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:29:47 -0700 Subject: [PATCH 12/82] apparently pkgesseccomp not updated to 12 for 1es --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 486556051b0..944995b33a7 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
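Review bot: The new checkout sets `persistCredentials: True`, which leaves the job's access token in the local git config for every later step; this job only reads the repository and downloads artifacts, so the key can be omitted (default false) or written `persistCredentials: false`, and in any case lowercase like the `clean: true` beside it. `#dependsOn: Build` is commented out rather than removed; if the job is meant to run independently while the artifact download stays pinned, a comment should say so. The job definition continues outside the hunk.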
@@ -306,7 +306,7 @@ jobs: # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' - - task: PkgESSecComp@12 + - task: PkgESSecComp@10 displayName: 'Security and Compliance tasks' inputs: fileNewBugs: false From 68c52c2da9ebeed5692c02f97edc568815aeda2b Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:32:33 -0700 Subject: [PATCH 13/82] wrong destination folder for copy pasta --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 944995b33a7..27693625f8a 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -283,7 +283,7 @@ jobs: displayName: Download Build Artifacts inputs: artifactName: appx-x64-Release - downloadPath: $(artifactsPath) + downloadPath: $(System.ArtifactsDirectory) buildType: 'specific' project: $(System.TeamProjectId) pipeline: 70913 From 40f77ffd8fb22cdcd264b767c510e65969166baf Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:37:12 -0700 Subject: [PATCH 14/82] try a different place for archives? --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 27693625f8a..4df46732129 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -299,7 +299,7 @@ jobs: workingDirectory: $(System.ArtifactsDirectory)\appx-x64-Release - task: ExtractFiles@1 inputs: - archiveFilePatterns: '**/*.zip' + archiveFilePatterns: '$(System.ArtifactsDirectory)\appx-x64-Release\*.zip' cleanDestinationFolder: true overwriteExistingFiles: true destinationFolder: $(Build.BinariesDirectory) From ed7ccac92a0237d96ef5aa2ce269a690a979f2eb Mon Sep 17 00:00:00 2001 
From: Michael Niksa Date: Thu, 5 Aug 2021 14:38:50 -0700 Subject: [PATCH 15/82] make testing this slightly easier temporarily --- build/pipelines/release.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 4df46732129..fb978c19506 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -19,7 +19,7 @@ parameters: - name: buildTerminal displayName: "Build Windows Terminal MSIX" type: boolean - default: true + default: false - name: buildTerminalVPack displayName: "Build Windows Terminal VPack" type: boolean @@ -31,7 +31,7 @@ parameters: - name: pgoBuildMode displayName: "PGO Build Mode" type: string - default: Optimize + default: None values: - Optimize - Instrument @@ -45,8 +45,8 @@ parameters: type: object default: - x64 - - x86 - - arm64 + # - x86 + # - arm64 variables: TerminalInternalPackageVersion: "0.0.7" From 61eea113b21a5c0fbd9a4ef4b6af0b20ae3056b5 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:42:43 -0700 Subject: [PATCH 16/82] try to show output --- build/pipelines/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index fb978c19506..5cd97e0dfe5 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -296,6 +296,7 @@ jobs: script: >- # Rename to known/fixed name Get-ChildItem CascadiaPackage*.msix | Rename-Item -NewName { $_.name -replace '.msix','.zip' } + Get-ChildItem -Recurse workingDirectory: $(System.ArtifactsDirectory)\appx-x64-Release - task: ExtractFiles@1 inputs: From 96a7f2575f9d63aeeacc475be5a7e7b6122bb94c Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:44:17 -0700 Subject: [PATCH 17/82] try to show output --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 5cd97e0dfe5..2a790fb17b8 100644 
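Review bot: The three hunks of this patch change parameter defaults (`default: false` for buildTerminal, `default: None` for pgoBuildMode, x86 and arm64 commented out) that the subject calls temporary; on release.yml those defaults are what a manually queued run uses, so they must be reverted before merge and a `# TEMP` marker on each changed line keeps them from slipping through. The parameters list starts outside the first hunk.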
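Review bot: The patch 16 hunk appends `Get-ChildItem -Recurse` inside the `script: >-` folded scalar, where folding joins it onto the line that starts with `# Rename to known/fixed name`, so it becomes part of a PowerShell comment and prints nothing; switching the scalar to `script: |` is what makes the output appear, and also what makes the rename run. The task continues outside the hunk.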
--- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -296,7 +296,7 @@ jobs: script: >- # Rename to known/fixed name Get-ChildItem CascadiaPackage*.msix | Rename-Item -NewName { $_.name -replace '.msix','.zip' } - Get-ChildItem -Recurse + Get-ChildItem -Recurse $(System.ArtifactsDirectory) workingDirectory: $(System.ArtifactsDirectory)\appx-x64-Release - task: ExtractFiles@1 inputs: From 865a0d71445675a70a456ad993678ddc587ff98b Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:48:40 -0700 Subject: [PATCH 18/82] try to show output --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 2a790fb17b8..a7561d63b7e 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -296,7 +296,7 @@ jobs: script: >- # Rename to known/fixed name Get-ChildItem CascadiaPackage*.msix | Rename-Item -NewName { $_.name -replace '.msix','.zip' } - Get-ChildItem -Recurse $(System.ArtifactsDirectory) + Get-ChildItem -Recurse $(System.ArtifactsDirectory) | Write-Host workingDirectory: $(System.ArtifactsDirectory)\appx-x64-Release - task: ExtractFiles@1 inputs: From 2e3c8ac5cd2d1ac11aa7478a0cb3f2ccc80d0844 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:49:12 -0700 Subject: [PATCH 19/82] more unzip fun --- build/pipelines/release.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index a7561d63b7e..671aefd5568 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -300,7 +300,13 @@ jobs: workingDirectory: $(System.ArtifactsDirectory)\appx-x64-Release - task: ExtractFiles@1 inputs: - archiveFilePatterns: '$(System.ArtifactsDirectory)\appx-x64-Release\*.zip' + archiveFilePatterns: '$(System.ArtifactsDirectory)\**\*.zip' + cleanDestinationFolder: true + overwriteExistingFiles: true + destinationFolder: $(Build.BinariesDirectory) + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '$(System.ArtifactsDirectory)\**\*.msix' cleanDestinationFolder: true overwriteExistingFiles: true destinationFolder: $(Build.BinariesDirectory) From 446f4b5a89ada7aa4752328941426f68e3f0247b Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:55:25 -0700 Subject: [PATCH 20/82] messin' about --- build/pipelines/release.yml | 27 ++++++++------------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 671aefd5568..70c02b5c4e9 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -270,8 +270,12 @@ jobs: - job: ComplianceTasks displayName: Validate security and compliance - pool: - vmImage: 'windows-2019' + # pool: + # vmImage: 'windows-2019' + pool: + name: WinDevPool-L + demands: + - ImageOverride -equals MMS2019 #dependsOn: Build steps: - checkout: self 
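Review bot: The second `ExtractFiles@1` added here repeats `cleanDestinationFolder: true` with the same `destinationFolder: $(Build.BinariesDirectory)`, so it wipes what the first extraction just produced before unpacking the `.msix`; the second task needs `cleanDestinationFolder: false`. Neither task has a `displayName`, so two identical entries appear in the log. The steps list continues outside the hunk.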
@@ -289,21 +293,6 @@ jobs: pipeline: 70913 buildVersionToDownload: 'specific' buildId: 37520569 - - task: PowerShell@2 - displayName: Rename and packages to unzip - inputs: - targetType: inline - script: >- - # Rename to known/fixed name - Get-ChildItem CascadiaPackage*.msix | Rename-Item -NewName { $_.name -replace '.msix','.zip' } - Get-ChildItem -Recurse $(System.ArtifactsDirectory) | Write-Host - workingDirectory: $(System.ArtifactsDirectory)\appx-x64-Release - - task: ExtractFiles@1 - inputs: - archiveFilePatterns: '$(System.ArtifactsDirectory)\**\*.zip' - cleanDestinationFolder: true - overwriteExistingFiles: true - destinationFolder: $(Build.BinariesDirectory) - task: ExtractFiles@1 inputs: archiveFilePatterns: '$(System.ArtifactsDirectory)\**\*.msix' @@ -327,9 +316,9 @@ jobs: taskLogVerbosity: Diagnostic secCompConfigFromTask: | # Overrides default build sources directory - sourceTargetOverrideAll: d:\ba\s\ + sourceTargetOverrideAll: $(Build.SourcesDirectory) # Overrides default build binaries directory when "Scan all" option is specified - binariesTargetOverrideAll: d:\ba\b\ + binariesTargetOverrideAll: $(Build.BinariesDirectory) # Set the tools to false if they should not run in the build tools: From b237283d356d9d4d5e245d7695240f18217cfe45 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 5 Aug 2021 14:56:28 -0700 Subject: [PATCH 21/82] vmimage --- build/pipelines/release.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 70c02b5c4e9..61f25f6f1ee 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -270,12 +270,8 @@ jobs: - job: ComplianceTasks displayName: Validate security and compliance - # pool: - # vmImage: 'windows-2019' - pool: - name: WinDevPool-L - demands: - - ImageOverride -equals MMS2019 + pool: + vmImage: 'windows-2019' #dependsOn: Build steps: - checkout: self 
From 5c4c7082b2ddd5a6d8e2dffc6ef7eef4cc839df9 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 10 Aug 2021 09:29:40 -0700 Subject: [PATCH 22/82] add pkges setup task to compliance pipe --- build/pipelines/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 61f25f6f1ee..cca6eae13e2 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -279,6 +279,8 @@ jobs: clean: true submodules: true persistCredentials: True + - task: PkgESSetupBuild@12 + displayName: 'Package ES - Setup Build' - task: DownloadBuildArtifacts@0 displayName: Download Build Artifacts inputs: From 77eab3c3f4f3e755c12bcd2b6ddf661d7cd9340f Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 10 Aug 2021 10:49:59 -0700 Subject: [PATCH 23/82] update match patterns --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index cca6eae13e2..06a2a69fec3 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -293,7 +293,7 @@ jobs: buildId: 37520569 - task: ExtractFiles@1 inputs: - archiveFilePatterns: '$(System.ArtifactsDirectory)\**\*.msix' + archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.msix;$(System.ArtifactsDirectory)\**\CascadiaPackage*.appxsym' cleanDestinationFolder: true overwriteExistingFiles: true destinationFolder: $(Build.BinariesDirectory) From a4d6ad8722b86a2f7df39ff3d2bde98cdf2b199e Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 10 Aug 2021 11:31:22 -0700 Subject: [PATCH 24/82] separate extract into two steps I guess --- build/pipelines/release.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 06a2a69fec3..f461067e3fe 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -293,10 +293,16 @@ jobs: buildId: 37520569 - task: ExtractFiles@1 inputs: - archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.msix;$(System.ArtifactsDirectory)\**\CascadiaPackage*.appxsym' + archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.msix' cleanDestinationFolder: true overwriteExistingFiles: true destinationFolder: $(Build.BinariesDirectory) + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.appxsym' + cleanDestinationFolder: false + overwriteExistingFiles: true + destinationFolder: $(Build.BinariesDirectory) # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' From f7b1e96f9e6fa8fabba8f1ec6f9debff36b4400b Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 10 Aug 2021 13:02:09 -0700 Subject: [PATCH 25/82] throw more things at the wall --- build/pipelines/release.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index f461067e3fe..3339daa93dc 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
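Review bot: Both `ExtractFiles@1` tasks still have no `displayName`, so the log shows two identical task entries; `displayName: Extract MSIX into binaries directory` on the first and `displayName: Extract appxsym alongside binaries` on the second would tell them apart. The second task's `cleanDestinationFolder: false` is the right setting so the MSIX contents survive the second extraction. The steps list continues outside the hunk.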
@@ -281,6 +281,26 @@ jobs: persistCredentials: True - task: PkgESSetupBuild@12 displayName: 'Package ES - Setup Build' + + - task: NuGetAuthenticate@0 + + # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html + - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 + displayName: Component Detection + + # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2 + displayName: 'Run the PREfast SDL Native Rules for MSBuild' + condition: succeededOrFailed() + + # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp + - task: CopyFiles@1 + displayName: 'Copy PREfast xml files to SDLNativeRulesDir' + inputs: + SourceFolder: '$(Agent.BuildDirectory)' + Contents: | + **\*.nativecodeanalysis.xml + TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - task: DownloadBuildArtifacts@0 displayName: Download Build Artifacts inputs: From 4f697bd56fc2593207fef11759591dd921426db0 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 30 Nov 2021 15:17:39 -0800 Subject: [PATCH 26/82] remove line --- build/Helix/ProcessHelixFiles.ps1 | 1 - 1 file changed, 1 deletion(-) diff --git a/build/Helix/ProcessHelixFiles.ps1 b/build/Helix/ProcessHelixFiles.ps1 index 3c4349d2e67..dcd3608a5d4 100644 --- a/build/Helix/ProcessHelixFiles.ps1 +++ b/build/Helix/ProcessHelixFiles.ps1 @@ -81,7 +81,6 @@ foreach ($testRun in $testRuns.value) if (-not $workItems.Contains($workItem)) { $workItems.Add($workItem) - $filesQueryUri = "https://helix.dot.net/api/2019-06-17/jobs/$helixJobId/workitems/$helixWorkItemName/files" $filesQueryUri = Append-HelixAccessTokenToUrl $filesQueryUri $helixAccessToken $files = Invoke-RestMethodWithRetries $filesQueryUri 
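Review bot: `condition: succeededOrFailed()` on the PREfast task makes it run after an earlier step has already failed, spending time analysing a workspace that may be half set up; unless the intent is to always collect PREfast results, the default condition is the safer choice. The Component Detection task is referenced by the fully qualified id `ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0`, while the Build job uses the short `ComponentGovernanceComponentDetection@0`; one form for both reads better. `NuGetAuthenticate@0` has no `displayName` and no comment saying which feed this job needs it for. The steps list continues outside the hunk.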
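Review bot: With this deletion ProcessHelixFiles.ps1 returns to blob `dcd3608a5d4`, the same index the series started from in patch 06, so patches 06, 07, 08 and 26 net to no change in that file and only leave committed conflict markers in history; squashing them out of the series before merge keeps bisect and blame clean. The enclosing `foreach` starts and ends outside the hunk.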
From 826f8c0baa81025dba37aefd6e212147052e9b39 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 30 Nov 2021 15:22:13 -0800 Subject: [PATCH 27/82] let's see how this blends --- build/pipelines/release.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 3339daa93dc..301c4b52d2f 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -4,9 +4,7 @@ pr: none pool: name: WinDevPool-L - demands: - - ImageOverride -equals WinDevVS16-latest - - ImageVersionOverride -equals 2.0.0 + demands: ImageOverride -equals WinDevVS16-latest parameters: - name: branding @@ -310,7 +308,7 @@ jobs: project: $(System.TeamProjectId) pipeline: 70913 buildVersionToDownload: 'specific' - buildId: 37520569 + buildId: 41716590 - task: ExtractFiles@1 inputs: archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.msix' From a9a3789cf4c77716b8b101cb194e232e708d70d6 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 30 Nov 2021 15:47:49 -0800 Subject: [PATCH 28/82] fiddle about --- build/pipelines/release.yml | 54 ++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 301c4b52d2f..d476ade6572 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -66,7 +66,7 @@ jobs: BuildPlatform: ${{ platform }} displayName: Build cancelTimeoutInMinutes: 1 - condition: false + condition: true steps: - checkout: self clean: true 
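Review bot: `condition: true` on the Build job (patch 28, first hunk) is not the same as removing the testing toggle: with no `condition:` a job runs under `succeeded()`, whereas `true` runs it even when an upstream dependency has failed, so the line should be deleted rather than flipped. The `buildId: 41716590` update in the patch 27 hunk on this line keeps the compliance scan pinned to a hand-picked build; that pin has to go before the job's result is trusted for a release. The job definition continues outside the hunk.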
@@ -204,6 +204,7 @@ jobs: filePath: build\scripts\Index-Pdbs.ps1 arguments: -SearchDir '$(Build.SourcesDirectory)' -SourceRoot '$(Build.SourcesDirectory)' -recursive -Verbose -CommitId $(Build.SourceVersion) errorActionPreference: silentlyContinue + # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html - task: ComponentGovernanceComponentDetection@0 displayName: Component Detection - task: PowerShell@2 
@@ -265,9 +266,60 @@ jobs: SearchPattern: '**/*.pdb' IndexSources: false SymbolServerType: TeamServices + + # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2 + displayName: 'Run the PREfast SDL Native Rules for MSBuild' + condition: succeededOrFailed() + + # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp + - task: CopyFiles@1 + displayName: 'Copy PREfast xml files to SDLNativeRulesDir' + inputs: + SourceFolder: '$(Agent.BuildDirectory)' + Contents: | + **\*.nativecodeanalysis.xml + TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' + + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build + - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” + displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' + + - task: PkgESSecComp@10 + displayName: 'Security and Compliance tasks' + inputs: + fileNewBugs: false + areaPath: 'OS\WDX\DXP\WinDev\Terminal' + teamProject: 'OS' + iterationPath: 'OS\Future' + bugTags: 'TerminalReleaseCompliance' + scanAll: true + errOnBugs: false + failOnStdErr: true + taskLogVerbosity: Diagnostic + release: Iron + secCompConfigFromTask: | + # Overrides default build sources directory + sourceTargetOverrideAll: d:\ba\s\ + # Overrides default build binaries directory when "Scan all" option is specified + binariesTargetOverrideAll: d:\ba\b\ + + # Set the tools to false if they should not run in the build + tools: + - toolName: CheckCFlags + enable: true + - toolName: CFGCheck + enable: true + - toolName: Policheck + enable: true + - toolName: CredScan + enable: true + - toolName: XFGCheck + enable: true - job: ComplianceTasks displayName: Validate security and compliance + condition: false pool: vmImage: 'windows-2019' #dependsOn: Build From aa12f453eef16236357595908709e124fb66cdab Mon Sep 17 00:00:00 2001 
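Review bot: `sourceTargetOverrideAll: d:\ba\s\` and `binariesTargetOverrideAll: d:\ba\b\` reappear as hard-coded agent paths, although the patch 20 hunk already replaced these same two lines with `$(Build.SourcesDirectory)` and `$(Build.BinariesDirectory)` in the other job; the macro form belongs here too. With `fileNewBugs: false` and `errOnBugs: false`, findings from CredScan, Policheck and the other now-enabled tools neither fail the step nor open a work item, so a hit goes unrecorded unless someone reads the log — `errOnBugs: true` or `fileNewBugs: true` gives the release an actual gate. The same block now exists twice, here and in `ComplianceTasks`, which this hunk switches to `condition: false`; removing the disabled copy beats keeping two in sync. The steps list starts outside the hunk.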
From: Michael Niksa Date: Wed, 1 Dec 2021 15:42:14 -0800 Subject: [PATCH 29/82] ran out of heap space on compile with x86. fortunately v3 of the task (which I was supposed to move to anyway) uses x64 by default. --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index d476ade6572..169fb502f22 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -268,7 +268,7 @@ jobs: SymbolServerType: TeamServices # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2 + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() From c9ded19007aea1060bc8c7f9163b6e4b89d835a0 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 2 Dec 2021 15:58:57 -0800 Subject: [PATCH 30/82] apparently npm is required by v3. go back to v2 and force x64 to pass the heap thing. --- build/pipelines/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 169fb502f22..8c5c00b0dc7 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -268,9 +268,11 @@ jobs: SymbolServerType: TeamServices # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() + inputs: + msBuildArchitecture: x64 # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - task: CopyFiles@1 
From cb829f5ce57f2bc8338151444ff5b0bbb7f48157 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 10:02:51 -0800 Subject: [PATCH 31/82] use v3 I guess and install npm --- build/pipelines/release.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 8c5c00b0dc7..ada290d28be 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -76,6 +76,10 @@ jobs: displayName: Package ES - Setup Build inputs: disableOutputRedirect: true + # install npm because the security tasks need it (prefast@3 specifically) + - task: Npm@1 + inputs: + command: 'install' - task: PowerShell@2 displayName: Rationalize Build Platform inputs: @@ -341,7 +345,7 @@ jobs: displayName: Component Detection # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2 + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() From 8607097977e46ec495a2db9f6112e8a53db76201 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 10:04:16 -0800 Subject: [PATCH 32/82] stop confusing myself. --- build/pipelines/release.yml | 94 +------------------------------------ 1 file changed, 1 insertion(+), 93 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index ada290d28be..1b28fbe5358 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
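Review bot: The new `Npm@1` step runs `npm install` inside the release Build job with no `workingDir`, `displayName` or lockfile requirement, so it executes the install scripts of whatever dependency tree resolves on that day, on a build agent of the release pipeline; `command: 'ci'` against a committed package-lock.json is the reproducible form, and placing the step just before the PREfast task that needs it rather than ahead of the whole build limits what runs after it. The comment says prefast@3 needs npm, but nothing shows which package.json is being installed, and `workingDir` would make that explicit. The steps list starts outside the first hunk.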
@@ -272,11 +272,9 @@ jobs: SymbolServerType: TeamServices # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2 + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() - inputs: - msBuildArchitecture: x64 # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - task: CopyFiles@1 
@@ -323,96 +321,6 @@ jobs: - toolName: XFGCheck enable: true -- job: ComplianceTasks - displayName: Validate security and compliance - condition: false - pool: - vmImage: 'windows-2019' - #dependsOn: Build - steps: - - checkout: self - fetchDepth: 1 - clean: true - submodules: true - persistCredentials: True - - task: PkgESSetupBuild@12 - displayName: 'Package ES - Setup Build' - - - task: NuGetAuthenticate@0 - - # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html - - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 - displayName: Component Detection - - # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 - displayName: 'Run the PREfast SDL Native Rules for MSBuild' - condition: succeededOrFailed() - - # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - - task: CopyFiles@1 - displayName: 'Copy PREfast xml files to SDLNativeRulesDir' - inputs: - SourceFolder: '$(Agent.BuildDirectory)' - Contents: | - **\*.nativecodeanalysis.xml - TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - - task: DownloadBuildArtifacts@0 - displayName: Download Build Artifacts - inputs: - artifactName: appx-x64-Release - downloadPath: $(System.ArtifactsDirectory) - buildType: 'specific' - project: $(System.TeamProjectId) - pipeline: 70913 - buildVersionToDownload: 'specific' - buildId: 41716590 - - task: ExtractFiles@1 - inputs: - archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.msix' - cleanDestinationFolder: true - overwriteExistingFiles: true - destinationFolder: $(Build.BinariesDirectory) - - task: ExtractFiles@1 - inputs: - archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.appxsym' - cleanDestinationFolder: false - 
overwriteExistingFiles: true - destinationFolder: $(Build.BinariesDirectory) - # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” - displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' - - task: PkgESSecComp@10 - displayName: 'Security and Compliance tasks' - inputs: - fileNewBugs: false - areaPath: 'OS\WDX\DXP\WinDev\Terminal' - teamProject: 'OS' - iterationPath: 'OS\Future' - bugTags: 'TerminalReleaseCompliance' - scanAll: true - errOnBugs: false - failOnStdErr: true - taskLogVerbosity: Diagnostic - secCompConfigFromTask: | - # Overrides default build sources directory - sourceTargetOverrideAll: $(Build.SourcesDirectory) - # Overrides default build binaries directory when "Scan all" option is specified - binariesTargetOverrideAll: $(Build.BinariesDirectory) - - # Set the tools to false if they should not run in the build - tools: - - toolName: CheckCFlags - enable: true - - toolName: CFGCheck - enable: true - - toolName: Policheck - enable: false - - toolName: CredScan - enable: false - - toolName: XFGCheck - enable: false - - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign displayName: Create and sign AppX/MSIX bundles From 4c34f0b5142df5fc103205385dc2da79246c28a9 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 10:20:20 -0800 Subject: [PATCH 33/82] wrong node installer --- build/pipelines/release.yml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 1b28fbe5358..ad94e0d8696 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -76,10 +76,6 @@ jobs: displayName: Package ES - Setup Build inputs: disableOutputRedirect: true - # install npm because the security tasks need it (prefast@3 specifically) - - task: Npm@1 - inputs: - command: 'install' - task: PowerShell@2 displayName: Rationalize Build Platform inputs: @@ -272,6 +268,8 @@ jobs: SymbolServerType: TeamServices # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + # install npm because the security tasks need it (prefast@3 specifically) + - task: NodeTool@0 - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() From fd14a71a0791b8013ea06ac9c56b7dd8f5db5dbe Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 11:13:00 -0800 Subject: [PATCH 34/82] Revert "wrong node installer" This reverts commit 4c34f0b5142df5fc103205385dc2da79246c28a9. --- build/pipelines/release.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index ad94e0d8696..1b28fbe5358 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -76,6 +76,10 @@ jobs: displayName: Package ES - Setup Build inputs: disableOutputRedirect: true + # install npm because the security tasks need it (prefast@3 specifically) + - task: Npm@1 + inputs: + command: 'install' - task: PowerShell@2 displayName: Rationalize Build Platform inputs: @@ -268,8 +272,6 @@ jobs: SymbolServerType: TeamServices # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - # install npm because the security tasks need it (prefast@3 specifically) - - task: NodeTool@0 - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() From ee69e067c28a3ab90257a1802318a6881075cff3 Mon Sep 17 00:00:00 2001 
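Review bot: The `- task: NodeTool@0` added before the SDLNativeRules@3 step in the second hunk of patch 33/82 carries no `inputs`, so the Node version the security scan runs on comes from the task's built-in default version range rather than one this pipeline controls, and can change between runs without a commit. Pin it with `inputs:` / `versionSpec: '<pinned major.minor>'` and give it a `displayName` like the surrounding tasks. Patch 34/82 on this same line reverts the step, but the identical bare `NodeTool@0` returns in patch 40/82 (`# PREfast needs Node. Install that first.`), where the same fix applies.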
From: Michael Niksa Date: Fri, 3 Dec 2021 11:13:04 -0800 Subject: [PATCH 35/82] Revert "stop confusing myself." This reverts commit 8607097977e46ec495a2db9f6112e8a53db76201. --- build/pipelines/release.yml | 94 ++++++++++++++++++++++++++++++++++++- 1 file changed, 93 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 1b28fbe5358..ada290d28be 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -272,9 +272,11 @@ jobs: SymbolServerType: TeamServices # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() + inputs: + msBuildArchitecture: x64 # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - task: CopyFiles@1 
@@ -321,6 +323,96 @@ jobs: - toolName: XFGCheck enable: true +- job: ComplianceTasks + displayName: Validate security and compliance + condition: false + pool: + vmImage: 'windows-2019' + #dependsOn: Build + steps: + - checkout: self + fetchDepth: 1 + clean: true + submodules: true + persistCredentials: True + - task: PkgESSetupBuild@12 + displayName: 'Package ES - Setup Build' + + - task: NuGetAuthenticate@0 + + # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html + - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 + displayName: Component Detection + + # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 + displayName: 'Run the PREfast SDL Native Rules for MSBuild' + condition: succeededOrFailed() + + # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp + - task: CopyFiles@1 + displayName: 'Copy PREfast xml files to SDLNativeRulesDir' + inputs: + SourceFolder: '$(Agent.BuildDirectory)' + Contents: | + **\*.nativecodeanalysis.xml + TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' + - task: DownloadBuildArtifacts@0 + displayName: Download Build Artifacts + inputs: + artifactName: appx-x64-Release + downloadPath: $(System.ArtifactsDirectory) + buildType: 'specific' + project: $(System.TeamProjectId) + pipeline: 70913 + buildVersionToDownload: 'specific' + buildId: 41716590 + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.msix' + cleanDestinationFolder: true + overwriteExistingFiles: true + destinationFolder: $(Build.BinariesDirectory) + - task: ExtractFiles@1 + inputs: + archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.appxsym' + cleanDestinationFolder: false + 
overwriteExistingFiles: true + destinationFolder: $(Build.BinariesDirectory) + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build + - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” + displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' + - task: PkgESSecComp@10 + displayName: 'Security and Compliance tasks' + inputs: + fileNewBugs: false + areaPath: 'OS\WDX\DXP\WinDev\Terminal' + teamProject: 'OS' + iterationPath: 'OS\Future' + bugTags: 'TerminalReleaseCompliance' + scanAll: true + errOnBugs: false + failOnStdErr: true + taskLogVerbosity: Diagnostic + secCompConfigFromTask: | + # Overrides default build sources directory + sourceTargetOverrideAll: $(Build.SourcesDirectory) + # Overrides default build binaries directory when "Scan all" option is specified + binariesTargetOverrideAll: $(Build.BinariesDirectory) + + # Set the tools to false if they should not run in the build + tools: + - toolName: CheckCFlags + enable: true + - toolName: CFGCheck + enable: true + - toolName: Policheck + enable: false + - toolName: CredScan + enable: false + - toolName: XFGCheck + enable: false + - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign displayName: Create and sign AppX/MSIX bundles From 95a1fff00c721a1ecd0886ddcae5b7b20eaa5e1b Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 11:18:38 -0800 Subject: [PATCH 36/82] ok let's try this who knows. --- build/pipelines/release.yml | 87 ++----------------------------------- 1 file changed, 4 insertions(+), 83 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index ada290d28be..46131638eb5 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -66,7 +66,7 @@ jobs: BuildPlatform: ${{ platform }} displayName: Build cancelTimeoutInMinutes: 1 - condition: true + condition: false steps: - checkout: self clean: true 
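Review bot: The `ComplianceTasks` job restored by this revert scans a fixed historical build rather than the run it belongs to: `DownloadBuildArtifacts@0` is pinned to `pipeline: 70913` / `buildId: 41716590` with `buildVersionToDownload: 'specific'`, so whatever PkgESSecComp reports never describes the binaries actually being released. The checkout sets `persistCredentials: True`, which keeps the repository token available to every later step in the job including the artifact extraction; unless a later step needs to fetch or push, drop it. With `CredScan`, `Policheck` and `XFGCheck` at `enable: false`, a job titled 'Validate security and compliance' only runs CheckCFlags and CFGCheck — a comment stating why those three are off, or enabling them as the Build-job copy of this task does, would make the intended scope explicit. Note the job is still `condition: false`, so none of this executes until that is flipped.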
@@ -76,10 +76,6 @@ jobs: displayName: Package ES - Setup Build inputs: disableOutputRedirect: true - # install npm because the security tasks need it (prefast@3 specifically) - - task: Npm@1 - inputs: - command: 'install' - task: PowerShell@2 displayName: Rationalize Build Platform inputs: @@ -208,9 +204,6 @@ jobs: filePath: build\scripts\Index-Pdbs.ps1 arguments: -SearchDir '$(Build.SourcesDirectory)' -SourceRoot '$(Build.SourcesDirectory)' -recursive -Verbose -CommitId $(Build.SourceVersion) errorActionPreference: silentlyContinue - # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html - - task: ComponentGovernanceComponentDetection@0 - displayName: Component Detection - task: PowerShell@2 displayName: Run Unit Tests condition: and(succeeded(), or(eq(variables['BuildPlatform'], 'x64'), eq(variables['BuildPlatform'], 'x86'))) 
@@ -270,62 +263,10 @@ jobs: SearchPattern: '**/*.pdb' IndexSources: false SymbolServerType: TeamServices - - # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2 - displayName: 'Run the PREfast SDL Native Rules for MSBuild' - condition: succeededOrFailed() - inputs: - msBuildArchitecture: x64 - - # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - - task: CopyFiles@1 - displayName: 'Copy PREfast xml files to SDLNativeRulesDir' - inputs: - SourceFolder: '$(Agent.BuildDirectory)' - Contents: | - **\*.nativecodeanalysis.xml - TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - - # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” - displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' - - - task: PkgESSecComp@10 - displayName: 'Security and Compliance tasks' - inputs: - fileNewBugs: false - areaPath: 'OS\WDX\DXP\WinDev\Terminal' - teamProject: 'OS' - iterationPath: 'OS\Future' - bugTags: 'TerminalReleaseCompliance' - scanAll: true - errOnBugs: false - failOnStdErr: true - taskLogVerbosity: Diagnostic - release: Iron - secCompConfigFromTask: | - # Overrides default build sources directory - sourceTargetOverrideAll: d:\ba\s\ - # Overrides default build binaries directory when "Scan all" option is specified - binariesTargetOverrideAll: d:\ba\b\ - - # Set the tools to false if they should not run in the build - tools: - - toolName: CheckCFlags - enable: true - - toolName: CFGCheck - enable: true - - toolName: Policheck - enable: true - - toolName: CredScan - enable: true - - toolName: XFGCheck - enable: true - job: ComplianceTasks displayName: Validate security and compliance - condition: false + condition: true pool: vmImage: 'windows-2019' #dependsOn: Build 
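Review bot: After this hunk no job runs CredScan, PoliCheck or XFGCheck: the `PkgESSecComp@10` step removed from the Build job had all five tools at `enable: true` and a `release: Iron` key, while the `ComplianceTasks` job that the `condition: true` change now enables keeps those three tools at `enable: false` (its tool list is in the patch 35/82 hunk above). If moving the scan between jobs is intentional, carry the `enable: true` values and the `release:` key over to the surviving task so the release scan's coverage does not shrink silently. The removed copy did hard-code `d:\ba\s\` / `d:\ba\b\` as scan roots; the surviving one's `$(Build.SourcesDirectory)` / `$(Build.BinariesDirectory)` is the better form and should be kept.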
@@ -348,6 +289,8 @@ jobs: - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() + inputs: + msBuildCommandline: /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Clean /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - task: CopyFiles@1 @@ -357,28 +300,6 @@ jobs: Contents: | **\*.nativecodeanalysis.xml TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - - task: DownloadBuildArtifacts@0 - displayName: Download Build Artifacts - inputs: - artifactName: appx-x64-Release - downloadPath: $(System.ArtifactsDirectory) - buildType: 'specific' - project: $(System.TeamProjectId) - pipeline: 70913 - buildVersionToDownload: 'specific' - buildId: 41716590 - - task: ExtractFiles@1 - inputs: - archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.msix' - cleanDestinationFolder: true - overwriteExistingFiles: true - destinationFolder: $(Build.BinariesDirectory) - - task: ExtractFiles@1 - inputs: - archiveFilePatterns: '$(System.ArtifactsDirectory)\**\CascadiaPackage*.appxsym' - cleanDestinationFolder: false - overwriteExistingFiles: true - destinationFolder: $(Build.BinariesDirectory) # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' From 9908721a0c203e6682207d76c37b36479714700e Mon Sep 17 00:00:00 2001 
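Review bot: The `msBuildCommandline` added in the first hunk references `$(BuildPlatform)` and `$(BuildConfiguration)`, but the `ComplianceTasks` job it belongs to declares no such variables (only the Build job gets them, from its matrix), so the macros are left as literal text and `/p:platform=$(BuildPlatform)` selects no platform. Declare them on the job — `variables:` / `BuildConfiguration: Release` / `BuildPlatform: x64` — or pass them in as parameters. The same line runs `/t:Clean` plus the build targets with no restore step, so on the fresh `windows-2019` image the solution's packages are absent; an msbuild `/restore` switch on that invocation covers it. The second hunk removes the artifact download/extract steps, which means the binaries PkgESSecComp scans are now only what this PREfast build itself produces — worth stating in the comment above the step.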
From: Michael Niksa Date: Fri, 3 Dec 2021 11:19:35 -0800 Subject: [PATCH 37/82] build msix default --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 46131638eb5..1f39d73a49c 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -17,7 +17,7 @@ parameters: - name: buildTerminal displayName: "Build Windows Terminal MSIX" type: boolean - default: false + default: true - name: buildTerminalVPack displayName: "Build Windows Terminal VPack" type: boolean From 0b6ac5968568961a59d42c8b9fd8bf8171be4f04 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 12:47:10 -0800 Subject: [PATCH 38/82] boo --- build/pipelines/release.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 1f39d73a49c..148fc9b5fd3 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -267,6 +267,9 @@ jobs: - job: ComplianceTasks displayName: Validate security and compliance condition: true + variables: + BuildConfiguration: Release + BuildPlatform: x64 pool: vmImage: 'windows-2019' #dependsOn: Build 
@@ -290,7 +293,7 @@ jobs: displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() inputs: - msBuildCommandline: /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Clean /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln + msBuildCommandline: /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Clean /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - task: CopyFiles@1 From 7c7e42798e46528dfb3e34c6f4d918a889bc9002 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 12:56:42 -0800 Subject: [PATCH 39/82] add msbuild.exe --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 148fc9b5fd3..27e1958c69f 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -293,7 +293,7 @@ jobs: displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() inputs: - msBuildCommandline: /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Clean /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln + msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Clean /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - task: CopyFiles@1 From ead0864f210cfc76d053159e489efe9207ae3e46 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 13:24:35 -0800 Subject: [PATCH 40/82] throw more eggs at the wall --- build/pipelines/release.yml | 25 +++++-------------------- 1 file changed, 5 insertions(+), 20 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 27e1958c69f..54ab63fdb72 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -256,6 +256,7 @@ jobs: inputs: PathtoPublish: $(Build.ArtifactStagingDirectory)/wpf ArtifactName: wpf-dll-$(BuildPlatform)-$(BuildConfiguration) + - task: PublishSymbols@2 displayName: Publish symbols path continueOnError: True 
@@ -264,30 +265,13 @@ jobs: IndexSources: false SymbolServerType: TeamServices -- job: ComplianceTasks - displayName: Validate security and compliance - condition: true - variables: - BuildConfiguration: Release - BuildPlatform: x64 - pool: - vmImage: 'windows-2019' - #dependsOn: Build - steps: - - checkout: self - fetchDepth: 1 - clean: true - submodules: true - persistCredentials: True - - task: PkgESSetupBuild@12 - displayName: 'Package ES - Setup Build' - - - task: NuGetAuthenticate@0 - # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 displayName: Component Detection + # PREfast needs Node. Install that first. + - task: NodeTool@0 + # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' @@ -303,6 +287,7 @@ jobs: Contents: | **\*.nativecodeanalysis.xml TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' From c4a5c09cb301456abc689e223c2068fd8377e721 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 13:31:38 -0800 Subject: [PATCH 41/82] true --- build/pipelines/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 54ab63fdb72..938beda309f 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -66,7 +66,7 @@ jobs: BuildPlatform: ${{ platform }} displayName: Build cancelTimeoutInMinutes: 1 - condition: false + condition: true steps: - checkout: self clean: true @@ -271,7 +271,7 @@ jobs: # PREfast needs Node. Install that first. - task: NodeTool@0 - + # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' From 5849938305ae162ab7e03e25975bf99bdaea0a64 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 13:46:35 -0800 Subject: [PATCH 42/82] nerf some stuff while I test --- build/pipelines/release.yml | 234 ++++++++++++++++++------------------ 1 file changed, 117 insertions(+), 117 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 938beda309f..2ab52771653 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -147,123 +147,123 @@ jobs: inputs: filePath: tools/PGODatabase/restore-pgodb.ps1 workingDirectory: $(Build.SourcesDirectory)\tools\PGODatabase - - ${{ if eq(parameters.buildTerminal, true) }}: - - task: VSBuild@1 - displayName: Build solution **\OpenConsole.sln - inputs: - solution: '**\OpenConsole.sln' - vsVersion: 16.0 - msbuildArgs: /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:WindowsTerminalReleaseBuild=true /bl:$(Build.SourcesDirectory)\msbuild.binlog - platform: $(BuildPlatform) - configuration: $(BuildConfiguration) - clean: true - maximumCpuCount: true - - task: PublishBuildArtifacts@1 - displayName: 'Publish Artifact: binlog' - condition: failed() - continueOnError: True - inputs: - PathtoPublish: $(Build.SourcesDirectory)\msbuild.binlog - ArtifactName: binlog-$(BuildPlatform) - - ${{ if eq(parameters.pgoBuildMode, 'Optimize') }}: - - task: PowerShell@2 - displayName: Validate binaries are optimized - condition: and(succeeded(), eq(variables['BuildPlatform'], 'x64')) - inputs: - targetType: inline - script: >- - $Binaries = 'OpenConsole.exe', 'WindowsTerminal.exe', 'TerminalApp.dll', 'TerminalConnection.dll', 'Microsoft.Terminal.Control.dll', 'Microsoft.Terminal.Remoting.dll', 'Microsoft.Terminal.Settings.Editor.dll', 'Microsoft.Terminal.Settings.Model.dll' - - foreach ($BinFile in $Binaries) { - - & "$(Build.SourcesDirectory)\tools\PGODatabase\verify-pgo.ps1" "$(Build.SourcesDirectory)/src/cascadia/CascadiaPackage/bin/$(BuildPlatform)/$(BuildConfiguration)/$BinFile" - - } - - task: PowerShell@2 - displayName: Check MSIX for common regressions - inputs: - targetType: inline - script: >- - $Package = Get-ChildItem -Recurse -Filter "CascadiaPackage_*.msix" - - .\build\scripts\Test-WindowsTerminalPackage.ps1 -Verbose -Path $Package.FullName - pwsh: true - - ${{ if eq(parameters.buildWPF, true) }}: - - 
task: VSBuild@1 - displayName: Build solution **\OpenConsole.sln for PublicTerminalCore - condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) - inputs: - solution: '**\OpenConsole.sln' - vsVersion: 16.0 - msbuildArgs: /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /p:WindowsTerminalReleaseBuild=true /t:Terminal\wpf\PublicTerminalCore - platform: $(BuildPlatform) - configuration: $(BuildConfiguration) - - task: PowerShell@2 - displayName: Source Index PDBs - inputs: - filePath: build\scripts\Index-Pdbs.ps1 - arguments: -SearchDir '$(Build.SourcesDirectory)' -SourceRoot '$(Build.SourcesDirectory)' -recursive -Verbose -CommitId $(Build.SourceVersion) - errorActionPreference: silentlyContinue - - task: PowerShell@2 - displayName: Run Unit Tests - condition: and(succeeded(), or(eq(variables['BuildPlatform'], 'x64'), eq(variables['BuildPlatform'], 'x86'))) - enabled: False - inputs: - filePath: build\scripts\Run-Tests.ps1 - arguments: -MatchPattern '*unit.test*.dll' -Platform '$(RationalizedBuildPlatform)' -Configuration '$(BuildConfiguration)' - - task: PowerShell@2 - displayName: Run Feature Tests - condition: and(succeeded(), eq(variables['BuildPlatform'], 'x64')) - enabled: False - inputs: - filePath: build\scripts\Run-Tests.ps1 - arguments: -MatchPattern '*feature.test*.dll' -Platform '$(RationalizedBuildPlatform)' -Configuration '$(BuildConfiguration)' - - ${{ if eq(parameters.buildTerminal, true) }}: - - task: CopyFiles@2 - displayName: Copy *.appx/*.msix to Artifacts - inputs: - Contents: >- - **/*.appx - - **/*.msix - - **/*.appxsym - - !**/Microsoft.VCLibs*.appx - TargetFolder: $(Build.ArtifactStagingDirectory)/appx - OverWrite: true - flattenFolders: true - - task: PublishBuildArtifacts@1 - displayName: Publish Artifact (appx) - inputs: - PathtoPublish: $(Build.ArtifactStagingDirectory)/appx - ArtifactName: appx-$(BuildPlatform)-$(BuildConfiguration) - - 
${{ if eq(parameters.buildWPF, true) }}: - - task: CopyFiles@2 - displayName: Copy PublicTerminalCore.dll to Artifacts - condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) - inputs: - Contents: >- - **/PublicTerminalCore.dll - - **/api-ms-win-core-synch-l1-2-0.dll - TargetFolder: $(Build.ArtifactStagingDirectory)/wpf - OverWrite: true - flattenFolders: true - - task: PublishBuildArtifacts@1 - displayName: Publish Artifact (PublicTerminalCore) - condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) - inputs: - PathtoPublish: $(Build.ArtifactStagingDirectory)/wpf - ArtifactName: wpf-dll-$(BuildPlatform)-$(BuildConfiguration) - - - task: PublishSymbols@2 - displayName: Publish symbols path - continueOnError: True - inputs: - SearchPattern: '**/*.pdb' - IndexSources: false - SymbolServerType: TeamServices + # - ${{ if eq(parameters.buildTerminal, true) }}: + # - task: VSBuild@1 + # displayName: Build solution **\OpenConsole.sln + # inputs: + # solution: '**\OpenConsole.sln' + # vsVersion: 16.0 + # msbuildArgs: /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:WindowsTerminalReleaseBuild=true /bl:$(Build.SourcesDirectory)\msbuild.binlog + # platform: $(BuildPlatform) + # configuration: $(BuildConfiguration) + # clean: true + # maximumCpuCount: true + # - task: PublishBuildArtifacts@1 + # displayName: 'Publish Artifact: binlog' + # condition: failed() + # continueOnError: True + # inputs: + # PathtoPublish: $(Build.SourcesDirectory)\msbuild.binlog + # ArtifactName: binlog-$(BuildPlatform) + # - ${{ if eq(parameters.pgoBuildMode, 'Optimize') }}: + # - task: PowerShell@2 + # displayName: Validate binaries are optimized + # condition: and(succeeded(), eq(variables['BuildPlatform'], 'x64')) + # inputs: + # targetType: inline + # script: >- + # $Binaries = 'OpenConsole.exe', 
'WindowsTerminal.exe', 'TerminalApp.dll', 'TerminalConnection.dll', 'Microsoft.Terminal.Control.dll', 'Microsoft.Terminal.Remoting.dll', 'Microsoft.Terminal.Settings.Editor.dll', 'Microsoft.Terminal.Settings.Model.dll' + + # foreach ($BinFile in $Binaries) { + + # & "$(Build.SourcesDirectory)\tools\PGODatabase\verify-pgo.ps1" "$(Build.SourcesDirectory)/src/cascadia/CascadiaPackage/bin/$(BuildPlatform)/$(BuildConfiguration)/$BinFile" + + # } + # - task: PowerShell@2 + # displayName: Check MSIX for common regressions + # inputs: + # targetType: inline + # script: >- + # $Package = Get-ChildItem -Recurse -Filter "CascadiaPackage_*.msix" + + # .\build\scripts\Test-WindowsTerminalPackage.ps1 -Verbose -Path $Package.FullName + # pwsh: true + # - ${{ if eq(parameters.buildWPF, true) }}: + # - task: VSBuild@1 + # displayName: Build solution **\OpenConsole.sln for PublicTerminalCore + # condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) + # inputs: + # solution: '**\OpenConsole.sln' + # vsVersion: 16.0 + # msbuildArgs: /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /p:WindowsTerminalReleaseBuild=true /t:Terminal\wpf\PublicTerminalCore + # platform: $(BuildPlatform) + # configuration: $(BuildConfiguration) + # - task: PowerShell@2 + # displayName: Source Index PDBs + # inputs: + # filePath: build\scripts\Index-Pdbs.ps1 + # arguments: -SearchDir '$(Build.SourcesDirectory)' -SourceRoot '$(Build.SourcesDirectory)' -recursive -Verbose -CommitId $(Build.SourceVersion) + # errorActionPreference: silentlyContinue + # - task: PowerShell@2 + # displayName: Run Unit Tests + # condition: and(succeeded(), or(eq(variables['BuildPlatform'], 'x64'), eq(variables['BuildPlatform'], 'x86'))) + # enabled: False + # inputs: + # filePath: build\scripts\Run-Tests.ps1 + # arguments: -MatchPattern '*unit.test*.dll' -Platform '$(RationalizedBuildPlatform)' -Configuration '$(BuildConfiguration)' 
+ # - task: PowerShell@2 + # displayName: Run Feature Tests + # condition: and(succeeded(), eq(variables['BuildPlatform'], 'x64')) + # enabled: False + # inputs: + # filePath: build\scripts\Run-Tests.ps1 + # arguments: -MatchPattern '*feature.test*.dll' -Platform '$(RationalizedBuildPlatform)' -Configuration '$(BuildConfiguration)' + # - ${{ if eq(parameters.buildTerminal, true) }}: + # - task: CopyFiles@2 + # displayName: Copy *.appx/*.msix to Artifacts + # inputs: + # Contents: >- + # **/*.appx + + # **/*.msix + + # **/*.appxsym + + # !**/Microsoft.VCLibs*.appx + # TargetFolder: $(Build.ArtifactStagingDirectory)/appx + # OverWrite: true + # flattenFolders: true + # - task: PublishBuildArtifacts@1 + # displayName: Publish Artifact (appx) + # inputs: + # PathtoPublish: $(Build.ArtifactStagingDirectory)/appx + # ArtifactName: appx-$(BuildPlatform)-$(BuildConfiguration) + # - ${{ if eq(parameters.buildWPF, true) }}: + # - task: CopyFiles@2 + # displayName: Copy PublicTerminalCore.dll to Artifacts + # condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) + # inputs: + # Contents: >- + # **/PublicTerminalCore.dll + + # **/api-ms-win-core-synch-l1-2-0.dll + # TargetFolder: $(Build.ArtifactStagingDirectory)/wpf + # OverWrite: true + # flattenFolders: true + # - task: PublishBuildArtifacts@1 + # displayName: Publish Artifact (PublicTerminalCore) + # condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) + # inputs: + # PathtoPublish: $(Build.ArtifactStagingDirectory)/wpf + # ArtifactName: wpf-dll-$(BuildPlatform)-$(BuildConfiguration) + + # - task: PublishSymbols@2 + # displayName: Publish symbols path + # continueOnError: True + # inputs: + # SearchPattern: '**/*.pdb' + # IndexSources: false + # SymbolServerType: TeamServices # 1ES Component Governance onboarding (Detects open source components). 
See https://docs.opensource.microsoft.com/tools/cg.html - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 From ebd8aae274a1a34c4fa30752f8f37c48d4fbcf72 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 15:14:05 -0800 Subject: [PATCH 43/82] try something else who knows --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 2ab52771653..4b305eb5c44 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -277,7 +277,7 @@ jobs: displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() inputs: - msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Clean /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln + msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Restore /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - task: CopyFiles@1 From 8df6d1d897c6a7646a941ea4082617abcabdf49a Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Fri, 3 Dec 2021 17:41:44 -0800 Subject: [PATCH 44/82] Try building just the WindowsTerminal proj --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
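Review bot: Putting `/t:Restore` in the same invocation as the build targets (`/t:Restore /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal`) is the pattern MSBuild documentation warns against, because the projects are evaluated once before restore writes its generated props/targets, so the analysis build can run with stale or missing package imports. The supported form is the `/restore` switch on the same command line, i.e. `msbuild.exe /restore /nologo /m … /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal …`, which performs the restore in a separate evaluation and then builds. If the earlier `/t:Clean` was there to force a full rebuild for PREfast, that intent is lost here and should be stated on the task or reinstated as a target.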
diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 4b305eb5c44..60172c6d76e 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -277,7 +277,7 @@ jobs: displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() inputs: - msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Restore /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln + msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - task: CopyFiles@1 From cb5eed839922fb861343acdcbecb37c3287cc63d Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Sat, 4 Dec 2021 09:56:11 -0800 Subject: [PATCH 45/82] turn it up to 11 --- build/pipelines/release.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 60172c6d76e..1751ae0ce4a 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -307,7 +307,7 @@ jobs: # Overrides default build sources directory sourceTargetOverrideAll: $(Build.SourcesDirectory) # Overrides default build binaries directory when "Scan all" option is specified - binariesTargetOverrideAll: $(Build.BinariesDirectory) + binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin # Set the tools to false if they should not run in the build tools: 
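Review bot: Narrowing the PREfast command line to `/t:Terminal\Window\WindowsTerminal` drops the CascadiaPackage and WindowsTerminalUniversal targets the SDL native rules pass covered before, so native code built only through those targets is no longer analysed. If this is a temporary scoping to get the task to complete, note it above the task, e.g. `# TODO(compliance): PREfast currently analyses only the WindowsTerminal project; widen back to the package targets once the task is stable`, so the reduced coverage is not read as the intended release configuration.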
@@ -316,11 +316,11 @@ jobs: - toolName: CFGCheck enable: true - toolName: Policheck - enable: false + enable: true - toolName: CredScan - enable: false + enable: true - toolName: XFGCheck - enable: false + enable: true - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign From 9e6733f28db4c829e73f27e959e585578cf780c8 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 6 Dec 2021 12:56:05 -0800 Subject: [PATCH 46/82] turn off policheck for now --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 1751ae0ce4a..eee0767bee9 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -316,7 +316,7 @@ jobs: - toolName: CFGCheck enable: true - toolName: Policheck - enable: true + enable: false - toolName: CredScan enable: true - toolName: XFGCheck From ae7e598a0a447e06cf8fe9f5cab18a62ecccda3e Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 6 Dec 2021 13:40:16 -0800 Subject: [PATCH 47/82] try turning off prefast --- build/pipelines/release.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index eee0767bee9..2afaba55927 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -269,24 +269,24 @@ jobs: - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 displayName: Component Detection - # PREfast needs Node. Install that first. - - task: NodeTool@0 + # # PREfast needs Node. Install that first. + # - task: NodeTool@0 - # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 - displayName: 'Run the PREfast SDL Native Rules for MSBuild' - condition: succeededOrFailed() - inputs: - msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln + # # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + # - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 + # displayName: 'Run the PREfast SDL Native Rules for MSBuild' + # condition: succeededOrFailed() + # inputs: + # msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln - # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - - task: CopyFiles@1 - displayName: 'Copy PREfast xml files to SDLNativeRulesDir' - inputs: - SourceFolder: '$(Agent.BuildDirectory)' - Contents: | - **\*.nativecodeanalysis.xml - TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' + # # Copies output from PREfast SDL Native Rules task to expected location for 
consumption by PkgESSecComp + # - task: CopyFiles@1 + # displayName: 'Copy PREfast xml files to SDLNativeRulesDir' + # inputs: + # SourceFolder: '$(Agent.BuildDirectory)' + # Contents: | + # **\*.nativecodeanalysis.xml + # TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” From 925e93ef6f1dd8d62dba8297ea85f922e66bce2d Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 6 Dec 2021 13:40:31 -0800 Subject: [PATCH 48/82] and turn policheck back on --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 2afaba55927..6942657fcf0 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -316,7 +316,7 @@ jobs: - toolName: CFGCheck enable: true - toolName: Policheck - enable: false + enable: true - toolName: CredScan enable: true - toolName: XFGCheck From a9f3d4bce9673edc16fe288c4d7f57ec1f35fed2 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 6 Dec 2021 13:59:10 -0800 Subject: [PATCH 49/82] make some bins --- build/pipelines/release.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 6942657fcf0..cde95c827aa 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
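Review bot: Commenting out the SDLNativeRules task and its CopyFiles follow-up removes the PREfast pass from the release pipeline while the PkgESSecComp step that follows still expects results under `_sdt\logs\SDLNativeRules`, and nothing on the block says this is temporary or why. Put the reason on the block, e.g. `# TODO(compliance): PREfast disabled while investigating <issue-id>; PkgESSecComp runs without SDLNativeRules output until re-enabled`, so a later reader does not take the disabled analysis as the intended configuration. The NodeTool install is disabled with it, so anything else on the agent that relies on Node will have to reinstate that step first.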
@@ -147,17 +147,17 @@ jobs: inputs: filePath: tools/PGODatabase/restore-pgodb.ps1 workingDirectory: $(Build.SourcesDirectory)\tools\PGODatabase - # - ${{ if eq(parameters.buildTerminal, true) }}: - # - task: VSBuild@1 - # displayName: Build solution **\OpenConsole.sln - # inputs: - # solution: '**\OpenConsole.sln' - # vsVersion: 16.0 - # msbuildArgs: /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:WindowsTerminalReleaseBuild=true /bl:$(Build.SourcesDirectory)\msbuild.binlog - # platform: $(BuildPlatform) - # configuration: $(BuildConfiguration) - # clean: true - # maximumCpuCount: true + - ${{ if eq(parameters.buildTerminal, true) }}: + - task: VSBuild@1 + displayName: Build solution **\OpenConsole.sln + inputs: + solution: '**\OpenConsole.sln' + vsVersion: 16.0 + msbuildArgs: /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /t:Terminal\CascadiaPackage;Terminal\WindowsTerminalUniversal /p:WindowsTerminalReleaseBuild=true /bl:$(Build.SourcesDirectory)\msbuild.binlog + platform: $(BuildPlatform) + configuration: $(BuildConfiguration) + clean: true + maximumCpuCount: true # - task: PublishBuildArtifacts@1 # displayName: 'Publish Artifact: binlog' # condition: failed() From 6281c88f10ea9f2114e80666c23418a0df1257fe Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 6 Dec 2021 15:23:50 -0800 Subject: [PATCH 50/82] try 4 hours why not --- build/pipelines/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index cde95c827aa..f0b97164d85 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -65,6 +65,7 @@ jobs: BuildConfiguration: ${{ config }} BuildPlatform: ${{ platform }} displayName: Build + timeoutInMinutes: 240 cancelTimeoutInMinutes: 1 condition: true steps: From e97db4e3296aed332eaa54daac403a55c7d22755 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 7 Dec 2021 08:44:15 -0800 Subject: [PATCH 51/82] try going to the source --- build/pipelines/release.yml | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index f0b97164d85..0a5aa134834 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -289,7 +289,28 @@ jobs: # **\*.nativecodeanalysis.xml # TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build + + - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 + displayName: 'Run PoliCheck' + inputs: + targetType: F + targetArgument: $(Build.SourcesDirectory) + result: PoliCheck.xml + optionsFC: 1 + optionsXS: 1 + optionsHMENABLE: 0 + continueOnError: true + + # - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 + # displayName: 'Run CredScan' + # inputs: + # outputFormat: pre + # suppressionsFile: LocalSuppressions.json + # batchSize: 20 + # debugMode: false + # continueOnError: true + + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' - task: PkgESSecComp@10 @@ -317,7 +338,7 @@ jobs: - toolName: CFGCheck enable: true - toolName: Policheck - enable: true + enable: false - toolName: CredScan enable: true - toolName: XFGCheck From 6c4dd229741ffbcf12c21ea7b7f9e0221a8d2c96 Mon Sep 17 00:00:00 2001 
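Review bot: The new PoliCheck task sets `continueOnError: true`, so term-scan findings are reported but never fail the run, and nothing in the hunk records that this is an onboarding-only setting. A comment above the task would make that explicit, e.g. `# continueOnError: results are informational until the baseline is clean; set to false to gate the release`. The scan targets all of `$(Build.SourcesDirectory)` with `targetType: F` and sits among the per-platform build steps (the job header is outside the hunk), which presumably repeats the same source scan once per build-matrix entry; if so, a single dedicated job would do the work once.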
From: Michael Niksa Date: Tue, 7 Dec 2021 10:06:26 -0800 Subject: [PATCH 52/82] continue slamming head directly into wall --- build/pipelines/release.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 0a5aa134834..ff79cd84989 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -91,6 +91,7 @@ jobs: displayName: Use NuGet 5.10 inputs: versionSpec: 5.10 + - task: NuGetAuthenticate@0 - task: NuGetCommand@2 displayName: NuGet custom inputs: @@ -270,8 +271,8 @@ jobs: - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 displayName: Component Detection - # # PREfast needs Node. Install that first. - # - task: NodeTool@0 + # # PREfast and PoliCheck needs Node. Install that first. + - task: NodeTool@0 # # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task # - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 From fb78f11663e509f578ee53053d68549a89cb7948 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 7 Dec 2021 15:52:15 -0800 Subject: [PATCH 53/82] enable xfg, I think --- src/common.build.pre.props | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/common.build.pre.props b/src/common.build.pre.props index 8238e3a9330..7f0c0915d8b 100644 --- a/src/common.build.pre.props +++ b/src/common.build.pre.props @@ -166,11 +166,12 @@ true NDEBUG;%(PreprocessorDefinitions) false + /d1guard:xfg /d2guardxfg %(AdditionalOptions) true true - /debugtype:cv,fixup %(AdditionalOptions) + /debugtype:cv,fixup /guard:xfg %(AdditionalOptions) From f15c65005e1a967695b1d089ca2df44a48d035e2 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 7 Dec 2021 15:52:56 -0800 Subject: [PATCH 54/82] temporarily nerf actual signing --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
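Review bot: The NodeTool@0 step is re-enabled with no `inputs`, so the Node version it installs is whatever the task default happens to be at run time rather than a pinned one; a release pipeline whose analysis tooling depends on it should set `inputs:` with `versionSpec: '<pinned-node-version>'` so a tool-default change cannot silently alter the environment PoliCheck and PREfast run in. The explanatory comment above it keeps the doubled `# #` prefix from when the step was disabled and has a number-agreement slip; `# PREfast and PoliCheck need Node. Install that first.` reads as intended.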
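Review bot: The linker line now adds `/guard:xfg` on its own, while XFG builds on Control Flow Guard and a binary needs the CFG metadata for the XFG instrumentation to be meaningful; unless `/guard:cf` is already set through a separate property in this props file (the element names did not survive the page rendering, so that cannot be confirmed here), the combined form `/debugtype:cv,fixup /guard:cf,xfg %(AdditionalOptions)` is the safer spelling. The compiler side adds both `/d1guard:xfg` and `/d2guardxfg`; a one-line comment naming the toolset version these front-end and back-end switches are for would help whoever next updates the toolset, since `/d1`/`/d2` switches are toolset-internal rather than documented options.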
diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index ff79cd84989..4ce095b3771 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -345,7 +345,7 @@ jobs: - toolName: XFGCheck enable: true -- ${{ if eq(parameters.buildTerminal, true) }}: +- ${{ if eq(parameters.noyou, true) }}: - job: BundleAndSign displayName: Create and sign AppX/MSIX bundles dependsOn: Build From f289a6708a5311ff5b511da3609e2d94052dbbc2 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 7 Dec 2021 15:56:19 -0800 Subject: [PATCH 55/82] run separate credscan task --- build/pipelines/release.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 4ce095b3771..e7b6921b9af 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -302,14 +302,14 @@ jobs: optionsHMENABLE: 0 continueOnError: true - # - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - # displayName: 'Run CredScan' - # inputs: - # outputFormat: pre - # suppressionsFile: LocalSuppressions.json - # batchSize: 20 - # debugMode: false - # continueOnError: true + - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 + displayName: 'Run CredScan' + inputs: + outputFormat: pre + suppressionsFile: LocalSuppressions.json + batchSize: 20 + debugMode: false + continueOnError: true # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” @@ -341,7 +341,7 @@ jobs: - toolName: Policheck enable: false - toolName: CredScan - enable: true + enable: false - toolName: XFGCheck enable: true From 1b9ee5a98e7437181f4eabe8cc517cedc213e308 Mon Sep 17 00:00:00 2001 
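Review bot: The CredScan task is enabled with `continueOnError: true`, so a detected credential is logged but does not stop the release; for a secret scanner that is the one outcome that should gate, so either set `continueOnError: false` or comment why the run is informational for now. `suppressionsFile: LocalSuppressions.json` is resolved relative to the task's working directory and, judging by the next patch's title, the file is not present in the repo yet; a suppressions input is better omitted than pointed at a path that does not exist. Disabling `CredScan` in the PkgESSecComp tools list in the second hunk is consistent with running the standalone task, but a comment there, `# CredScan runs as its own task above`, would keep the next reader from re-enabling it twice.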
From: Michael Niksa Date: Tue, 7 Dec 2021 15:57:50 -0800 Subject: [PATCH 56/82] ok that was too sneaky. use comments instead. --- build/pipelines/release.yml | 142 ++++++++++++++++++------------------ 1 file changed, 71 insertions(+), 71 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index e7b6921b9af..c37c0f1e79a 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -345,77 +345,77 @@ jobs: - toolName: XFGCheck enable: true -- ${{ if eq(parameters.noyou, true) }}: - - job: BundleAndSign - displayName: Create and sign AppX/MSIX bundles - dependsOn: Build - steps: - - checkout: self - clean: true - submodules: true - persistCredentials: True - - task: PkgESSetupBuild@12 - displayName: Package ES - Setup Build - inputs: - disableOutputRedirect: true - - task: DownloadBuildArtifacts@0 - displayName: Download Artifacts (*.appx, *.msix) - inputs: - downloadType: specific - itemPattern: >- - **/*.msix - - **/*.appx - extractTars: false - - task: PowerShell@2 - displayName: Create WindowsTerminal*.msixbundle - inputs: - filePath: build\scripts\Create-AppxBundle.ps1 - arguments: -InputPath "$(System.ArtifactsDirectory)" -ProjectName CascadiaPackage -BundleVersion 0.0.0.0 -OutputPath "$(System.ArtifactsDirectory)\Microsoft.WindowsTerminal_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle" - - task: PowerShell@2 - displayName: Create WindowsTerminalUniversal*.msixbundle - inputs: - filePath: build\scripts\Create-AppxBundle.ps1 - arguments: -InputPath "$(System.ArtifactsDirectory)" -ProjectName WindowsTerminalUniversal -BundleVersion $(XES_APPXMANIFESTVERSION) -OutputPath "$(System.ArtifactsDirectory)\Microsoft.WindowsTerminalUniversal_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle" - - task: EsrpCodeSigning@1 - displayName: Submit *.msixbundle to ESRP for code signing - inputs: - ConnectedServiceName: 9d6d2960-0793-4d59-943e-78dcb434840a - FolderPath: $(System.ArtifactsDirectory) - Pattern: Microsoft.WindowsTerminal*.msixbundle - UseMinimatch: true - signConfigType: inlineSignParams - inlineOperation: >- - [ - { - "KeyCode": "Dynamic", - "CertTemplateName": "WINMSAPP1ST", - "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", - "OperationCode": "SigntoolSign", - "Parameters": { - "OpusName": "Microsoft", - "OpusInfo": "http://www.microsoft.com", - "FileDigest": "/fd \"SHA256\"", 
- "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName": "sign", - "ToolVersion": "1.0" - }, - { - "KeyCode": "Dynamic", - "CertTemplateName": "WINMSAPP1ST", - "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", - "OperationCode": "SigntoolVerify", - "Parameters": {}, - "ToolName": "sign", - "ToolVersion": "1.0" - } - ] - - task: PublishBuildArtifacts@1 - displayName: 'Publish Artifact: appxbundle-signed' - inputs: - PathtoPublish: $(System.ArtifactsDirectory) - ArtifactName: appxbundle-signed +# - ${{ if eq(parameters.buildTerminal, true) }}: +# - job: BundleAndSign +# displayName: Create and sign AppX/MSIX bundles +# dependsOn: Build +# steps: +# - checkout: self +# clean: true +# submodules: true +# persistCredentials: True +# - task: PkgESSetupBuild@12 +# displayName: Package ES - Setup Build +# inputs: +# disableOutputRedirect: true +# - task: DownloadBuildArtifacts@0 +# displayName: Download Artifacts (*.appx, *.msix) +# inputs: +# downloadType: specific +# itemPattern: >- +# **/*.msix + +# **/*.appx +# extractTars: false +# - task: PowerShell@2 +# displayName: Create WindowsTerminal*.msixbundle +# inputs: +# filePath: build\scripts\Create-AppxBundle.ps1 +# arguments: -InputPath "$(System.ArtifactsDirectory)" -ProjectName CascadiaPackage -BundleVersion 0.0.0.0 -OutputPath "$(System.ArtifactsDirectory)\Microsoft.WindowsTerminal_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle" +# - task: PowerShell@2 +# displayName: Create WindowsTerminalUniversal*.msixbundle +# inputs: +# filePath: build\scripts\Create-AppxBundle.ps1 +# arguments: -InputPath "$(System.ArtifactsDirectory)" -ProjectName WindowsTerminalUniversal -BundleVersion $(XES_APPXMANIFESTVERSION) -OutputPath "$(System.ArtifactsDirectory)\Microsoft.WindowsTerminalUniversal_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle" +# - task: EsrpCodeSigning@1 +# displayName: Submit *.msixbundle to ESRP for 
code signing +# inputs: +# ConnectedServiceName: 9d6d2960-0793-4d59-943e-78dcb434840a +# FolderPath: $(System.ArtifactsDirectory) +# Pattern: Microsoft.WindowsTerminal*.msixbundle +# UseMinimatch: true +# signConfigType: inlineSignParams +# inlineOperation: >- +# [ +# { +# "KeyCode": "Dynamic", +# "CertTemplateName": "WINMSAPP1ST", +# "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", +# "OperationCode": "SigntoolSign", +# "Parameters": { +# "OpusName": "Microsoft", +# "OpusInfo": "http://www.microsoft.com", +# "FileDigest": "/fd \"SHA256\"", +# "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" +# }, +# "ToolName": "sign", +# "ToolVersion": "1.0" +# }, +# { +# "KeyCode": "Dynamic", +# "CertTemplateName": "WINMSAPP1ST", +# "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", +# "OperationCode": "SigntoolVerify", +# "Parameters": {}, +# "ToolName": "sign", +# "ToolVersion": "1.0" +# } +# ] +# - task: PublishBuildArtifacts@1 +# displayName: 'Publish Artifact: appxbundle-signed' +# inputs: +# PathtoPublish: $(System.ArtifactsDirectory) +# ArtifactName: appxbundle-signed - ${{ if eq(parameters.buildWPF, true) }}: - job: PackageAndSignWPF From 49f1f4be9b749ae2a9ffd59a70f4600f3fe923ca Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 7 Dec 2021 16:49:08 -0800 Subject: [PATCH 57/82] suppress suppression file while we don't have anything to suppress --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index c37c0f1e79a..b07d36f6969 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -306,7 +306,7 @@ jobs: displayName: 'Run CredScan' inputs: outputFormat: pre - suppressionsFile: LocalSuppressions.json + # suppressionsFile: LocalSuppressions.json batchSize: 20 debugMode: false continueOnError: true 
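Review bot: The whole BundleAndSign job is now a commented-out block with nothing saying why it is off or what has to happen before it comes back, and the previous disable via the undeclared `parameters.noyou` is replaced rather than explained. Add a one-line marker at the top of the block, e.g. `# TODO(release): BundleAndSign disabled while the compliance tasks are being onboarded; re-enable before shipping`, so the unsigned state of the pipeline is visibly temporary. The disabled block still embeds the ESRP connection id and signing parameters, which means any later change to the live signing configuration has to be mirrored here before the job is restored.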
From e5e3c637abd47d7b04253985629a3ef5638bd048 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 9 Dec 2021 13:52:41 -0800 Subject: [PATCH 58/82] try to fix cfgcheck --- build/pipelines/release.yml | 44 ++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index b07d36f6969..588587ff9e4 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -291,25 +291,25 @@ jobs: # TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 - displayName: 'Run PoliCheck' - inputs: - targetType: F - targetArgument: $(Build.SourcesDirectory) - result: PoliCheck.xml - optionsFC: 1 - optionsXS: 1 - optionsHMENABLE: 0 - continueOnError: true - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - displayName: 'Run CredScan' - inputs: - outputFormat: pre - # suppressionsFile: LocalSuppressions.json - batchSize: 20 - debugMode: false - continueOnError: true + # - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 + # displayName: 'Run PoliCheck' + # inputs: + # targetType: F + # targetArgument: $(Build.SourcesDirectory) + # result: PoliCheck.xml + # optionsFC: 1 + # optionsXS: 1 + # optionsHMENABLE: 0 + # continueOnError: true + + # - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 + # displayName: 'Run CredScan' + # inputs: + # outputFormat: pre + # # suppressionsFile: LocalSuppressions.json + # batchSize: 20 + # debugMode: false + # continueOnError: true # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” 
@@ -330,12 +330,12 @@ jobs: # Overrides default build sources directory sourceTargetOverrideAll: $(Build.SourcesDirectory) # Overrides default build binaries directory when "Scan all" option is specified - binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin + binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin\$(BuildPlatform)\$(BuildConfiguration) # Set the tools to false if they should not run in the build tools: - toolName: CheckCFlags - enable: true + enable: false - toolName: CFGCheck enable: true - toolName: Policheck @@ -343,7 +343,7 @@ jobs: - toolName: CredScan enable: false - toolName: XFGCheck - enable: true + enable: false # - ${{ if eq(parameters.buildTerminal, true) }}: # - job: BundleAndSign From 8f4e32211f7e98abe167c18783c1e2e0f6f5fa7c Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 9 Dec 2021 13:59:16 -0800 Subject: [PATCH 59/82] don't policheck generated winrt files --- build/config/PolicheckExclusions.xml | 11 +++++++++++ build/pipelines/release.yml | 21 +++++++++++---------- 2 files changed, 22 insertions(+), 10 deletions(-) create mode 100644 build/config/PolicheckExclusions.xml diff --git a/build/config/PolicheckExclusions.xml b/build/config/PolicheckExclusions.xml new file mode 100644 index 00000000000..f95996d6791 --- /dev/null +++ b/build/config/PolicheckExclusions.xml @@ -0,0 +1,11 @@ + + + + winrt + + + + + + + \ No newline at end of file diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 588587ff9e4..ddae59087eb 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
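Review bot: The second and third hunks turn `CheckCFlags` and `XFGCheck` off under a commit described as a CFGCheck fix, which removes the compiler-flag and XFG verification the PkgESSecComp step exists to perform, while nothing records that this is an isolation step. If the intent is to isolate the CFGCheck failure, say so on the tools list, e.g. `# CheckCFlags/XFGCheck temporarily off while CFGCheck is investigated; re-enable before merge`, rather than leaving them looking like deliberate configuration. Narrowing `binariesTargetOverrideAll` to `$(Build.SourcesDirectory)\bin\$(BuildPlatform)\$(BuildConfiguration)` presumably matches where the per-matrix build writes its output; a comment confirming that layout would make the override self-explaining.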
@@ -291,16 +291,17 @@ jobs: # TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - # - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 - # displayName: 'Run PoliCheck' - # inputs: - # targetType: F - # targetArgument: $(Build.SourcesDirectory) - # result: PoliCheck.xml - # optionsFC: 1 - # optionsXS: 1 - # optionsHMENABLE: 0 - # continueOnError: true + - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 + displayName: 'Run PoliCheck' + inputs: + targetType: F + targetArgument: $(Build.SourcesDirectory) + result: PoliCheck.xml + optionsFC: 1 + optionsXS: 1 + optionsUEPath: build/config/PolicheckExclusions.xml + optionsHMENABLE: 0 + continueOnError: true # - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 # displayName: 'Run CredScan' From b1622806cbc6b74c3448ccdf166d323872a25d9d Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 9 Dec 2021 14:37:58 -0800 Subject: [PATCH 60/82] try to fix cfg? --- build/pipelines/release.yml | 2 +- src/common.build.pre.props | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index ddae59087eb..85af67ac0d1 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -331,7 +331,7 @@ jobs: # Overrides default build sources directory sourceTargetOverrideAll: $(Build.SourcesDirectory) # Overrides default build binaries directory when "Scan all" option is specified - binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin\$(BuildPlatform)\$(BuildConfiguration) + binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin # Set the tools to false if they should not run in the build tools: diff --git a/src/common.build.pre.props b/src/common.build.pre.props index 7f0c0915d8b..57184c9736a 100644 --- a/src/common.build.pre.props +++ b/src/common.build.pre.props 
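Review bot: `optionsUEPath: build/config/PolicheckExclusions.xml` is a relative path, so it resolves against whatever working directory the PoliCheck task runs with, which is not necessarily `$(Build.SourcesDirectory)`; anchoring it, `optionsUEPath: $(Build.SourcesDirectory)\build\config\PolicheckExclusions.xml`, removes that dependence. The exclusions file added in the same commit lost its element structure in the page rendering, so only the `winrt` entry is reviewable here; an XML comment stating that generated WinRT projections are excluded because their text is not the project's own would keep the exclusion list from growing unexplained.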
@@ -171,7 +171,7 @@ true true - /debugtype:cv,fixup /guard:xfg %(AdditionalOptions) + /debugtype:cv,fixup /guard:cf,xfg %(AdditionalOptions) From ec4db654b1d48d4ce55f4bd913333ad407875c05 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 9 Dec 2021 14:43:06 -0800 Subject: [PATCH 61/82] ok how about this directory, policheck? chew on that! --- build/pipelines/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 85af67ac0d1..afcd3b0118f 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -152,6 +152,7 @@ jobs: - ${{ if eq(parameters.buildTerminal, true) }}: - task: VSBuild@1 displayName: Build solution **\OpenConsole.sln + condition: false inputs: solution: '**\OpenConsole.sln' vsVersion: 16.0 @@ -299,7 +300,7 @@ jobs: result: PoliCheck.xml optionsFC: 1 optionsXS: 1 - optionsUEPath: build/config/PolicheckExclusions.xml + optionsUEPath: $(Build.SourcesDirectory)\build\config\PolicheckExclusions.xml optionsHMENABLE: 0 continueOnError: true From cd0db77bacc2b04c985202ca624dbecd478dc2cd Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 9 Dec 2021 15:05:36 -0800 Subject: [PATCH 62/82] exclude more from policheck that doesn't make sense --- build/config/PolicheckExclusions.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/config/PolicheckExclusions.xml b/build/config/PolicheckExclusions.xml index f95996d6791..a30447631c9 100644 --- a/build/config/PolicheckExclusions.xml +++ b/build/config/PolicheckExclusions.xml @@ -1,11 +1,11 @@ - winrt + winrt|.git|oss|packages - + .PNG|.SVG|.BMP|.ICO \ No newline at end of file From 9d7406ac4cc70158a46ef7d5c15d513a4d5195a7 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Thu, 9 Dec 2021 15:22:03 -0800 Subject: [PATCH 63/82] ok here goes nothing --- build/pipelines/release.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
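Review bot: `condition: false` on the VSBuild task skips the solution build entirely, so in this configuration the later `binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin` points at output this run never produced and the CFG/XFG/flag checks have nothing current to inspect; the commit title suggests this is to iterate on PoliCheck alone, but the line itself does not say so. If it stays even briefly, mark it inline, `condition: false  # TEMP: skip build while iterating on PoliCheck; restore to true`, so it cannot be merged unnoticed.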
diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index afcd3b0118f..c33e065240b 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -152,7 +152,7 @@ jobs: - ${{ if eq(parameters.buildTerminal, true) }}: - task: VSBuild@1 displayName: Build solution **\OpenConsole.sln - condition: false + condition: true inputs: solution: '**\OpenConsole.sln' vsVersion: 16.0 @@ -291,7 +291,6 @@ jobs: # **\*.nativecodeanalysis.xml # TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 displayName: 'Run PoliCheck' inputs: @@ -337,7 +336,7 @@ jobs: # Set the tools to false if they should not run in the build tools: - toolName: CheckCFlags - enable: false + enable: true - toolName: CFGCheck enable: true - toolName: Policheck @@ -345,7 +344,7 @@ jobs: - toolName: CredScan enable: false - toolName: XFGCheck - enable: false + enable: true # - ${{ if eq(parameters.buildTerminal, true) }}: # - job: BundleAndSign From 66507475caf780b3fa1e480503957b83f9e153b4 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 13 Dec 2021 12:54:07 -0800 Subject: [PATCH 64/82] make compliance run in parallel --- build/pipelines/release.yml | 496 +++++++++++++++++++++--------------- 1 file changed, 288 insertions(+), 208 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index c33e065240b..5f18af4601c 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -29,12 +29,11 @@ parameters: - name: pgoBuildMode displayName: "PGO Build Mode" type: string - default: None + default: Optimize values: - Optimize - Instrument - None - - name: buildConfigurations type: object default: @@ -43,8 +42,8 @@ parameters: type: object default: - x64 - # - x86 - # - arm64 + - x86 + - arm64 variables: TerminalInternalPackageVersion: "0.0.7" 
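Review bot: The first hunk changes the `pgoBuildMode` default from `None` to `Optimize` and re-enables the `x86` and `arm64` build platforms, which are release-behaviour changes the commit title (running compliance in parallel) does not mention; if these restore values the branch had changed for experimentation, the commit description should say so, otherwise they deserve their own commit. The removed blank line after the `values:` list is layout only. The `@@ -161,135` hunk that follows runs past the end of the visible page, so the restructured job it introduces is not reviewed here.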
@@ -161,135 +160,215 @@ jobs: configuration: $(BuildConfiguration) clean: true maximumCpuCount: true - # - task: PublishBuildArtifacts@1 - # displayName: 'Publish Artifact: binlog' - # condition: failed() - # continueOnError: True - # inputs: - # PathtoPublish: $(Build.SourcesDirectory)\msbuild.binlog - # ArtifactName: binlog-$(BuildPlatform) - # - ${{ if eq(parameters.pgoBuildMode, 'Optimize') }}: - # - task: PowerShell@2 - # displayName: Validate binaries are optimized - # condition: and(succeeded(), eq(variables['BuildPlatform'], 'x64')) - # inputs: - # targetType: inline - # script: >- - # $Binaries = 'OpenConsole.exe', 'WindowsTerminal.exe', 'TerminalApp.dll', 'TerminalConnection.dll', 'Microsoft.Terminal.Control.dll', 'Microsoft.Terminal.Remoting.dll', 'Microsoft.Terminal.Settings.Editor.dll', 'Microsoft.Terminal.Settings.Model.dll' - - # foreach ($BinFile in $Binaries) { - - # & "$(Build.SourcesDirectory)\tools\PGODatabase\verify-pgo.ps1" "$(Build.SourcesDirectory)/src/cascadia/CascadiaPackage/bin/$(BuildPlatform)/$(BuildConfiguration)/$BinFile" - - # } - # - task: PowerShell@2 - # displayName: Check MSIX for common regressions - # inputs: - # targetType: inline - # script: >- - # $Package = Get-ChildItem -Recurse -Filter "CascadiaPackage_*.msix" - - # .\build\scripts\Test-WindowsTerminalPackage.ps1 -Verbose -Path $Package.FullName - # pwsh: true - # - ${{ if eq(parameters.buildWPF, true) }}: - # - task: VSBuild@1 - # displayName: Build solution **\OpenConsole.sln for PublicTerminalCore - # condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) - # inputs: - # solution: '**\OpenConsole.sln' - # vsVersion: 16.0 - # msbuildArgs: /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /p:WindowsTerminalReleaseBuild=true /t:Terminal\wpf\PublicTerminalCore - # platform: $(BuildPlatform) - # configuration: $(BuildConfiguration) - # - task: PowerShell@2 - # displayName: 
Source Index PDBs - # inputs: - # filePath: build\scripts\Index-Pdbs.ps1 - # arguments: -SearchDir '$(Build.SourcesDirectory)' -SourceRoot '$(Build.SourcesDirectory)' -recursive -Verbose -CommitId $(Build.SourceVersion) - # errorActionPreference: silentlyContinue - # - task: PowerShell@2 - # displayName: Run Unit Tests - # condition: and(succeeded(), or(eq(variables['BuildPlatform'], 'x64'), eq(variables['BuildPlatform'], 'x86'))) - # enabled: False - # inputs: - # filePath: build\scripts\Run-Tests.ps1 - # arguments: -MatchPattern '*unit.test*.dll' -Platform '$(RationalizedBuildPlatform)' -Configuration '$(BuildConfiguration)' - # - task: PowerShell@2 - # displayName: Run Feature Tests - # condition: and(succeeded(), eq(variables['BuildPlatform'], 'x64')) - # enabled: False - # inputs: - # filePath: build\scripts\Run-Tests.ps1 - # arguments: -MatchPattern '*feature.test*.dll' -Platform '$(RationalizedBuildPlatform)' -Configuration '$(BuildConfiguration)' - # - ${{ if eq(parameters.buildTerminal, true) }}: - # - task: CopyFiles@2 - # displayName: Copy *.appx/*.msix to Artifacts - # inputs: - # Contents: >- - # **/*.appx - - # **/*.msix - - # **/*.appxsym - - # !**/Microsoft.VCLibs*.appx - # TargetFolder: $(Build.ArtifactStagingDirectory)/appx - # OverWrite: true - # flattenFolders: true - # - task: PublishBuildArtifacts@1 - # displayName: Publish Artifact (appx) - # inputs: - # PathtoPublish: $(Build.ArtifactStagingDirectory)/appx - # ArtifactName: appx-$(BuildPlatform)-$(BuildConfiguration) - # - ${{ if eq(parameters.buildWPF, true) }}: - # - task: CopyFiles@2 - # displayName: Copy PublicTerminalCore.dll to Artifacts - # condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) - # inputs: - # Contents: >- - # **/PublicTerminalCore.dll - - # **/api-ms-win-core-synch-l1-2-0.dll - # TargetFolder: $(Build.ArtifactStagingDirectory)/wpf - # OverWrite: true - # flattenFolders: true - # - task: PublishBuildArtifacts@1 - # displayName: Publish Artifact 
(PublicTerminalCore) - # condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) - # inputs: - # PathtoPublish: $(Build.ArtifactStagingDirectory)/wpf - # ArtifactName: wpf-dll-$(BuildPlatform)-$(BuildConfiguration) - - # - task: PublishSymbols@2 - # displayName: Publish symbols path - # continueOnError: True - # inputs: - # SearchPattern: '**/*.pdb' - # IndexSources: false - # SymbolServerType: TeamServices + - task: PublishBuildArtifacts@1 + displayName: 'Publish Artifact: binlog' + condition: failed() + continueOnError: True + inputs: + PathtoPublish: $(Build.SourcesDirectory)\msbuild.binlog + ArtifactName: binlog-$(BuildPlatform) + - ${{ if eq(parameters.pgoBuildMode, 'Optimize') }}: + - task: PowerShell@2 + displayName: Validate binaries are optimized + condition: and(succeeded(), eq(variables['BuildPlatform'], 'x64')) + inputs: + targetType: inline + script: >- + $Binaries = 'OpenConsole.exe', 'WindowsTerminal.exe', 'TerminalApp.dll', 'TerminalConnection.dll', 'Microsoft.Terminal.Control.dll', 'Microsoft.Terminal.Remoting.dll', 'Microsoft.Terminal.Settings.Editor.dll', 'Microsoft.Terminal.Settings.Model.dll' + + foreach ($BinFile in $Binaries) { + + & "$(Build.SourcesDirectory)\tools\PGODatabase\verify-pgo.ps1" "$(Build.SourcesDirectory)/src/cascadia/CascadiaPackage/bin/$(BuildPlatform)/$(BuildConfiguration)/$BinFile" + + } + - task: PowerShell@2 + displayName: Check MSIX for common regressions + inputs: + targetType: inline + script: >- + $Package = Get-ChildItem -Recurse -Filter "CascadiaPackage_*.msix" + + .\build\scripts\Test-WindowsTerminalPackage.ps1 -Verbose -Path $Package.FullName + pwsh: true + - ${{ if eq(parameters.buildWPF, true) }}: + - task: VSBuild@1 + displayName: Build solution **\OpenConsole.sln for PublicTerminalCore + condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) + inputs: + solution: '**\OpenConsole.sln' + vsVersion: 16.0 + msbuildArgs: /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ 
parameters.branding }};PGOBuildMode=${{ parameters.pgoBuildMode }} /p:WindowsTerminalReleaseBuild=true /t:Terminal\wpf\PublicTerminalCore + platform: $(BuildPlatform) + configuration: $(BuildConfiguration) + - task: PowerShell@2 + displayName: Source Index PDBs + inputs: + filePath: build\scripts\Index-Pdbs.ps1 + arguments: -SearchDir '$(Build.SourcesDirectory)' -SourceRoot '$(Build.SourcesDirectory)' -recursive -Verbose -CommitId $(Build.SourceVersion) + errorActionPreference: silentlyContinue + - task: PowerShell@2 + displayName: Run Unit Tests + condition: and(succeeded(), or(eq(variables['BuildPlatform'], 'x64'), eq(variables['BuildPlatform'], 'x86'))) + enabled: False + inputs: + filePath: build\scripts\Run-Tests.ps1 + arguments: -MatchPattern '*unit.test*.dll' -Platform '$(RationalizedBuildPlatform)' -Configuration '$(BuildConfiguration)' + - task: PowerShell@2 + displayName: Run Feature Tests + condition: and(succeeded(), eq(variables['BuildPlatform'], 'x64')) + enabled: False + inputs: + filePath: build\scripts\Run-Tests.ps1 + arguments: -MatchPattern '*feature.test*.dll' -Platform '$(RationalizedBuildPlatform)' -Configuration '$(BuildConfiguration)' + - ${{ if eq(parameters.buildTerminal, true) }}: + - task: CopyFiles@2 + displayName: Copy *.appx/*.msix to Artifacts + inputs: + Contents: >- + **/*.appx + + **/*.msix + + **/*.appxsym + + !**/Microsoft.VCLibs*.appx + TargetFolder: $(Build.ArtifactStagingDirectory)/appx + OverWrite: true + flattenFolders: true + - task: PublishBuildArtifacts@1 + displayName: Publish Artifact (appx) + inputs: + PathtoPublish: $(Build.ArtifactStagingDirectory)/appx + ArtifactName: appx-$(BuildPlatform)-$(BuildConfiguration) + - ${{ if eq(parameters.buildWPF, true) }}: + - task: CopyFiles@2 + displayName: Copy PublicTerminalCore.dll to Artifacts + condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) + inputs: + Contents: >- + **/PublicTerminalCore.dll + + **/api-ms-win-core-synch-l1-2-0.dll + TargetFolder: 
$(Build.ArtifactStagingDirectory)/wpf + OverWrite: true + flattenFolders: true + - task: PublishBuildArtifacts@1 + displayName: Publish Artifact (PublicTerminalCore) + condition: and(succeeded(), ne(variables['BuildPlatform'], 'arm64')) + inputs: + PathtoPublish: $(Build.ArtifactStagingDirectory)/wpf + ArtifactName: wpf-dll-$(BuildPlatform)-$(BuildConfiguration) + + - task: PublishSymbols@2 + displayName: Publish symbols path + continueOnError: True + inputs: + SearchPattern: '**/*.pdb' + IndexSources: false + SymbolServerType: TeamServices + +- job: Compliance + # We don't *need* a matrix but there's no other way to set parameters on a "job" + # in the AzDO YAML syntax. It would have to be a "stage" or a "template". + # Doesn't matter. We're going to do compliance on Release x64 because + # that's the one all the tooling works against for sure. + strategy: + matrix: + BuildConfiguration: Release + BuildPlatform: x64 + displayName: Validate Security and Compliance + steps: + - checkout: self + clean: true + submodules: true + persistCredentials: True + - task: PkgESSetupBuild@12 + displayName: Package ES - Setup Build + inputs: + disableOutputRedirect: true + - task: PowerShell@2 + displayName: Rationalize Build Platform + inputs: + targetType: inline + script: >- + $Arch = "$(BuildPlatform)" + + If ($Arch -Eq "x86") { $Arch = "Win32" } + + Write-Host "##vso[task.setvariable variable=RationalizedBuildPlatform]${Arch}" + - task: NuGetToolInstaller@1 + displayName: Use NuGet 5.10 + inputs: + versionSpec: 5.10 + - task: NuGetAuthenticate@0 + - task: NuGetCommand@2 + displayName: NuGet custom + inputs: + command: custom + selectOrConfig: config + nugetConfigPath: NuGet.Config + arguments: restore OpenConsole.sln -SolutionDirectory $(Build.SourcesDirectory) + - task: UniversalPackages@0 + displayName: Download terminal-internal Universal Package + inputs: + feedListDownload: 2b3f8893-a6e8-411f-b197-a9e05576da48 + packageListDownload: e82d490c-af86-4733-9dc4-07b772033204 
+ versionListDownload: $(TerminalInternalPackageVersion) + - task: TouchdownBuildTask@1 + displayName: Download Localization Files + inputs: + teamId: 7105 + authId: $(TouchdownAppId) + authKey: $(TouchdownAppKey) + resourceFilePath: >- + src\cascadia\TerminalApp\Resources\en-US\Resources.resw + + src\cascadia\TerminalControl\Resources\en-US\Resources.resw + + src\cascadia\TerminalConnection\Resources\en-US\Resources.resw + + src\cascadia\TerminalSettingsModel\Resources\en-US\Resources.resw + + src\cascadia\TerminalSettingsEditor\Resources\en-US\Resources.resw + + src\cascadia\WindowsTerminalUniversal\Resources\en-US\Resources.resw + + src\cascadia\CascadiaPackage\Resources\en-US\Resources.resw + appendRelativeDir: true + localizationTarget: false + pseudoSetting: Included + - task: PowerShell@2 + displayName: Move Loc files one level up + inputs: + targetType: inline + script: >- + $Files = Get-ChildItem . -R -Filter 'Resources.resw' | ? FullName -Like '*en-US\*\Resources.resw' + + $Files | % { Move-Item -Verbose $_.Directory $_.Directory.Parent.Parent -EA:Ignore } + pwsh: true # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 displayName: Component Detection - # # PREfast and PoliCheck needs Node. Install that first. + # # PREfast and PoliCheck need Node. Install that first. - task: NodeTool@0 - # # PREfast. 
See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - # - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 - # displayName: 'Run the PREfast SDL Native Rules for MSBuild' - # condition: succeededOrFailed() - # inputs: - # msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln - - # # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - # - task: CopyFiles@1 - # displayName: 'Copy PREfast xml files to SDLNativeRulesDir' - # inputs: - # SourceFolder: '$(Agent.BuildDirectory)' - # Contents: | - # **\*.nativecodeanalysis.xml - # TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' + # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 + displayName: 'Run the PREfast SDL Native Rules for MSBuild' + condition: succeededOrFailed() + inputs: + msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln + + # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp + - task: CopyFiles@1 + displayName: 'Copy PREfast xml files to SDLNativeRulesDir' + inputs: + SourceFolder: '$(Agent.BuildDirectory)' + Contents: | + **\*.nativecodeanalysis.xml + TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - task: 
securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 displayName: 'Run PoliCheck' @@ -303,15 +382,15 @@ jobs: optionsHMENABLE: 0 continueOnError: true - # - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - # displayName: 'Run CredScan' - # inputs: - # outputFormat: pre - # # suppressionsFile: LocalSuppressions.json - # batchSize: 20 - # debugMode: false - # continueOnError: true - + - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 + displayName: 'Run CredScan' + inputs: + outputFormat: pre + # suppressionsFile: LocalSuppressions.json + batchSize: 20 + debugMode: false + continueOnError: true + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' @@ -332,13 +411,14 @@ jobs: sourceTargetOverrideAll: $(Build.SourcesDirectory) # Overrides default build binaries directory when "Scan all" option is specified binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin - + # Set the tools to false if they should not run in the build + # MINIKSA NOTE: APPARENTLY CFGCHECK IS DEPRECATED. USE XFGCHECK INSTEAD TO SUPERSEDE IT. tools: - toolName: CheckCFlags enable: true - toolName: CFGCheck - enable: true + enable: false - toolName: Policheck enable: false - toolName: CredScan 
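Review bot: The new Compliance job checks out with `persistCredentials: True`, but none of its visible steps pushes to the repository — they restore packages, download localization, build for PREfast and run scanners — so the persisted token is not needed, and because CredScan and PkgESSecComp later scan `$(Build.SourcesDirectory)` with `scanAll: true`, a token left in the checkout's git config may itself surface as a finding. Dropping that line keeps the scan job on least privilege. Separately, the checkout / PkgESSetupBuild / NuGet / Touchdown / loc-move sequence is a verbatim copy of the Build job's steps (the Build job's copy is outside this hunk); a steps template would keep the two from drifting.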
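Review bot: Re-enabling CredScan with `continueOnError: true` means a detected credential only produces a warning, and together with `errOnBugs: false` and `fileNewBugs: false` on the PkgESSecComp step in the next hunk, no finding from either scanner can fail this job or file a bug, so the compliance job is informational rather than a gate. If that is intended for now, a comment next to `continueOnError: true` saying so would help; otherwise, once a suppressions file exists (the `suppressionsFile` line is still commented out), set `continueOnError: false` so a new credential blocks the release.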
@@ -346,77 +426,77 @@ jobs: - toolName: XFGCheck enable: true -# - ${{ if eq(parameters.buildTerminal, true) }}: -# - job: BundleAndSign -# displayName: Create and sign AppX/MSIX bundles -# dependsOn: Build -# steps: -# - checkout: self -# clean: true -# submodules: true -# persistCredentials: True -# - task: PkgESSetupBuild@12 -# displayName: Package ES - Setup Build -# inputs: -# disableOutputRedirect: true -# - task: DownloadBuildArtifacts@0 -# displayName: Download Artifacts (*.appx, *.msix) -# inputs: -# downloadType: specific -# itemPattern: >- -# **/*.msix - -# **/*.appx -# extractTars: false -# - task: PowerShell@2 -# displayName: Create WindowsTerminal*.msixbundle -# inputs: -# filePath: build\scripts\Create-AppxBundle.ps1 -# arguments: -InputPath "$(System.ArtifactsDirectory)" -ProjectName CascadiaPackage -BundleVersion 0.0.0.0 -OutputPath "$(System.ArtifactsDirectory)\Microsoft.WindowsTerminal_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle" -# - task: PowerShell@2 -# displayName: Create WindowsTerminalUniversal*.msixbundle -# inputs: -# filePath: build\scripts\Create-AppxBundle.ps1 -# arguments: -InputPath "$(System.ArtifactsDirectory)" -ProjectName WindowsTerminalUniversal -BundleVersion $(XES_APPXMANIFESTVERSION) -OutputPath "$(System.ArtifactsDirectory)\Microsoft.WindowsTerminalUniversal_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle" -# - task: EsrpCodeSigning@1 -# displayName: Submit *.msixbundle to ESRP for code signing -# inputs: -# ConnectedServiceName: 9d6d2960-0793-4d59-943e-78dcb434840a -# FolderPath: $(System.ArtifactsDirectory) -# Pattern: Microsoft.WindowsTerminal*.msixbundle -# UseMinimatch: true -# signConfigType: inlineSignParams -# inlineOperation: >- -# [ -# { -# "KeyCode": "Dynamic", -# "CertTemplateName": "WINMSAPP1ST", -# "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", -# "OperationCode": "SigntoolSign", -# "Parameters": { -# "OpusName": "Microsoft", -# "OpusInfo": 
"http://www.microsoft.com", -# "FileDigest": "/fd \"SHA256\"", -# "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" -# }, -# "ToolName": "sign", -# "ToolVersion": "1.0" -# }, -# { -# "KeyCode": "Dynamic", -# "CertTemplateName": "WINMSAPP1ST", -# "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", -# "OperationCode": "SigntoolVerify", -# "Parameters": {}, -# "ToolName": "sign", -# "ToolVersion": "1.0" -# } -# ] -# - task: PublishBuildArtifacts@1 -# displayName: 'Publish Artifact: appxbundle-signed' -# inputs: -# PathtoPublish: $(System.ArtifactsDirectory) -# ArtifactName: appxbundle-signed +- ${{ if eq(parameters.buildTerminal, true) }}: + - job: BundleAndSign + displayName: Create and sign AppX/MSIX bundles + dependsOn: Build + steps: + - checkout: self + clean: true + submodules: true + persistCredentials: True + - task: PkgESSetupBuild@12 + displayName: Package ES - Setup Build + inputs: + disableOutputRedirect: true + - task: DownloadBuildArtifacts@0 + displayName: Download Artifacts (*.appx, *.msix) + inputs: + downloadType: specific + itemPattern: >- + **/*.msix + + **/*.appx + extractTars: false + - task: PowerShell@2 + displayName: Create WindowsTerminal*.msixbundle + inputs: + filePath: build\scripts\Create-AppxBundle.ps1 + arguments: -InputPath "$(System.ArtifactsDirectory)" -ProjectName CascadiaPackage -BundleVersion 0.0.0.0 -OutputPath "$(System.ArtifactsDirectory)\Microsoft.WindowsTerminal_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle" + - task: PowerShell@2 + displayName: Create WindowsTerminalUniversal*.msixbundle + inputs: + filePath: build\scripts\Create-AppxBundle.ps1 + arguments: -InputPath "$(System.ArtifactsDirectory)" -ProjectName WindowsTerminalUniversal -BundleVersion $(XES_APPXMANIFESTVERSION) -OutputPath "$(System.ArtifactsDirectory)\Microsoft.WindowsTerminalUniversal_$(XES_APPXMANIFESTVERSION)_8wekyb3d8bbwe.msixbundle" + - task: 
EsrpCodeSigning@1 + displayName: Submit *.msixbundle to ESRP for code signing + inputs: + ConnectedServiceName: 9d6d2960-0793-4d59-943e-78dcb434840a + FolderPath: $(System.ArtifactsDirectory) + Pattern: Microsoft.WindowsTerminal*.msixbundle + UseMinimatch: true + signConfigType: inlineSignParams + inlineOperation: >- + [ + { + "KeyCode": "Dynamic", + "CertTemplateName": "WINMSAPP1ST", + "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", + "OperationCode": "SigntoolSign", + "Parameters": { + "OpusName": "Microsoft", + "OpusInfo": "http://www.microsoft.com", + "FileDigest": "/fd \"SHA256\"", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName": "sign", + "ToolVersion": "1.0" + }, + { + "KeyCode": "Dynamic", + "CertTemplateName": "WINMSAPP1ST", + "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", + "OperationCode": "SigntoolVerify", + "Parameters": {}, + "ToolName": "sign", + "ToolVersion": "1.0" + } + ] + - task: PublishBuildArtifacts@1 + displayName: 'Publish Artifact: appxbundle-signed' + inputs: + PathtoPublish: $(System.ArtifactsDirectory) + ArtifactName: appxbundle-signed - ${{ if eq(parameters.buildWPF, true) }}: - job: PackageAndSignWPF From a9c80cbc42a45f62c6890d913b0edde1f4a4c9c5 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 13 Dec 2021 12:54:25 -0800 Subject: [PATCH 65/82] a leftover --- build/pipelines/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 5f18af4601c..45bcda46740 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -66,7 +66,6 @@ jobs: displayName: Build timeoutInMinutes: 240 cancelTimeoutInMinutes: 1 - condition: true steps: - checkout: self clean: true From 51b5edd608408ee6273e0bddec2d44013f118bd2 Mon Sep 17 00:00:00 2001 
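Review bot: `dependsOn: Build` on the restored BundleAndSign job means signing can complete while the new Compliance job is still running or has failed, so the signed `appxbundle-signed` artifact is produced regardless of scan outcome. Running compliance in parallel is the stated goal of this commit, but if the scans are meant to gate the release, add the job to the dependency (`dependsOn: [Build, Compliance]`) or record in a comment that compliance is advisory; if the Compliance job later becomes optional, that dependency must carry the same condition. The job list continues with `PackageAndSignWPF` outside the hunk.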
From: Michael Niksa Date: Mon, 13 Dec 2021 12:57:35 -0800 Subject: [PATCH 66/82] syntax error --- build/pipelines/release.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 03f3321da14..17e67fed089 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -283,8 +283,9 @@ jobs: # that's the one all the tooling works against for sure. strategy: matrix: - BuildConfiguration: Release - BuildPlatform: x64 + Release_x64: + BuildConfiguration: Release + BuildPlatform: x64 displayName: Validate Security and Compliance steps: - checkout: self From 2b3d732841c8abae30bf83fd2a5ec757eb70dee5 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 13 Dec 2021 13:17:42 -0800 Subject: [PATCH 67/82] its shallow isn't it --- build/pipelines/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 17e67fed089..ee0509fe9cc 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -69,7 +69,6 @@ jobs: steps: - checkout: self clean: true - fetchDepth: 1 submodules: true persistCredentials: True - task: PkgESSetupBuild@12 From b5290a7b993fe6c74b52d75f56dea44c7540cd03 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 13 Dec 2021 13:19:41 -0800 Subject: [PATCH 68/82] flag it on and off --- build/pipelines/release.yml | 299 ++++++++++++++++++------------------ 1 file changed, 152 insertions(+), 147 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index ee0509fe9cc..1717128a228 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -18,6 +18,10 @@ parameters: displayName: "Build Windows Terminal MSIX" type: boolean default: true + - name: runCompliance + displayName: "Run Compliance and Security Build" + type: boolean + default: true - name: buildTerminalVPack displayName: "Build Windows Terminal VPack" type: boolean 
@@ -275,165 +279,166 @@ jobs: IndexSources: false SymbolServerType: TeamServices -- job: Compliance - # We don't *need* a matrix but there's no other way to set parameters on a "job" - # in the AzDO YAML syntax. It would have to be a "stage" or a "template". - # Doesn't matter. We're going to do compliance on Release x64 because - # that's the one all the tooling works against for sure. - strategy: - matrix: - Release_x64: - BuildConfiguration: Release - BuildPlatform: x64 - displayName: Validate Security and Compliance - steps: - - checkout: self - clean: true - submodules: true - persistCredentials: True - - task: PkgESSetupBuild@12 - displayName: Package ES - Setup Build - inputs: - disableOutputRedirect: true - - task: PowerShell@2 - displayName: Rationalize Build Platform - inputs: - targetType: inline - script: >- - $Arch = "$(BuildPlatform)" +- ${{ if eq(parameters.runCompliance, true) }}: + - job: Compliance + # We don't *need* a matrix but there's no other way to set parameters on a "job" + # in the AzDO YAML syntax. It would have to be a "stage" or a "template". + # Doesn't matter. We're going to do compliance on Release x64 because + # that's the one all the tooling works against for sure. 
+ strategy: + matrix: + Release_x64: + BuildConfiguration: Release + BuildPlatform: x64 + displayName: Validate Security and Compliance + steps: + - checkout: self + clean: true + submodules: true + persistCredentials: True + - task: PkgESSetupBuild@12 + displayName: Package ES - Setup Build + inputs: + disableOutputRedirect: true + - task: PowerShell@2 + displayName: Rationalize Build Platform + inputs: + targetType: inline + script: >- + $Arch = "$(BuildPlatform)" - If ($Arch -Eq "x86") { $Arch = "Win32" } + If ($Arch -Eq "x86") { $Arch = "Win32" } - Write-Host "##vso[task.setvariable variable=RationalizedBuildPlatform]${Arch}" - - task: NuGetToolInstaller@1 - displayName: Use NuGet 5.10 - inputs: - versionSpec: 5.10 - - task: NuGetAuthenticate@0 - - task: NuGetCommand@2 - displayName: NuGet custom - inputs: - command: custom - selectOrConfig: config - nugetConfigPath: NuGet.Config - arguments: restore OpenConsole.sln -SolutionDirectory $(Build.SourcesDirectory) - - task: UniversalPackages@0 - displayName: Download terminal-internal Universal Package - inputs: - feedListDownload: 2b3f8893-a6e8-411f-b197-a9e05576da48 - packageListDownload: e82d490c-af86-4733-9dc4-07b772033204 - versionListDownload: $(TerminalInternalPackageVersion) - - task: TouchdownBuildTask@1 - displayName: Download Localization Files - inputs: - teamId: 7105 - authId: $(TouchdownAppId) - authKey: $(TouchdownAppKey) - resourceFilePath: >- - src\cascadia\TerminalApp\Resources\en-US\Resources.resw + Write-Host "##vso[task.setvariable variable=RationalizedBuildPlatform]${Arch}" + - task: NuGetToolInstaller@1 + displayName: Use NuGet 5.10 + inputs: + versionSpec: 5.10 + - task: NuGetAuthenticate@0 + - task: NuGetCommand@2 + displayName: NuGet custom + inputs: + command: custom + selectOrConfig: config + nugetConfigPath: NuGet.Config + arguments: restore OpenConsole.sln -SolutionDirectory $(Build.SourcesDirectory) + - task: UniversalPackages@0 + displayName: Download terminal-internal Universal 
Package + inputs: + feedListDownload: 2b3f8893-a6e8-411f-b197-a9e05576da48 + packageListDownload: e82d490c-af86-4733-9dc4-07b772033204 + versionListDownload: $(TerminalInternalPackageVersion) + - task: TouchdownBuildTask@1 + displayName: Download Localization Files + inputs: + teamId: 7105 + authId: $(TouchdownAppId) + authKey: $(TouchdownAppKey) + resourceFilePath: >- + src\cascadia\TerminalApp\Resources\en-US\Resources.resw - src\cascadia\TerminalControl\Resources\en-US\Resources.resw + src\cascadia\TerminalControl\Resources\en-US\Resources.resw - src\cascadia\TerminalConnection\Resources\en-US\Resources.resw + src\cascadia\TerminalConnection\Resources\en-US\Resources.resw - src\cascadia\TerminalSettingsModel\Resources\en-US\Resources.resw + src\cascadia\TerminalSettingsModel\Resources\en-US\Resources.resw - src\cascadia\TerminalSettingsEditor\Resources\en-US\Resources.resw + src\cascadia\TerminalSettingsEditor\Resources\en-US\Resources.resw - src\cascadia\WindowsTerminalUniversal\Resources\en-US\Resources.resw + src\cascadia\WindowsTerminalUniversal\Resources\en-US\Resources.resw - src\cascadia\CascadiaPackage\Resources\en-US\Resources.resw - appendRelativeDir: true - localizationTarget: false - pseudoSetting: Included - - task: PowerShell@2 - displayName: Move Loc files one level up - inputs: - targetType: inline - script: >- - $Files = Get-ChildItem . -R -Filter 'Resources.resw' | ? FullName -Like '*en-US\*\Resources.resw' + src\cascadia\CascadiaPackage\Resources\en-US\Resources.resw + appendRelativeDir: true + localizationTarget: false + pseudoSetting: Included + - task: PowerShell@2 + displayName: Move Loc files one level up + inputs: + targetType: inline + script: >- + $Files = Get-ChildItem . -R -Filter 'Resources.resw' | ? 
FullName -Like '*en-US\*\Resources.resw' - $Files | % { Move-Item -Verbose $_.Directory $_.Directory.Parent.Parent -EA:Ignore } - pwsh: true + $Files | % { Move-Item -Verbose $_.Directory $_.Directory.Parent.Parent -EA:Ignore } + pwsh: true - # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html - - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 - displayName: Component Detection - - # # PREfast and PoliCheck need Node. Install that first. - - task: NodeTool@0 - - # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 - displayName: 'Run the PREfast SDL Native Rules for MSBuild' - condition: succeededOrFailed() - inputs: - msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln + # 1ES Component Governance onboarding (Detects open source components). See https://docs.opensource.microsoft.com/tools/cg.html + - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 + displayName: Component Detection + + # # PREfast and PoliCheck need Node. Install that first. + - task: NodeTool@0 + + # PREfast. 
See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 + displayName: 'Run the PREfast SDL Native Rules for MSBuild' + condition: succeededOrFailed() + inputs: + msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln - # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - - task: CopyFiles@1 - displayName: 'Copy PREfast xml files to SDLNativeRulesDir' - inputs: - SourceFolder: '$(Agent.BuildDirectory)' - Contents: | - **\*.nativecodeanalysis.xml - TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' + # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp + - task: CopyFiles@1 + displayName: 'Copy PREfast xml files to SDLNativeRulesDir' + inputs: + SourceFolder: '$(Agent.BuildDirectory)' + Contents: | + **\*.nativecodeanalysis.xml + TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 - displayName: 'Run PoliCheck' - inputs: - targetType: F - targetArgument: $(Build.SourcesDirectory) - result: PoliCheck.xml - optionsFC: 1 - optionsXS: 1 - optionsUEPath: $(Build.SourcesDirectory)\build\config\PolicheckExclusions.xml - optionsHMENABLE: 0 - continueOnError: true - - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - displayName: 'Run CredScan' - inputs: - outputFormat: pre - # suppressionsFile: LocalSuppressions.json - batchSize: 20 - debugMode: false - continueOnError: true - - # Set XES_SERIALPOSTBUILDREADY to run Security and 
Compliance task once per build - - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” - displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' - - task: PkgESSecComp@10 - displayName: 'Security and Compliance tasks' - inputs: - fileNewBugs: false - areaPath: 'OS\WDX\DXP\WinDev\Terminal' - teamProject: 'OS' - iterationPath: 'OS\Future' - bugTags: 'TerminalReleaseCompliance' - scanAll: true - errOnBugs: false - failOnStdErr: true - taskLogVerbosity: Diagnostic - secCompConfigFromTask: | - # Overrides default build sources directory - sourceTargetOverrideAll: $(Build.SourcesDirectory) - # Overrides default build binaries directory when "Scan all" option is specified - binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin - - # Set the tools to false if they should not run in the build - # MINIKSA NOTE: APPARENTLY CFGCHECK IS DEPRECATED. USE XFGCHECK INSTEAD TO SUPERSEDE IT. - tools: - - toolName: CheckCFlags - enable: true - - toolName: CFGCheck - enable: false - - toolName: Policheck - enable: false - - toolName: CredScan - enable: false - - toolName: XFGCheck - enable: true + - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 + displayName: 'Run PoliCheck' + inputs: + targetType: F + targetArgument: $(Build.SourcesDirectory) + result: PoliCheck.xml + optionsFC: 1 + optionsXS: 1 + optionsUEPath: $(Build.SourcesDirectory)\build\config\PolicheckExclusions.xml + optionsHMENABLE: 0 + continueOnError: true + + - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 + displayName: 'Run CredScan' + inputs: + outputFormat: pre + # suppressionsFile: LocalSuppressions.json + batchSize: 20 + debugMode: false + continueOnError: true + + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build + - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” + displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' + - task: 
PkgESSecComp@10 + displayName: 'Security and Compliance tasks' + inputs: + fileNewBugs: false + areaPath: 'OS\WDX\DXP\WinDev\Terminal' + teamProject: 'OS' + iterationPath: 'OS\Future' + bugTags: 'TerminalReleaseCompliance' + scanAll: true + errOnBugs: false + failOnStdErr: true + taskLogVerbosity: Diagnostic + secCompConfigFromTask: | + # Overrides default build sources directory + sourceTargetOverrideAll: $(Build.SourcesDirectory) + # Overrides default build binaries directory when "Scan all" option is specified + binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin + + # Set the tools to false if they should not run in the build + # MINIKSA NOTE: APPARENTLY CFGCHECK IS DEPRECATED. USE XFGCHECK INSTEAD TO SUPERSEDE IT. + tools: + - toolName: CheckCFlags + enable: true + - toolName: CFGCheck + enable: false + - toolName: Policheck + enable: false + - toolName: CredScan + enable: false + - toolName: XFGCheck + enable: true - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign From 81fc0ff922a668284d086dcfb09f9fac69dbb0e9 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Mon, 13 Dec 2021 14:41:41 -0800 Subject: [PATCH 69/82] flip checks around again --- build/pipelines/release.yml | 4 ++-- src/common.build.pre.props | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 1717128a228..d7bfa442aba 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -432,13 +432,13 @@ jobs: - toolName: CheckCFlags enable: true - toolName: CFGCheck - enable: false + enable: true - toolName: Policheck enable: false - toolName: CredScan enable: false - toolName: XFGCheck - enable: true + enable: false - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign diff --git a/src/common.build.pre.props b/src/common.build.pre.props index 4280cc50627..6348cb6b667 100644 --- a/src/common.build.pre.props +++ b/src/common.build.pre.props 
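Review bot: The comment two lines above this hunk, `# MINIKSA NOTE: APPARENTLY CFGCHECK IS DEPRECATED. USE XFGCHECK INSTEAD TO SUPERSEDE IT.`, now contradicts the configuration it describes, since CFGCheck goes back to `true` and XFGCheck to `false`; update or remove it so the next reader does not flip the flags again. The companion hunk in `src/common.build.pre.props` drops the whole `/guard:cf,xfg` link option rather than only the `xfg` part, so link-time CFG is gone unless it is enabled elsewhere in the props (not visible here); if CFGCheck is meant to pass, keep `/debugtype:cv,fixup /guard:cf %(AdditionalOptions)`.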
@@ -168,12 +168,12 @@ true NDEBUG;%(PreprocessorDefinitions) false - /d1guard:xfg /d2guardxfg %(AdditionalOptions) + %(AdditionalOptions) true true - /debugtype:cv,fixup /guard:cf,xfg %(AdditionalOptions) + /debugtype:cv,fixup %(AdditionalOptions) From 8e7fd8712820a7d3b385f2c462e916012aad0a5a Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 14 Dec 2021 09:02:45 -0800 Subject: [PATCH 70/82] spell check! --- .github/actions/spelling/expect/expect.txt | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/spelling/expect/expect.txt b/.github/actions/spelling/expect/expect.txt index 35da0d7949b..6609373476a 100644 --- a/.github/actions/spelling/expect/expect.txt +++ b/.github/actions/spelling/expect/expect.txt @@ -1797,6 +1797,7 @@ PNTSTATUS POBJECT Podcast POINTSLIST +Poli POLYTEXTW popd POPF From 2cb310d20bd6b10efb44a1ffe803e0ff41adbef1 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 14 Dec 2021 13:12:13 -0800 Subject: [PATCH 71/82] work around compiler crash when working with these lambdas in a macro with static analysis enabled --- .../CascadiaSettings.cpp | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp b/src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp index 5c6d91a4d81..b4d4f644712 100644 --- a/src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp +++ b/src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp 
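Review bot: The link `AdditionalOptions` line drops `/guard:cf,xfg` as a whole, so this commit removes the `/guard:cf` linker switch along with XFG while the same commit turns CFGCheck back on in release.yml; unless CFG is requested through some other MSBuild setting in common.build.pre.props that is not in this hunk, the compliance check would be validating binaries that no longer ask for CFG at link time. Please confirm where `/guard:cf` now comes from and record it at the changed line, e.g. `<!-- XFG (/guard:xfg) intentionally off, see CFGCheck/XFGCheck in build/pipelines/release.yml; CFG must still be enabled for CFGCheck to pass -->`. The enclosing MSBuild item-definition element starts and ends outside the hunk.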
@@ -219,6 +219,18 @@ Model::Profile CascadiaSettings::CreateNewProfile() return *newProfile; } +template +static bool isProfilesDefaultsOrigin(const T& profile) +{ + return profile && profile.Origin() != winrt::Microsoft::Terminal::Settings::Model::OriginTag::ProfilesDefaults; +} + +template +static bool isProfilesDefaultsOriginSub(const T& sub) +{ + return sub && isProfilesDefaultsOrigin(sub.SourceProfile()); +} + // Method Description: // - Duplicate a new profile based off another profile's settings // - This differs from Profile::Copy because it also copies over settings @@ -250,14 +262,6 @@ Model::Profile CascadiaSettings::DuplicateProfile(const Model::Profile& source) const auto duplicated = _createNewProfile(newName); - static constexpr auto isProfilesDefaultsOrigin = [](const auto& profile) -> bool { - return profile && profile.Origin() != OriginTag::ProfilesDefaults; - }; - - static constexpr auto isProfilesDefaultsOriginSub = [](const auto& sub) -> bool { - return sub && isProfilesDefaultsOrigin(sub.SourceProfile()); - }; - #define NEEDS_DUPLICATION(settingName) source.Has##settingName() || isProfilesDefaultsOrigin(source.settingName##OverrideSource()) #define NEEDS_DUPLICATION_SUB(source, settingName) source.Has##settingName() || isProfilesDefaultsOriginSub(source.settingName##OverrideSource()) From b461264b1b77e0f6c041c01ab9aa458bc80dee57 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 14 Dec 2021 13:41:44 -0800 Subject: [PATCH 72/82] code format --- src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp b/src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp index b4d4f644712..96ecaa9ac51 100644 --- a/src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp +++ b/src/cascadia/TerminalSettingsModel/CascadiaSettings.cpp 
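Review bot: `isProfilesDefaultsOrigin` returns true when `profile.Origin()` is *not* `ProfilesDefaults`, so the name reads inverted relative to the logic, and now that the helpers are hoisted to namespace scope they no longer sit next to the `NEEDS_DUPLICATION` macros that explain their purpose. Add a short comment above each, e.g. `// True when the override source is a real profile (non-null and not from profiles.defaults), i.e. the setting must be copied by DuplicateProfile.` and `// Same test applied to a sub-object's SourceProfile().`, and mention that they are free templates rather than lambdas only to work around the static-analysis compiler crash named in the commit message, so nobody folds them back. `DuplicateProfile`, which the second hunk edits, continues outside the hunk.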
@@ -226,7 +226,7 @@ static bool isProfilesDefaultsOrigin(const T& profile) } template -static bool isProfilesDefaultsOriginSub(const T& sub) +static bool isProfilesDefaultsOriginSub(const T& sub) { return sub && isProfilesDefaultsOrigin(sub.SourceProfile()); } From 7d365e994956e91a2b416f5a611d5e702f8b4450 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 14 Dec 2021 14:26:26 -0800 Subject: [PATCH 73/82] extend timeout --- build/pipelines/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index d7bfa442aba..a386e93bbce 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -291,6 +291,7 @@ jobs: BuildConfiguration: Release BuildPlatform: x64 displayName: Validate Security and Compliance + timeoutInMinutes: 240 steps: - checkout: self clean: true From 5c402deeda7d97b4fda515bc92d8f28fec7082ac Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 14 Dec 2021 15:56:27 -0800 Subject: [PATCH 74/82] back to xfg --- build/pipelines/release.yml | 4 ++-- src/common.build.pre.props | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index a386e93bbce..b752d2f0666 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -433,13 +433,13 @@ jobs: - toolName: CheckCFlags enable: true - toolName: CFGCheck - enable: true + enable: false - toolName: Policheck enable: false - toolName: CredScan enable: false - toolName: XFGCheck - enable: false + enable: true - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign diff --git a/src/common.build.pre.props b/src/common.build.pre.props index 6348cb6b667..da4865da5f9 100644 --- a/src/common.build.pre.props +++ b/src/common.build.pre.props 
@@ -168,12 +168,12 @@ true NDEBUG;%(PreprocessorDefinitions) false - %(AdditionalOptions) + /d1guard:xfg /d2guardxfg %(AdditionalOptions) true true - /debugtype:cv,fixup %(AdditionalOptions) + /debugtype:cv,fixup /guard:xfg %(AdditionalOptions) From fc7b0097995d1be7a32fe630469327bad9471963 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 14 Dec 2021 16:01:56 -0800 Subject: [PATCH 75/82] add binskim explicitly? --- build/pipelines/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index b752d2f0666..53a9861c19e 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -406,6 +406,12 @@ jobs: debugMode: false continueOnError: true + - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 + displayName: 'Run BinSkim' + inputs: + TargetPattern: guardianGlob + AnalyzeTargetGlob: $(Build.SourcesDirectory)\bin\**.dll;$(Build.SourcesDirectory)\bin\**.exe + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' From 140227db7466ad26c9433c1420f4fccb54dcb788 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 15 Dec 2021 09:36:37 -0800 Subject: [PATCH 76/82] Add a lot of commentary and try to fix binskim search patterns --- build/pipelines/release.yml | 50 +++++++++++++++++++++++++++++++++++-- 1 file changed, 48 insertions(+), 2 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 53a9861c19e..14939a7134c 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
@@ -369,7 +369,24 @@ jobs: # # PREfast and PoliCheck need Node. Install that first. - task: NodeTool@0 + # !!! NOTE !!! Run PREfast first. Some of the other tasks are going to run on a completed build. + # PREfast is going to build the code as a part of its analysis and the generated sources + # and output binaries will be sufficient for the rest of the analysis. + # If you disable this, the other tasks won't likely work. You would have to add a build + # step instead that builds the code normally before calling them. + # Also... PREfast will rebuild anyway so that's why we're not running a normal build first. + # Waste of time to build twice. # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + + # The following 1ES tasks all operate completely differently and have a different syntax for usage. + # Most notable is every one of them has a different way of excluding things. + # Go see their 1eswiki.com pages to figure out how to exclude things. + # When writing exclusions, try to make them narrow so when new projects/binaries are added, they + # cause an error here and have to be explicitly pulled out. Don't write an exclusion so broad + # that it will catch other new stuff. + + # https://www.1eswiki.com/wiki/PREfast_Build_Task + # Builds the project with C/C++ static analysis tools to find coding flaws and vulnerabilities - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() 
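Review bot: The new comment says the later scans rely on PREfast having built the tree, yet the PREfast task keeps `condition: succeededOrFailed()` (context line at the end of the hunk), so it still runs after a failed restore or localization step and the downstream scans then run over whatever partial or empty `bin\` exists, and, as they are configured further down this job with `continueOnError: true`, report green. Either drop the condition so a broken prerequisite fails the job, or make the behavior explicit in the comment: `# NOTE: runs even if an earlier step failed; downstream scans will see a partial bin\ tree.` The job's step list continues outside this hunk.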
@@ -385,6 +402,9 @@ jobs: **\*.nativecodeanalysis.xml TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' + # https://www.1eswiki.com/index.php?title=PoliCheck_Build_Task + # Scans the text of source code, comments, and content for terminology that could be sensitive for legal, cultural, or geopolitical reasons. + # (Also finds vulgarities... takes all the fun out of everything.) - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 displayName: 'Run PoliCheck' inputs: @@ -397,6 +417,8 @@ jobs: optionsHMENABLE: 0 continueOnError: true + # https://www.1eswiki.com/wiki/CredScan_Azure_DevOps_Build_Task + # Searches through source code and build outputs for a credential left behind in the open - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 displayName: 'Run CredScan' inputs: 
@@ -406,15 +428,40 @@ jobs: debugMode: false continueOnError: true + # https://www.1eswiki.com/wiki/BinSkim_Build_Task + # Searches managed and unmanaged binaries for known security vulnerabilities. - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 displayName: 'Run BinSkim' inputs: TargetPattern: guardianGlob - AnalyzeTargetGlob: $(Build.SourcesDirectory)\bin\**.dll;$(Build.SourcesDirectory)\bin\**.exe + # See https://aka.ms/gdn-globs for how to do match patterns + AnalyzeTargetGlob: $(Build.SourcesDirectory)\bin\**.dll;$(Build.SourcesDirectory)\bin\**.exe;-:file|**\Microsoft.UI.Xaml.dll;-:file|**\Microsoft.Toolkit.Win32.UI.XamlHost.dll;-:file|**\vcruntime*.dll;-:file|**\vcomp*.dll;-:file|**\vccorlib*.dll;-:file|**\vcamp*.dll;-:file|**\msvcp*.dll;-:file|**\concrt*.dll;-:file|**\TerminalThemeHelpers*.dll;-:file|**\cpprest*.dll + continueOnError: true # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' + + # https://www.osgwiki.com/wiki/Package_ES_Security_and_Compliance + # Does a few things: + # - Ensures that Windows-required compliance tasks are run either inside this task + # or were run as a previous step prior to this one + # (PREfast, PoliCheck, Credscan) + # - Runs Windows-specific compliance tasks inside the task + # + CheckCFlags - ensures that compiler and linker flags meet Windows standards + # + CFGCheck/XFGCheck - ensures that Control Flow Guard (CFG) or + # eXtended Flow Guard (XFG) are enabled on binaries + # NOTE: CFG is deprecated and XFG isn't fully ready yet. + # NOTE2: CFG fails on an XFG'd binary + # - Brokers all security/compliance task logs to "Trust Services Automation (TSA)" (https://aka.ms/tsa) + # which is a system that maps all errors into the appropriate bug database + # template for each organization since they all vary. 
It should also suppress + # new bugs when one already exists for the product. + # This one is set up to go to the OS repository and use the given parameters + # to file bugs to our AzDO product path. + # If we don't use PkgESSecComp to do this for us, we need to install the TSA task + # ourselves in this pipeline to finalize data upload and bug creation. + # !!! NOTE !!! This task goes *LAST* after any other compliance tasks so it catches their logs - task: PkgESSecComp@10 displayName: 'Security and Compliance tasks' inputs: @@ -434,7 +481,6 @@ jobs: binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin # Set the tools to false if they should not run in the build - # MINIKSA NOTE: APPARENTLY CFGCHECK IS DEPRECATED. USE XFGCHECK INSTEAD TO SUPERSEDE IT. tools: - toolName: CheckCFlags enable: true From 0644e12b9cfa24e7e3664d7e3bab4570dc948bc3 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 15 Dec 2021 09:57:36 -0800 Subject: [PATCH 77/82] adjust binskim pattern --- build/pipelines/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 14939a7134c..93d8d9f384e 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
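Review bot: BinSkim is added with `continueOnError: true`, and the PkgESSecComp task it feeds keeps `errOnBugs: false` and `fileNewBugs: false`, so a BinSkim finding on a shipped binary neither fails this job nor opens a bug; that is defensible while onboarding but should be stated next to the task, e.g. `# TODO: compliance is advisory for now (continueOnError/errOnBugs); make it blocking once the baseline is clean.` The new comment `NOTE: CFG is deprecated and XFG isn't fully ready yet` conflates the tool with the mitigation: the earlier MINIKSA note this commit deletes said the CFGCheck *tool* is deprecated, whereas CFG itself remains the shipping mitigation that XFG extends, so reword it to `NOTE: the CFGCheck tool is reportedly deprecated in favour of XFGCheck; CFG the mitigation is still required.` The BinSkim exclusion list also mixes third-party redistributables with `TerminalThemeHelpers*.dll`, which looks first-party; if it is, put a one-line reason beside it so the exclusion is not mistaken for a redistributable.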
@@ -435,7 +435,7 @@ jobs: inputs: TargetPattern: guardianGlob # See https://aka.ms/gdn-globs for how to do match patterns - AnalyzeTargetGlob: $(Build.SourcesDirectory)\bin\**.dll;$(Build.SourcesDirectory)\bin\**.exe;-:file|**\Microsoft.UI.Xaml.dll;-:file|**\Microsoft.Toolkit.Win32.UI.XamlHost.dll;-:file|**\vcruntime*.dll;-:file|**\vcomp*.dll;-:file|**\vccorlib*.dll;-:file|**\vcamp*.dll;-:file|**\msvcp*.dll;-:file|**\concrt*.dll;-:file|**\TerminalThemeHelpers*.dll;-:file|**\cpprest*.dll + AnalyzeTargetGlob: $(Build.SourcesDirectory)\bin\**\*.dll;$(Build.SourcesDirectory)\bin\**\*.exe;-:file|**\Microsoft.UI.Xaml.dll;-:file|**\Microsoft.Toolkit.Win32.UI.XamlHost.dll;-:file|**\vcruntime*.dll;-:file|**\vcomp*.dll;-:file|**\vccorlib*.dll;-:file|**\vcamp*.dll;-:file|**\msvcp*.dll;-:file|**\concrt*.dll;-:file|**\TerminalThemeHelpers*.dll;-:file|**\cpprest*.dll continueOnError: true # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build From b880244755394b0b1b2b5aa07bf2110fe85e9e7f Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 15 Dec 2021 10:08:46 -0800 Subject: [PATCH 78/82] Revert "back to xfg" This reverts commit 5c402deeda7d97b4fda515bc92d8f28fec7082ac. --- build/pipelines/release.yml | 4 ++-- src/common.build.pre.props | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 93d8d9f384e..db72512750a 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -485,13 +485,13 @@ jobs: - toolName: CheckCFlags enable: true - toolName: CFGCheck - enable: false + enable: true - toolName: Policheck enable: false - toolName: CredScan enable: false - toolName: XFGCheck - enable: true + enable: false - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign diff --git a/src/common.build.pre.props b/src/common.build.pre.props index da4865da5f9..6348cb6b667 100644 --- a/src/common.build.pre.props +++ b/src/common.build.pre.props 
@@ -168,12 +168,12 @@ true NDEBUG;%(PreprocessorDefinitions) false - /d1guard:xfg /d2guardxfg %(AdditionalOptions) + %(AdditionalOptions) true true - /debugtype:cv,fixup /guard:xfg %(AdditionalOptions) + /debugtype:cv,fixup %(AdditionalOptions) From 567a0bab5795324bbcc97248dcf1f706174a9a69 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 15 Dec 2021 11:18:20 -0800 Subject: [PATCH 79/82] note --- build/pipelines/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index db72512750a..f3b3c4bb903 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -387,6 +387,7 @@ jobs: # https://www.1eswiki.com/wiki/PREfast_Build_Task # Builds the project with C/C++ static analysis tools to find coding flaws and vulnerabilities + # !!! WARNING !!! It doesn't work with WAPPROJ packaging projects. Build the sub-projects instead. - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 displayName: 'Run the PREfast SDL Native Rules for MSBuild' condition: succeededOrFailed() From 510b8ddd50ca78dc2af6bef53d8d860a6765beb7 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 15 Dec 2021 12:23:51 -0800 Subject: [PATCH 80/82] spellcheck --- .github/actions/spelling/expect/expect.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/actions/spelling/expect/expect.txt b/.github/actions/spelling/expect/expect.txt index 6609373476a..6ca791465a0 100644 --- a/.github/actions/spelling/expect/expect.txt +++ b/.github/actions/spelling/expect/expect.txt @@ -938,6 +938,7 @@ groupbox gset gsl GTP +guardxfg guc gui guidatom @@ -2818,6 +2819,7 @@ xdy XEncoding xes xff +xfg XFile XFORM XManifest From 40381eb777741fcad30fa759df34fa8971f579d9 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Wed, 15 Dec 2021 13:00:52 -0800 Subject: [PATCH 81/82] need to restore pgo step too --- build/pipelines/release.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) 
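Review bot: After this revert the link line carries no `/guard:` switch and the props file gives no hint why, while the rationale (XFGCheck not ready, CFGCheck failing on XFG'd binaries) lives only in a release.yml comment; the next person to re-add `/guard:xfg` here will not know the compliance toggles must flip with it. Add a pointer at the changed line, e.g. `<!-- XFG (/d1guard:xfg /d2guardxfg, /guard:xfg) intentionally off: see the CFGCheck/XFGCheck notes in build/pipelines/release.yml -->`. The enclosing MSBuild element starts and ends outside the hunk.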
diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index 49f38be400a..f7dde6deac1 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml @@ -306,6 +306,16 @@ jobs: inputs: versionSpec: 5.10 - task: NuGetAuthenticate@0 + # In the Microsoft Azure DevOps tenant, NuGetCommand is ambiguous. + # This should be `task: NuGetCommand@2` + - task: 333b11bd-d341-40d9-afcf-b32d5ce6f23b@2 + displayName: Restore NuGet packages for extraneous build actions + inputs: + command: restore + feedsToUse: config + configPath: NuGet.config + restoreSolution: build/packages.config + restoreDirectory: '$(Build.SourcesDirectory)\packages' - task: NuGetCommand@2 displayName: NuGet custom inputs: From c641dee9413032c45376536ce6a50b76b95d1441 Mon Sep 17 00:00:00 2001 From: Michael Niksa Date: Tue, 4 Jan 2022 15:06:00 -0800 Subject: [PATCH 82/82] separate out compliance job, I think? --- build/pipelines/release.yml | 226 +----------------- .../build-console-compliance-job.yml | 224 +++++++++++++++++ 2 files changed, 226 insertions(+), 224 deletions(-) create mode 100644 build/pipelines/templates/build-console-compliance-job.yml diff --git a/build/pipelines/release.yml b/build/pipelines/release.yml index f7dde6deac1..1bcf0c601b8 100644 --- a/build/pipelines/release.yml +++ b/build/pipelines/release.yml 
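Review bot: The new restore step references the config as `configPath: NuGet.config` while the existing custom step right below uses `nugetConfigPath: NuGet.Config`; harmless on a case-insensitive Windows agent, but worth aligning to the file's real name so a later move to a case-sensitive tool or agent does not silently restore from the default public feed. The comment explaining the GUID is useful; consider extending it with `# Pinned by id because a same-named task exists in this tenant; resolve back to NuGetCommand@2 once the collision is gone.` so the workaround has an exit condition. The job's step list continues outside this hunk.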
@@ -270,230 +270,8 @@ jobs: SymbolServerType: TeamServices - ${{ if eq(parameters.runCompliance, true) }}: - - job: Compliance - # We don't *need* a matrix but there's no other way to set parameters on a "job" - # in the AzDO YAML syntax. It would have to be a "stage" or a "template". - # Doesn't matter. We're going to do compliance on Release x64 because - # that's the one all the tooling works against for sure. - strategy: - matrix: - Release_x64: - BuildConfiguration: Release - BuildPlatform: x64 - displayName: Validate Security and Compliance - timeoutInMinutes: 240 - steps: - - checkout: self - clean: true - submodules: true - persistCredentials: True - - task: PkgESSetupBuild@12 - displayName: Package ES - Setup Build - inputs: - disableOutputRedirect: true - - task: PowerShell@2 - displayName: Rationalize Build Platform - inputs: - targetType: inline - script: >- - $Arch = "$(BuildPlatform)" - - If ($Arch -Eq "x86") { $Arch = "Win32" } - - Write-Host "##vso[task.setvariable variable=RationalizedBuildPlatform]${Arch}" - - task: NuGetToolInstaller@1 - displayName: Use NuGet 5.10 - inputs: - versionSpec: 5.10 - - task: NuGetAuthenticate@0 - # In the Microsoft Azure DevOps tenant, NuGetCommand is ambiguous. 
- # This should be `task: NuGetCommand@2` - - task: 333b11bd-d341-40d9-afcf-b32d5ce6f23b@2 - displayName: Restore NuGet packages for extraneous build actions - inputs: - command: restore - feedsToUse: config - configPath: NuGet.config - restoreSolution: build/packages.config - restoreDirectory: '$(Build.SourcesDirectory)\packages' - - task: NuGetCommand@2 - displayName: NuGet custom - inputs: - command: custom - selectOrConfig: config - nugetConfigPath: NuGet.Config - arguments: restore OpenConsole.sln -SolutionDirectory $(Build.SourcesDirectory) - - task: UniversalPackages@0 - displayName: Download terminal-internal Universal Package - inputs: - feedListDownload: 2b3f8893-a6e8-411f-b197-a9e05576da48 - packageListDownload: e82d490c-af86-4733-9dc4-07b772033204 - versionListDownload: $(TerminalInternalPackageVersion) - - task: TouchdownBuildTask@1 - displayName: Download Localization Files - inputs: - teamId: 7105 - authId: $(TouchdownAppId) - authKey: $(TouchdownAppKey) - resourceFilePath: >- - src\cascadia\TerminalApp\Resources\en-US\Resources.resw - - src\cascadia\TerminalControl\Resources\en-US\Resources.resw - - src\cascadia\TerminalConnection\Resources\en-US\Resources.resw - - src\cascadia\TerminalSettingsModel\Resources\en-US\Resources.resw - - src\cascadia\TerminalSettingsEditor\Resources\en-US\Resources.resw - - src\cascadia\WindowsTerminalUniversal\Resources\en-US\Resources.resw - - src\cascadia\CascadiaPackage\Resources\en-US\Resources.resw - appendRelativeDir: true - localizationTarget: false - pseudoSetting: Included - - task: PowerShell@2 - displayName: Move Loc files one level up - inputs: - targetType: inline - script: >- - $Files = Get-ChildItem . -R -Filter 'Resources.resw' | ? FullName -Like '*en-US\*\Resources.resw' - - $Files | % { Move-Item -Verbose $_.Directory $_.Directory.Parent.Parent -EA:Ignore } - pwsh: true - - # 1ES Component Governance onboarding (Detects open source components). 
See https://docs.opensource.microsoft.com/tools/cg.html - - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 - displayName: Component Detection - - # # PREfast and PoliCheck need Node. Install that first. - - task: NodeTool@0 - - # !!! NOTE !!! Run PREfast first. Some of the other tasks are going to run on a completed build. - # PREfast is going to build the code as a part of its analysis and the generated sources - # and output binaries will be sufficient for the rest of the analysis. - # If you disable this, the other tasks won't likely work. You would have to add a build - # step instead that builds the code normally before calling them. - # Also... PREfast will rebuild anyway so that's why we're not running a normal build first. - # Waste of time to build twice. - # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task - - # The following 1ES tasks all operate completely differently and have a different syntax for usage. - # Most notable is every one of them has a different way of excluding things. - # Go see their 1eswiki.com pages to figure out how to exclude things. - # When writing exclusions, try to make them narrow so when new projects/binaries are added, they - # cause an error here and have to be explicitly pulled out. Don't write an exclusion so broad - # that it will catch other new stuff. - - # https://www.1eswiki.com/wiki/PREfast_Build_Task - # Builds the project with C/C++ static analysis tools to find coding flaws and vulnerabilities - # !!! WARNING !!! It doesn't work with WAPPROJ packaging projects. Build the sub-projects instead. 
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 - displayName: 'Run the PREfast SDL Native Rules for MSBuild' - condition: succeededOrFailed() - inputs: - msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln - - # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp - - task: CopyFiles@1 - displayName: 'Copy PREfast xml files to SDLNativeRulesDir' - inputs: - SourceFolder: '$(Agent.BuildDirectory)' - Contents: | - **\*.nativecodeanalysis.xml - TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' - - # https://www.1eswiki.com/index.php?title=PoliCheck_Build_Task - # Scans the text of source code, comments, and content for terminology that could be sensitive for legal, cultural, or geopolitical reasons. - # (Also finds vulgarities... takes all the fun out of everything.) 
- - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 - displayName: 'Run PoliCheck' - inputs: - targetType: F - targetArgument: $(Build.SourcesDirectory) - result: PoliCheck.xml - optionsFC: 1 - optionsXS: 1 - optionsUEPath: $(Build.SourcesDirectory)\build\config\PolicheckExclusions.xml - optionsHMENABLE: 0 - continueOnError: true - - # https://www.1eswiki.com/wiki/CredScan_Azure_DevOps_Build_Task - # Searches through source code and build outputs for a credential left behind in the open - - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 - displayName: 'Run CredScan' - inputs: - outputFormat: pre - # suppressionsFile: LocalSuppressions.json - batchSize: 20 - debugMode: false - continueOnError: true - - # https://www.1eswiki.com/wiki/BinSkim_Build_Task - # Searches managed and unmanaged binaries for known security vulnerabilities. - - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 - displayName: 'Run BinSkim' - inputs: - TargetPattern: guardianGlob - # See https://aka.ms/gdn-globs for how to do match patterns - AnalyzeTargetGlob: $(Build.SourcesDirectory)\bin\**\*.dll;$(Build.SourcesDirectory)\bin\**\*.exe;-:file|**\Microsoft.UI.Xaml.dll;-:file|**\Microsoft.Toolkit.Win32.UI.XamlHost.dll;-:file|**\vcruntime*.dll;-:file|**\vcomp*.dll;-:file|**\vccorlib*.dll;-:file|**\vcamp*.dll;-:file|**\msvcp*.dll;-:file|**\concrt*.dll;-:file|**\TerminalThemeHelpers*.dll;-:file|**\cpprest*.dll - continueOnError: true - - # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build - - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” - displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' - - # https://www.osgwiki.com/wiki/Package_ES_Security_and_Compliance - # Does a few things: - # - Ensures that Windows-required compliance tasks are run either inside this task - # or were run as a previous step prior to this 
one - # (PREfast, PoliCheck, Credscan) - # - Runs Windows-specific compliance tasks inside the task - # + CheckCFlags - ensures that compiler and linker flags meet Windows standards - # + CFGCheck/XFGCheck - ensures that Control Flow Guard (CFG) or - # eXtended Flow Guard (XFG) are enabled on binaries - # NOTE: CFG is deprecated and XFG isn't fully ready yet. - # NOTE2: CFG fails on an XFG'd binary - # - Brokers all security/compliance task logs to "Trust Services Automation (TSA)" (https://aka.ms/tsa) - # which is a system that maps all errors into the appropriate bug database - # template for each organization since they all vary. It should also suppress - # new bugs when one already exists for the product. - # This one is set up to go to the OS repository and use the given parameters - # to file bugs to our AzDO product path. - # If we don't use PkgESSecComp to do this for us, we need to install the TSA task - # ourselves in this pipeline to finalize data upload and bug creation. - # !!! NOTE !!! 
This task goes *LAST* after any other compliance tasks so it catches their logs - - task: PkgESSecComp@10 - displayName: 'Security and Compliance tasks' - inputs: - fileNewBugs: false - areaPath: 'OS\WDX\DXP\WinDev\Terminal' - teamProject: 'OS' - iterationPath: 'OS\Future' - bugTags: 'TerminalReleaseCompliance' - scanAll: true - errOnBugs: false - failOnStdErr: true - taskLogVerbosity: Diagnostic - secCompConfigFromTask: | - # Overrides default build sources directory - sourceTargetOverrideAll: $(Build.SourcesDirectory) - # Overrides default build binaries directory when "Scan all" option is specified - binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin - - # Set the tools to false if they should not run in the build - tools: - - toolName: CheckCFlags - enable: true - - toolName: CFGCheck - enable: true - - toolName: Policheck - enable: false - - toolName: CredScan - enable: false - - toolName: XFGCheck - enable: false - + - template: ./templates/build-console-compliance-job.yml + - ${{ if eq(parameters.buildTerminal, true) }}: - job: BundleAndSign displayName: Create and sign AppX/MSIX bundles diff --git a/build/pipelines/templates/build-console-compliance-job.yml b/build/pipelines/templates/build-console-compliance-job.yml new file mode 100644 index 00000000000..ea42382193f --- /dev/null +++ b/build/pipelines/templates/build-console-compliance-job.yml 
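Review bot: The job is swapped for `- template: ./templates/build-console-compliance-job.yml` with no `parameters:` on the include, yet the PREfast command line being moved used `${{ parameters.branding }}` (visible in the removed lines), and the new template file opens directly with `jobs:` with no `parameters:` block declared; if the moved step still references `parameters.branding`, template expansion will fail or the branding argument will be empty, and that part of the template is not visible in this chunk. Pass it through explicitly, `- template: ./templates/build-console-compliance-job.yml` / `parameters:` / `branding: ${{ parameters.branding }}`, and declare a matching `parameters:` entry (`- name: branding`, `type: string`) at the top of the template.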
@@ -0,0 +1,224 @@ +jobs: +- job: Compliance + # We don't *need* a matrix but there's no other way to set parameters on a "job" + # in the AzDO YAML syntax. It would have to be a "stage" or a "template". + # Doesn't matter. We're going to do compliance on Release x64 because + # that's the one all the tooling works against for sure. + strategy: + matrix: + Release_x64: + BuildConfiguration: Release + BuildPlatform: x64 + displayName: Validate Security and Compliance + timeoutInMinutes: 240 + steps: + - checkout: self + clean: true + submodules: true + persistCredentials: True + - task: PkgESSetupBuild@12 + displayName: Package ES - Setup Build + inputs: + disableOutputRedirect: true + - task: PowerShell@2 + displayName: Rationalize Build Platform + inputs: + targetType: inline + script: >- + $Arch = "$(BuildPlatform)" + + If ($Arch -Eq "x86") { $Arch = "Win32" } + + Write-Host "##vso[task.setvariable variable=RationalizedBuildPlatform]${Arch}" + - task: NuGetToolInstaller@1 + displayName: Use NuGet 5.10 + inputs: + versionSpec: 5.10 + - task: NuGetAuthenticate@0 + # In the Microsoft Azure DevOps tenant, NuGetCommand is ambiguous. 
+ # This should be `task: NuGetCommand@2` + - task: 333b11bd-d341-40d9-afcf-b32d5ce6f23b@2 + displayName: Restore NuGet packages for extraneous build actions + inputs: + command: restore + feedsToUse: config + configPath: NuGet.config + restoreSolution: build/packages.config + restoreDirectory: '$(Build.SourcesDirectory)\packages' + - task: NuGetCommand@2 + displayName: NuGet custom + inputs: + command: custom + selectOrConfig: config + nugetConfigPath: NuGet.Config + arguments: restore OpenConsole.sln -SolutionDirectory $(Build.SourcesDirectory) + - task: UniversalPackages@0 + displayName: Download terminal-internal Universal Package + inputs: + feedListDownload: 2b3f8893-a6e8-411f-b197-a9e05576da48 + packageListDownload: e82d490c-af86-4733-9dc4-07b772033204 + versionListDownload: $(TerminalInternalPackageVersion) + - task: TouchdownBuildTask@1 + displayName: Download Localization Files + inputs: + teamId: 7105 + authId: $(TouchdownAppId) + authKey: $(TouchdownAppKey) + resourceFilePath: >- + src\cascadia\TerminalApp\Resources\en-US\Resources.resw + + src\cascadia\TerminalControl\Resources\en-US\Resources.resw + + src\cascadia\TerminalConnection\Resources\en-US\Resources.resw + + src\cascadia\TerminalSettingsModel\Resources\en-US\Resources.resw + + src\cascadia\TerminalSettingsEditor\Resources\en-US\Resources.resw + + src\cascadia\WindowsTerminalUniversal\Resources\en-US\Resources.resw + + src\cascadia\CascadiaPackage\Resources\en-US\Resources.resw + appendRelativeDir: true + localizationTarget: false + pseudoSetting: Included + - task: PowerShell@2 + displayName: Move Loc files one level up + inputs: + targetType: inline + script: >- + $Files = Get-ChildItem . -R -Filter 'Resources.resw' | ? FullName -Like '*en-US\*\Resources.resw' + + $Files | % { Move-Item -Verbose $_.Directory $_.Directory.Parent.Parent -EA:Ignore } + pwsh: true + + # 1ES Component Governance onboarding (Detects open source components). 
See https://docs.opensource.microsoft.com/tools/cg.html + - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 + displayName: Component Detection + + # # PREfast and PoliCheck need Node. Install that first. + - task: NodeTool@0 + + # !!! NOTE !!! Run PREfast first. Some of the other tasks are going to run on a completed build. + # PREfast is going to build the code as a part of its analysis and the generated sources + # and output binaries will be sufficient for the rest of the analysis. + # If you disable this, the other tasks won't likely work. You would have to add a build + # step instead that builds the code normally before calling them. + # Also... PREfast will rebuild anyway so that's why we're not running a normal build first. + # Waste of time to build twice. + # PREfast. See https://www.1eswiki.com/wiki/SDL_Native_Rules_Build_Task + + # The following 1ES tasks all operate completely differently and have a different syntax for usage. + # Most notable is every one of them has a different way of excluding things. + # Go see their 1eswiki.com pages to figure out how to exclude things. + # When writing exclusions, try to make them narrow so when new projects/binaries are added, they + # cause an error here and have to be explicitly pulled out. Don't write an exclusion so broad + # that it will catch other new stuff. + + # https://www.1eswiki.com/wiki/PREfast_Build_Task + # Builds the project with C/C++ static analysis tools to find coding flaws and vulnerabilities + # !!! WARNING !!! It doesn't work with WAPPROJ packaging projects. Build the sub-projects instead. 
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@3 + displayName: 'Run the PREfast SDL Native Rules for MSBuild' + condition: succeededOrFailed() + inputs: + msBuildCommandline: msbuild.exe /nologo /m /p:WindowsTerminalOfficialBuild=true /p:WindowsTerminalBranding=${{ parameters.branding }} /p:WindowsTerminalReleaseBuild=true /p:platform=$(BuildPlatform) /p:configuration=$(BuildConfiguration) /t:Terminal\Window\WindowsTerminal /p:VisualStudioVersion=16.0 $(Build.SourcesDirectory)\OpenConsole.sln + + # Copies output from PREfast SDL Native Rules task to expected location for consumption by PkgESSecComp + - task: CopyFiles@1 + displayName: 'Copy PREfast xml files to SDLNativeRulesDir' + inputs: + SourceFolder: '$(Agent.BuildDirectory)' + Contents: | + **\*.nativecodeanalysis.xml + TargetFolder: '$(Agent.BuildDirectory)\_sdt\logs\SDLNativeRules' + + # https://www.1eswiki.com/index.php?title=PoliCheck_Build_Task + # Scans the text of source code, comments, and content for terminology that could be sensitive for legal, cultural, or geopolitical reasons. + # (Also finds vulgarities... takes all the fun out of everything.) 
+ - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2 + displayName: 'Run PoliCheck' + inputs: + targetType: F + targetArgument: $(Build.SourcesDirectory) + result: PoliCheck.xml + optionsFC: 1 + optionsXS: 1 + optionsUEPath: $(Build.SourcesDirectory)\build\config\PolicheckExclusions.xml + optionsHMENABLE: 0 + continueOnError: true + + # https://www.1eswiki.com/wiki/CredScan_Azure_DevOps_Build_Task + # Searches through source code and build outputs for a credential left behind in the open + - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3 + displayName: 'Run CredScan' + inputs: + outputFormat: pre + # suppressionsFile: LocalSuppressions.json + batchSize: 20 + debugMode: false + continueOnError: true + + # https://www.1eswiki.com/wiki/BinSkim_Build_Task + # Searches managed and unmanaged binaries for known security vulnerabilities. + - task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 + displayName: 'Run BinSkim' + inputs: + TargetPattern: guardianGlob + # See https://aka.ms/gdn-globs for how to do match patterns + AnalyzeTargetGlob: $(Build.SourcesDirectory)\bin\**\*.dll;$(Build.SourcesDirectory)\bin\**\*.exe;-:file|**\Microsoft.UI.Xaml.dll;-:file|**\Microsoft.Toolkit.Win32.UI.XamlHost.dll;-:file|**\vcruntime*.dll;-:file|**\vcomp*.dll;-:file|**\vccorlib*.dll;-:file|**\vcamp*.dll;-:file|**\msvcp*.dll;-:file|**\concrt*.dll;-:file|**\TerminalThemeHelpers*.dll;-:file|**\cpprest*.dll + continueOnError: true + + # Set XES_SERIALPOSTBUILDREADY to run Security and Compliance task once per build + - powershell: Write-Host “##vso[task.setvariable variable=XES_SERIALPOSTBUILDREADY;]true” + displayName: 'Set XES_SERIALPOSTBUILDREADY Vars' + + # https://www.osgwiki.com/wiki/Package_ES_Security_and_Compliance + # Does a few things: + # - Ensures that Windows-required compliance tasks are run either inside this task + # or were run as a previous step prior to this 
one + # (PREfast, PoliCheck, Credscan) + # - Runs Windows-specific compliance tasks inside the task + # + CheckCFlags - ensures that compiler and linker flags meet Windows standards + # + CFGCheck/XFGCheck - ensures that Control Flow Guard (CFG) or + # eXtended Flow Guard (XFG) are enabled on binaries + # NOTE: CFG is deprecated and XFG isn't fully ready yet. + # NOTE2: CFG fails on an XFG'd binary + # - Brokers all security/compliance task logs to "Trust Services Automation (TSA)" (https://aka.ms/tsa) + # which is a system that maps all errors into the appropriate bug database + # template for each organization since they all vary. It should also suppress + # new bugs when one already exists for the product. + # This one is set up to go to the OS repository and use the given parameters + # to file bugs to our AzDO product path. + # If we don't use PkgESSecComp to do this for us, we need to install the TSA task + # ourselves in this pipeline to finalize data upload and bug creation. + # !!! NOTE !!! This task goes *LAST* after any other compliance tasks so it catches their logs + - task: PkgESSecComp@10 + displayName: 'Security and Compliance tasks' + inputs: + fileNewBugs: false + areaPath: 'OS\WDX\DXP\WinDev\Terminal' + teamProject: 'OS' + iterationPath: 'OS\Future' + bugTags: 'TerminalReleaseCompliance' + scanAll: true + errOnBugs: false + failOnStdErr: true + taskLogVerbosity: Diagnostic + secCompConfigFromTask: | + # Overrides default build sources directory + sourceTargetOverrideAll: $(Build.SourcesDirectory) + # Overrides default build binaries directory when "Scan all" option is specified + binariesTargetOverrideAll: $(Build.SourcesDirectory)\bin + + # Set the tools to false if they should not run in the build + tools: + - toolName: CheckCFlags + enable: true + - toolName: CFGCheck + enable: true + - toolName: Policheck + enable: false + - toolName: CredScan + enable: false + - toolName: XFGCheck + enable: false \ No newline at end of file
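Review bot: `persistCredentials: True` on the checkout step keeps the pipeline's OAuth token in the local git config for every later step in the job, but none of the visible steps push or otherwise use git afterwards, so the token stays available to the scanner, NuGet and localization tasks for no benefit; drop the line or set `persistCredentials: false`. If it really is needed, the value should at least match the lowercase `true` used on `clean` and `submodules` just above it. Separately, `versionSpec: 5.10` on NuGetToolInstaller is an unquoted float that a generic YAML loader reads as 5.1; quoting it as `versionSpec: '5.10'` removes the ambiguity.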