From 150d81ec8dad2d6d5db4dbc842d8e49ffceecc99 Mon Sep 17 00:00:00 2001 From: James Truher Date: Tue, 5 Jan 2021 16:07:00 -0800 Subject: [PATCH 01/36] First cut at new release/signing build yml --- .ci/releaseBuild.yml | 153 ++++++++++++++++++ Engine/Engine.csproj | 4 +- Engine/PSScriptAnalyzer.psd1 | 2 +- ...osoft.PowerShell.CrossCompatibility.csproj | 4 +- Rules/Rules.csproj | 4 +- build.ps1 | 10 +- build.psm1 | 18 +++ 7 files changed, 187 insertions(+), 8 deletions(-) create mode 100644 .ci/releaseBuild.yml diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml new file mode 100644 index 000000000..fef4d5d6e --- /dev/null +++ b/.ci/releaseBuild.yml 
@@ -0,0 +1,153 @@ +name: PSSA-Release-$(Build.BuildId) +trigger: none + +pr: + branches: + include: + - master + - release* + +variables: + DOTNET_CLI_TELEMETRY_OPTOUT: 1 + POWERSHELL_TELEMETRY_OPTOUT: 1 + +resources: + repositories: + - repository: ComplianceRepo + type: github + endpoint: ComplianceGHRepo + name: PowerShell/compliance + ref: master + +stages: +- stage: Build + displayName: Build + pool: + name: Package ES CodeHub Lab E + jobs: + - job: Build_Job + displayName: Build Microsoft.PowerShell.ScriptAnalyzer + variables: + - group: ESRP + steps: + - checkout: self + + - pwsh: | + Set-Location "$(Build.SourcesDirectory)/PSScriptAnalyzer" + ./build.ps1 + Get-ChildItem -Recurse -File -Name | Write-Verbose -Verbose + displayName: Execute build + + - pwsh: | + $signSrcPath = "$(Build.SourcesDirectory)/PSScriptAnalyzer/out" + # Set signing src path variable + $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + + $signOutPath = "$(Build.SourcesDirectory)/PSScriptAnalyzer/signed" + $null = New-Item -ItemType Directory -Path $signOutPath + # Set signing out path variable + $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + + # Set path variable for guardian codesign validation + $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${signOutPath}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + + displayName: Setup variables for signing + + - checkout: ComplianceRepo + + - template: EsrpSign.yml@ComplianceRepo + displayName: "Sign analyzer files" + parameters: + # the folder which contains the binaries to sign + buildOutputPath: $(signSrcPath) + # the location to put the signed output + signOutputPath: $(signOutPath) + # the certificate ID to use + certificateId: "CP-230012" + # use 
minimatch because we need to exclude the NewtonSoft assembly + useMinimatch: true + # the file pattern to use - exclude NewtonSoft + pattern: | + **\*.psd1 + **\*.psm1 + **\*.ps1xml + **\Microsoft*.dll + + - template: EsrpSign.yml@ComplianceRepo + displayName: "Sign Newtonsoft files with 3rd party cert" + parameters: + # the folder which contains the binaries to sign + buildOutputPath: $(signSrcPath) + # the location to put the signed output + signOutputPath: $(signOutPath) + # the certificate ID to use + # we'll need to change this to the 3rd party cert id + certificateId: "CP-230012" + # the file pattern to use - exclude newtonsoft + pattern: 'Newtonsoft*.dll' + + - pwsh: | + Set-Location "$(Build.SourcesDirectory)/signed" + Get-ChildItem -recurse -file -name | Write-Verbose -Verbose + displayName: Copy signed files + + - pwsh: | + ./build -BuildNupkg + displayName: Create nupkg for publishing + + - publish: "$(signSrcPath)" + artifact: build + displayName: Publish signed files + + - publish: "$(Build.SourcesDirectory)/PSScriptAnalyzer/out" + artifact: build + displayName: publish out directory + +- stage: compliance + displayName: Compliance + dependsOn: Build + jobs: + - job: Compliance_Job + pool: + name: Package ES CodeHub Lab E + steps: + - checkout: self + - checkout: ComplianceRepo + - download: current + artifact: build + + - pwsh: | + Get-ChildItem -Path "$(Pipeline.Workspace)\build" -Recurse + displayName: Capture downloaded artifacts + + - template: script-module-compliance.yml@ComplianceRepo + parameters: + # component-governance + sourceScanPath: '$(Build.SourcesDirectory)/PSScriptAnalyzer' + # credscan + suppressionsFile: '$(Build.SourceDirectory)/PSScriptAnalyzer/tools/ReleaseBuild/CredScan.Suppressions.json' + # TermCheck + optionsRulesDBPath: '' + optionsFTPath: '' + # tsa-upload + codeBaseName: 'PSSA_202004' + # selections + APIScan: false # set to false when not using Windows APIs. 
+ +#- template: template/publish.yml +# parameters: +# stageName: AzArtifactsFeed +# environmentName: +# feedCredential: + +#- template: template/publish.yml +# parameters: +# stageName: NuGet +# environmentName: PSMarkdownRenderNuGetApproval +# feedCredential: NugetOrgPush diff --git a/Engine/Engine.csproj b/Engine/Engine.csproj index 64a07032e..b611b09f1 100644 --- a/Engine/Engine.csproj +++ b/Engine/Engine.csproj @@ -1,10 +1,10 @@  - 1.19.1 + 1.19.2 netcoreapp3.1;net452 Microsoft.Windows.PowerShell.ScriptAnalyzer - 1.19.1 + 1.19.2 Engine Microsoft.Windows.PowerShell.ScriptAnalyzer diff --git a/Engine/PSScriptAnalyzer.psd1 b/Engine/PSScriptAnalyzer.psd1 index 423f8e42b..971fbab53 100644 --- a/Engine/PSScriptAnalyzer.psd1 +++ b/Engine/PSScriptAnalyzer.psd1 @@ -11,7 +11,7 @@ Author = 'Microsoft Corporation' RootModule = 'PSScriptAnalyzer.psm1' # Version number of this module. -ModuleVersion = '1.19.1' +ModuleVersion = '1.19.2' # ID used to uniquely identify this module GUID = 'd6245802-193d-4068-a631-8863a4342a18' diff --git a/PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj b/PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj index 40e03f2ab..81e58524f 100644 --- a/PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj +++ b/PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj @@ -1,9 +1,9 @@  - 1.19.1 + 1.19.2 netstandard2.0;net452 - 1.19.1 + 1.19.2 diff --git a/Rules/Rules.csproj b/Rules/Rules.csproj index 2fcf8f225..b8b199f84 100644 --- a/Rules/Rules.csproj +++ b/Rules/Rules.csproj @@ -1,10 +1,10 @@  - 1.19.1 + 1.19.2 netcoreapp3.1;net452 Microsoft.Windows.PowerShell.ScriptAnalyzer.BuiltinRules - 1.19.1 + 1.19.2 Rules Microsoft.Windows.PowerShell.ScriptAnalyzer 
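Review bot: The `pr:` trigger on `master`/`release*` lets this pipeline run for pull-request builds even though the Build job pulls the `ESRP` variable group and runs the `EsrpSign.yml@ComplianceRepo` templates; a release/signing pipeline is normally `trigger: none` plus `pr: none` and is started manually or from a protected branch so unreviewed changes cannot reach the signing steps (whether secrets are exposed to fork PRs depends on pipeline settings this file does not show). `pr: none` would replace the four-line `pr:` block. Separately, `Write-Host "sending " + $vstsCommandString` passes `+` as a literal argument in PowerShell and logs `sending + vso[...]`; `Write-Host "sending $vstsCommandString"` gives the intended line, and the same idiom appears twice more in that step.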
diff --git a/build.ps1 b/build.ps1 index 1f4687b84..23ab938a1 100644 --- a/build.ps1 +++ b/build.ps1 @@ -37,7 +37,11 @@ param( [switch] $Bootstrap, [Parameter(ParameterSetName='BuildAll')] - [switch] $Catalog + [switch] $Catalog, + + [Parameter(ParameterSetName='BuildAll')] + [Parameter(ParameterSetName='BuildOne')] + [switch] $BuildNupkg ) @@ -93,4 +97,8 @@ END { throw "Unexpected parameter set '$setName'" } } + + if ( $BuildNupkg ) { + Start-CreatePackage + } } diff --git a/build.psm1 b/build.psm1 index 8a61674ee..926cc01bb 100644 --- a/build.psm1 +++ b/build.psm1 @@ -756,3 +756,21 @@ function Copy-CrossCompatibilityModule } } } + +# creates the nuget package which can be used for publishing to the gallery +function Start-CreatePackage +{ + try { + $repoPath = [io.path]::GetTempPath() + $repoName = $repoPath.Replace(([io.path]::DirectorySeparatorChar),$null) + $nupkgDir = Join-Path $PSScriptRoot out + $repo = Register-PSRepository -Name $repoName -PublishLocation $repoPath -InstallationPolicy Trusted -SourceLocation $repoPath + Set-Location $nupkgDir + Publish-Module -Path $PWD/PSScriptAnalyzer -Repository $repoName + Copy-Item $repoPath/*.nupkg $nupkgDir + } + finally { + Unregister-PSRepository -Name $repoName + Remove-Item -Recurse $repoPath -WhatIf + } +} From 7943547ee9a84acd586283d6f2fdc477aaa71aa9 Mon Sep 17 00:00:00 2001 From: James Truher Date: Tue, 5 Jan 2021 17:36:56 -0800 Subject: [PATCH 02/36] remove display name from incorrect location --- .ci/releaseBuild.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index fef4d5d6e..002c7454f 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -62,7 +62,6 @@ stages: - checkout: ComplianceRepo - template: EsrpSign.yml@ComplianceRepo - displayName: "Sign analyzer files" parameters: # the folder which contains the binaries to sign buildOutputPath: $(signSrcPath) 
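Review bot: `Start-CreatePackage` registers the machine-wide temp directory from `[io.path]::GetTempPath()` as a Trusted PSRepository and then copies `$repoPath/*.nupkg` into `out`, so on a shared build agent any .nupkg already sitting in that directory — stale output from another job or an unrelated tool — is swept into the release output alongside the freshly published one. The `finally` block's `Remove-Item -Recurse $repoPath -WhatIf` also targets the whole temp directory, which would be destructive if the `-WhatIf` were ever dropped. A per-run subdirectory, `$repoPath = Join-Path ([io.path]::GetTempPath()) ([guid]::NewGuid().ToString())` created with `New-Item -ItemType Directory`, scopes both the repository and the cleanup to this invocation; PATCH 08 later drops the temp path in favour of `out`, which addresses the first point. The function is complete within the hunk.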
@@ -80,7 +79,6 @@ stages: **\Microsoft*.dll - template: EsrpSign.yml@ComplianceRepo - displayName: "Sign Newtonsoft files with 3rd party cert" parameters: # the folder which contains the binaries to sign buildOutputPath: $(signSrcPath) From 232cb2850f47668167f33e8198f0d31d6c9c380b Mon Sep 17 00:00:00 2001 From: James Truher Date: Wed, 6 Jan 2021 14:14:24 -0800 Subject: [PATCH 03/36] change paths for changes in build system --- .ci/releaseBuild.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 002c7454f..5af339b2e 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -33,19 +33,21 @@ stages: - checkout: self - pwsh: | - Set-Location "$(Build.SourcesDirectory)/PSScriptAnalyzer" + Get-Location | out-string + Get-ChildItem | out-string + Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" ./build.ps1 Get-ChildItem -Recurse -File -Name | Write-Verbose -Verbose displayName: Execute build - pwsh: | - $signSrcPath = "$(Build.SourcesDirectory)/PSScriptAnalyzer/out" + $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out" # Set signing src path variable $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}" Write-Host "sending " + $vstsCommandString Write-Host "##$vstsCommandString" - $signOutPath = "$(Build.SourcesDirectory)/PSScriptAnalyzer/signed" + $signOutPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/signed" $null = New-Item -ItemType Directory -Path $signOutPath # Set signing out path variable $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}" @@ -103,7 +105,7 @@ stages: artifact: build displayName: Publish signed files - - publish: "$(Build.SourcesDirectory)/PSScriptAnalyzer/out" + - publish: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out" artifact: build displayName: publish out directory 
@@ -127,7 +129,7 @@ stages: - template: script-module-compliance.yml@ComplianceRepo parameters: # component-governance - sourceScanPath: '$(Build.SourcesDirectory)/PSScriptAnalyzer' + sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA' # credscan suppressionsFile: '$(Build.SourceDirectory)/PSScriptAnalyzer/tools/ReleaseBuild/CredScan.Suppressions.json' # TermCheck From 21a029a557dcd7a73ca53e7928447026bb181f8c Mon Sep 17 00:00:00 2001 From: James Truher Date: Wed, 6 Jan 2021 14:29:38 -0800 Subject: [PATCH 04/36] add debugging info --- .ci/releaseBuild.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 5af339b2e..6a063573d 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -36,8 +36,7 @@ stages: Get-Location | out-string Get-ChildItem | out-string Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" - ./build.ps1 - Get-ChildItem -Recurse -File -Name | Write-Verbose -Verbose + try { ./build.ps1 -Configuration Release } catch { throw $_ } finally { Get-ChildItem -Recurse -File -Name | Write-Verbose -Verbose } displayName: Execute build - pwsh: | From daadefcc6366483899b1c50d06fa3d1a8de9db2a Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 09:37:57 -0800 Subject: [PATCH 05/36] Be sure to build all versions --- .ci/releaseBuild.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 6a063573d..d69fb0de5 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml 
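Review bot: `catch { throw $_ }` in the new `Execute build` line is a no-op rethrow; `try { ./build.ps1 -Configuration Release } finally { Get-ChildItem -Recurse -File -Name | Write-Verbose -Verbose }` gives the same listing-on-exit behaviour with less to read. Note also that a non-zero exit from a native tool invoked inside `build.ps1` (for example `dotnet`) does not raise a PowerShell exception, so this step only fails on that path if `build.ps1` itself checks `$LASTEXITCODE`; that script is not shown here, so confirm it does or add `if ($LASTEXITCODE -ne 0) { throw "build failed ($LASTEXITCODE)" }` after the call.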
@@ -36,7 +36,7 @@ stages: Get-Location | out-string Get-ChildItem | out-string Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" - try { ./build.ps1 -Configuration Release } catch { throw $_ } finally { Get-ChildItem -Recurse -File -Name | Write-Verbose -Verbose } + try { ./build.ps1 -Configuration Release -All } catch { throw $_ } finally { Get-ChildItem -Recurse -File -Name | Write-Verbose -Verbose } displayName: Execute build - pwsh: | @@ -72,7 +72,7 @@ stages: certificateId: "CP-230012" # use minimatch because we need to exclude the NewtonSoft assembly useMinimatch: true - # the file pattern to use - exclude NewtonSoft + # the file pattern to use - newtonSoft is excluded pattern: | **\*.psd1 **\*.psm1 @@ -87,8 +87,8 @@ stages: signOutputPath: $(signOutPath) # the certificate ID to use # we'll need to change this to the 3rd party cert id - certificateId: "CP-230012" - # the file pattern to use - exclude newtonsoft + certificateId: "CP-231522" + # the file pattern to use - only sign newtonsoft pattern: 'Newtonsoft*.dll' - pwsh: | From 1faf27b74058e996772ba3172cc054332dcff656 Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 10:31:08 -0800 Subject: [PATCH 06/36] change debugging code for 'Copy signed files' --- .ci/releaseBuild.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index d69fb0de5..5a0d7e24e 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -92,7 +92,7 @@ stages: pattern: 'Newtonsoft*.dll' - pwsh: | - Set-Location "$(Build.SourcesDirectory)/signed" + Set-Location "$(Build.SourcesDirectory)" Get-ChildItem -recurse -file -name | Write-Verbose -Verbose displayName: Copy signed files From d47c013060a79a3bd953669bf7dcd3ccf4231784 Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 10:33:20 -0800 Subject: [PATCH 07/36] be sure to be in the correct location for creating the nupkg --- .ci/releaseBuild.yml | 1 + 1 file changed, 1 insertion(+) 
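Review bot: The comment `# we'll need to change this to the 3rd party cert id` is now stale: this hunk switches `certificateId` to `"CP-231522"` for the `Newtonsoft*.dll` step, so the comment should state the intent rather than a pending task, e.g. `# 3rd-party certificate: Newtonsoft.Json is not a Microsoft-authored assembly`. The same stale line is carried into the commented-out and re-enabled copies of this block in PATCH 23–26. Which ESRP certificate an ID maps to is not visible here, so the mapping itself should be confirmed against the ESRP configuration.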
diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 5a0d7e24e..fa24cb47c 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -97,6 +97,7 @@ stages: displayName: Copy signed files - pwsh: | + Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" ./build -BuildNupkg displayName: Create nupkg for publishing From fd6d5c2ee1a0d05f75fc0c4dd1fcffaf6dd58c3b Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 12:09:11 -0800 Subject: [PATCH 08/36] Change nupkg building logic --- build.ps1 | 10 ++++------ build.psm1 | 10 ++++------ 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/build.ps1 b/build.ps1 index 23ab938a1..11dc138fa 100644 --- a/build.ps1 +++ b/build.ps1 @@ -39,8 +39,7 @@ param( [Parameter(ParameterSetName='BuildAll')] [switch] $Catalog, - [Parameter(ParameterSetName='BuildAll')] - [Parameter(ParameterSetName='BuildOne')] + [Parameter(ParameterSetName='Package')] [switch] $BuildNupkg ) @@ -89,6 +88,9 @@ END { Install-DotNet return } + "Package" { + Start-CreatePackage + } "Test" { Test-ScriptAnalyzer -InProcess:$InProcess return @@ -97,8 +99,4 @@ END { throw "Unexpected parameter set '$setName'" } } - - if ( $BuildNupkg ) { - Start-CreatePackage - } } diff --git a/build.psm1 b/build.psm1 index 926cc01bb..44d04185b 100644 --- a/build.psm1 +++ b/build.psm1 
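Review bot: The new `"Package"` arm of the `switch` in `END` does not `return` after `Start-CreatePackage`, unlike the sibling `"Bootstrap"` and `"Test"` arms visible in the hunk; behaviour is the same because nothing follows the switch (the second hunk removes the trailing `if ( $BuildNupkg )` block), but `"Package" { Start-CreatePackage; return }` keeps the arms parallel and protects against code later added after the switch. The `END` block starts outside the hunk.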
@@ -761,16 +761,14 @@ function Copy-CrossCompatibilityModule
 function Start-CreatePackage
 {
 try {
- $repoPath = [io.path]::GetTempPath()
- $repoName = $repoPath.Replace(([io.path]::DirectorySeparatorChar),$null)
+ $repoName = [guid]::NewGuid().ToString()
 $nupkgDir = Join-Path $PSScriptRoot out
- $repo = Register-PSRepository -Name $repoName -PublishLocation $repoPath -InstallationPolicy Trusted -SourceLocation $repoPath
- Set-Location $nupkgDir
+ $null = Register-PSRepository -Name $repoName -InstallationPolicy Trusted -SourceLocation $nupkgDir
+ Push-Location $nupkgDir
 Publish-Module -Path $PWD/PSScriptAnalyzer -Repository $repoName
- Copy-Item $repoPath/*.nupkg $nupkgDir
 }
 finally {
+ Pop-Location
 Unregister-PSRepository -Name $repoName
- Remove-Item -Recurse $repoPath -WhatIf
 }
 }
From 57d4635e2ac1dae0affd071f364a363bbdf205fe Mon Sep 17 00:00:00 2001
From: James Truher
Date: Thu, 7 Jan 2021 13:51:55 -0800
Subject: [PATCH 09/36] make not finding dotnet.exe a non fatal error for loading the module

---
 build.psm1 | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/build.psm1 b/build.psm1
index 44d04185b..88b36f44a 100644
--- a/build.psm1
+++ b/build.psm1
@@ -708,7 +708,13 @@ function Get-DotnetExe
 Write-Warning "Could not find dotnet executable"
 return [String]::Empty
 }
-$script:DotnetExe = Get-DotnetExe
+
+try {
+ $script:DotnetExe = Get-DotnetExe
+}
+catch {
+ Write-Warning "Could not find dotnet executable"
+}
 
 # Copies the built PSCompatibilityCollector module to the output destination for PSSA
 function Copy-CrossCompatibilityModule
From 308f923198945c46c2b0e47b4eef67fb1109a252 Mon Sep 17 00:00:00 2001
From: James Truher
Date: Thu, 7 Jan 2021 14:59:54 -0800
Subject: [PATCH 10/36] fix path to suppression file

---
 .ci/releaseBuild.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml
index fa24cb47c..9e6c71a7a 100644
--- a/.ci/releaseBuild.yml
+++ b/.ci/releaseBuild.yml
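Review bot: `Register-PSRepository ... -InstallationPolicy Trusted` marks the throw-away repository as trusted although it is only ever published to, never installed from; the default (`Untrusted`) is sufficient for `Publish-Module` and avoids leaving a trusted file-share source registered if the `Unregister-PSRepository` in `finally` fails. The `finally` block also runs `Pop-Location` and `Unregister-PSRepository` unconditionally, so a failure in `Register-PSRepository` (before `Push-Location`) pops a location the caller pushed and raises a second, misleading error. Passing the path directly — `Publish-Module -Path (Join-Path $nupkgDir PSScriptAnalyzer) -Repository $repoName` — removes the Push/Pop pair entirely.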
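Review bot: The new `catch` block discards the exception and logs the same text that `Get-DotnetExe` already emits on its own not-found path (`Write-Warning "Could not find dotnet executable"` / `return [String]::Empty` are visible as context), so whatever actually threw is hidden and `$script:DotnetExe` is left unassigned rather than `[String]::Empty`, which is what the function returns when dotnet is absent. `catch { Write-Warning "Could not find dotnet executable: $_"; $script:DotnetExe = [String]::Empty }` keeps the diagnostic and the variable's contract consistent for callers that compare against the empty string.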
@@ -131,7 +131,7 @@ stages: # component-governance sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA' # credscan - suppressionsFile: '$(Build.SourceDirectory)/PSScriptAnalyzer/tools/ReleaseBuild/CredScan.Suppressions.json' + suppressionsFile: '$(Build.SourceDirectory)/OSS_Microsoft_PSSA/tools/ReleaseBuild/CredScan.Suppressions.json' # TermCheck optionsRulesDBPath: '' optionsFTPath: '' From 2d1f8f4e0ad941e8fcb75245c2e8b2fb5a2a0c6d Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 15:28:10 -0800 Subject: [PATCH 11/36] debugging statements for compliance --- .ci/releaseBuild.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 9e6c71a7a..51eb7ff6f 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -124,9 +124,11 @@ stages: - pwsh: | Get-ChildItem -Path "$(Pipeline.Workspace)\build" -Recurse + Get-Location + Get-ChildItem -Recurse -File -Name displayName: Capture downloaded artifacts - - template: script-module-compliance.yml@ComplianceRepo + - template: assembly-module-compliance.yml@ComplianceRepo parameters: # component-governance sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA' From 5495b95f38bf82908579550427995c930231b786 Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 16:13:37 -0800 Subject: [PATCH 12/36] fix typo for credscan suppressions Add binskim scan directory --- .ci/releaseBuild.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 51eb7ff6f..0c5bfe93b 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml 
@@ -132,8 +132,10 @@ stages: parameters: # component-governance sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA' + # binskim + AnalyzeTarget: '$(Pipeline.Workspace)\build\PSScriptAnalyzer' # credscan - suppressionsFile: '$(Build.SourceDirectory)/OSS_Microsoft_PSSA/tools/ReleaseBuild/CredScan.Suppressions.json' + suppressionsFile: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/tools/ReleaseBuild/CredScan.Suppressions.json' # TermCheck optionsRulesDBPath: '' optionsFTPath: '' From b535c722787e8b93509a92b7b61ecfd1305ed5c2 Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 16:45:40 -0800 Subject: [PATCH 13/36] Update to publish build directory Also publish nupkg directly from signed directory --- .ci/releaseBuild.yml | 4 ++++ build.ps1 | 7 +++++-- build.psm1 | 9 ++++++++- 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 0c5bfe93b..a52f06d05 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -101,6 +101,10 @@ stages: ./build -BuildNupkg displayName: Create nupkg for publishing + - publish: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" + artifact: build + displayName: publish build directory + - publish: "$(signSrcPath)" artifact: build displayName: Publish signed files diff --git a/build.ps1 b/build.ps1 index 11dc138fa..4f537214a 100644 --- a/build.ps1 +++ b/build.ps1 @@ -40,7 +40,10 @@ param( [switch] $Catalog, [Parameter(ParameterSetName='Package')] - [switch] $BuildNupkg + [switch] $BuildNupkg, + + [Parameter(ParameterSetName='Package')] + [switch] $Signed ) @@ -89,7 +92,7 @@ END { return } "Package" { - Start-CreatePackage + Start-CreatePackage -signed:$Signed } "Test" { Test-ScriptAnalyzer -InProcess:$InProcess diff --git a/build.psm1 b/build.psm1 index 88b36f44a..601e8b3e7 100644 --- a/build.psm1 +++ b/build.psm1 
@@ -766,9 +766,16 @@ function Copy-CrossCompatibilityModule # creates the nuget package which can be used for publishing to the gallery function Start-CreatePackage { + param ( [switch]$signed ) try { + if ( $signed ) { + $buildRoot = "signed" + } + else { + $buildRoot = "out" + } $repoName = [guid]::NewGuid().ToString() - $nupkgDir = Join-Path $PSScriptRoot out + $nupkgDir = Join-Path $PSScriptRoot $buildRoot $null = Register-PSRepository -Name $repoName -InstallationPolicy Trusted -SourceLocation $nupkgDir Push-Location $nupkgDir Publish-Module -Path $PWD/PSScriptAnalyzer -Repository $repoName From caf23fad9d65c6a05629f0be46432b32ab0448b5 Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 17:26:41 -0800 Subject: [PATCH 14/36] Be sure to publish the build directory and don't publish the out directory, publishing the signed directory is enough --- .ci/releaseBuild.yml | 9 +++------ build.psm1 | 1 + 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index a52f06d05..3d875da12 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -98,21 +98,18 @@ stages: - pwsh: | Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" - ./build -BuildNupkg + ./build -BuildNupkg -signed displayName: Create nupkg for publishing - publish: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" artifact: build displayName: publish build directory - - publish: "$(signSrcPath)" + # the signed files are the files used to create the nupkg + - publish: "$(signOutPath)" artifact: build displayName: Publish signed files - - publish: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out" - artifact: build - displayName: publish out directory - - stage: compliance displayName: Compliance dependsOn: Build diff --git a/build.psm1 b/build.psm1 index 601e8b3e7..05e437040 100644 --- a/build.psm1 +++ b/build.psm1 
@@ -774,6 +774,7 @@ function Start-CreatePackage else { $buildRoot = "out" } + wait-debugger $repoName = [guid]::NewGuid().ToString() $nupkgDir = Join-Path $PSScriptRoot $buildRoot $null = Register-PSRepository -Name $repoName -InstallationPolicy Trusted -SourceLocation $nupkgDir From f9231e5a9982dd4161de44cb072ee1081ef1e6e6 Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 17:51:09 -0800 Subject: [PATCH 15/36] published signed files need their own name --- .ci/releaseBuild.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 3d875da12..bf5a5574c 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -107,7 +107,7 @@ stages: # the signed files are the files used to create the nupkg - publish: "$(signOutPath)" - artifact: build + artifact: signed displayName: Publish signed files - stage: compliance From 91e0921736782a2860e5f47916a16e6427dab2ee Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 7 Jan 2021 19:26:32 -0800 Subject: [PATCH 16/36] add exception for README.md for cred scanner Fix up path for binskim --- .ci/releaseBuild.yml | 2 +- tools/releaseBuild/CredScan.Suppressions.json | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index bf5a5574c..f539124f0 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -134,7 +134,7 @@ stages: # component-governance sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA' # binskim - AnalyzeTarget: '$(Pipeline.Workspace)\build\PSScriptAnalyzer' + AnalyzeTarget: '$(Pipeline.Workspace)\build' # credscan suppressionsFile: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/tools/ReleaseBuild/CredScan.Suppressions.json' # TermCheck diff --git a/tools/releaseBuild/CredScan.Suppressions.json b/tools/releaseBuild/CredScan.Suppressions.json index 53b49888f..0a0e5db11 100644 --- a/tools/releaseBuild/CredScan.Suppressions.json 
+++ b/tools/releaseBuild/CredScan.Suppressions.json @@ -1,6 +1,8 @@ { "tool": "Credential Scanner", "suppressions": [ + { "file": "\\README.md", + "_justification": "The file refers to passwords but has no actual passwords" }, { "file": "\\Engine\\Settings\\desktop-4.0-windows.json", "_justification": "The file contains the list of all parameters of a cmdlet but no passwords are actually present." }, { "file": "\\Engine\\Settings\\desktop-3.0-windows.json", From 7fafc464ee5c58b4b7b765928cbbd41e303bc31d Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 09:01:35 -0800 Subject: [PATCH 17/36] try to get binskim to work with more direct path to assemblies --- .ci/releaseBuild.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index f539124f0..1f6559b6b 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -134,7 +134,7 @@ stages: # component-governance sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA' # binskim - AnalyzeTarget: '$(Pipeline.Workspace)\build' + AnalyzeTarget: '$(Pipeline.Workspace)\build\bin\PSV7Release\netcoreapp3.1\*.dll' # credscan suppressionsFile: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/tools/ReleaseBuild/CredScan.Suppressions.json' # TermCheck From 484c051bb9d46b98f910792bcee3067ac4d1fb74 Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 10:35:24 -0800 Subject: [PATCH 18/36] debugging to find issues with signing files --- .ci/releaseBuild.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 1f6559b6b..db4632300 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml 
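Review bot: Suppressing `\\README.md` by file path silences CredScan for the entire file, so a real secret pasted into the README later would also go unreported; CredScan suppressions also accept a per-finding `"hash"` entry for the specific match, which keeps the rest of the file scanned — prefer that form if the tool version in use supports it. The `"_justification"` text is adequate as written and should be kept with whichever form is used.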
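Review bot: Narrowing `AnalyzeTarget` to `...\bin\PSV7Release\netcoreapp3.1\*.dll` means BinSkim now inspects only one target framework's output, while the projects bumped in PATCH 01 build `netcoreapp3.1;net452` (and `netstandard2.0;net452` for the compatibility collector) and the build step runs with `-All`; the net452 assemblies, if they ship in the module, are no longer scanned. If the template passes the value through as a glob, `'$(Pipeline.Workspace)\build\bin\**\*.dll'` would cover every configuration and framework under `bin`; otherwise list each output folder explicitly.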
@@ -105,10 +105,19 @@ stages: artifact: build displayName: publish build directory + - publish: "$(System.ArtifactsDirectory)/signed" + artifact: signedartifacts + displayName: publish signed artifacts + # the signed files are the files used to create the nupkg - publish: "$(signOutPath)" artifact: signed displayName: Publish signed files + + # publish separately the nuget package + - publish: "$(signOutPath)\*.nupkg" + artifact: module + displayName: Publish module nupkg - stage: compliance displayName: Compliance From 8a6aeb2dbe48e44f1b405fe3aaf5f7ecea52f5f8 Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 10:36:50 -0800 Subject: [PATCH 19/36] fix typo --- .ci/releaseBuild.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index db4632300..1e99bbb37 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -115,7 +115,7 @@ stages: displayName: Publish signed files # publish separately the nuget package - - publish: "$(signOutPath)\*.nupkg" + - publish: "$(signOutPath)/*.nupkg" artifact: module displayName: Publish module nupkg From 0794d190dff6df307a741680a3d15357a7d03d84 Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 10:54:01 -0800 Subject: [PATCH 20/36] more debugging --- .ci/releaseBuild.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 1e99bbb37..e478d5d77 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -94,7 +94,7 @@ stages: - pwsh: | Set-Location "$(Build.SourcesDirectory)" Get-ChildItem -recurse -file -name | Write-Verbose -Verbose - displayName: Copy signed files + displayName: get file list - pwsh: | Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" 
@@ -105,9 +105,9 @@ stages: artifact: build displayName: publish build directory - - publish: "$(System.ArtifactsDirectory)/signed" - artifact: signedartifacts - displayName: publish signed artifacts + - publish: "$(System.ArtifactsDirectory)" + artifact: artifacts + displayName: publish artifacts # the signed files are the files used to create the nupkg - publish: "$(signOutPath)" From 39edbf640fa76ad820919f13e6b8497429a0e1b2 Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 11:06:14 -0800 Subject: [PATCH 21/36] remove debugging --- build.psm1 | 1 - 1 file changed, 1 deletion(-) diff --git a/build.psm1 b/build.psm1 index 05e437040..601e8b3e7 100644 --- a/build.psm1 +++ b/build.psm1 @@ -774,7 +774,6 @@ function Start-CreatePackage else { $buildRoot = "out" } - wait-debugger $repoName = [guid]::NewGuid().ToString() $nupkgDir = Join-Path $PSScriptRoot $buildRoot $null = Register-PSRepository -Name $repoName -InstallationPolicy Trusted -SourceLocation $nupkgDir From a55814b00f47ef9264c4c6c70e756db8fd0153e5 Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 11:19:38 -0800 Subject: [PATCH 22/36] remove publish of nupkg --- .ci/releaseBuild.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index e478d5d77..0e1e1ad3a 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -114,11 +114,6 @@ stages: artifact: signed displayName: Publish signed files - # publish separately the nuget package - - publish: "$(signOutPath)/*.nupkg" - artifact: module - displayName: Publish module nupkg - - stage: compliance displayName: Compliance dependsOn: Build From 275cbf20917bb7a2504f252bf0cf244061791339 Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 11:44:53 -0800 Subject: [PATCH 23/36] remove newtonsoft signing stage --- .ci/releaseBuild.yml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 0e1e1ad3a..98be45c12 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -79,17 +79,17 @@ stages: **\*.ps1xml **\Microsoft*.dll - - template: EsrpSign.yml@ComplianceRepo - parameters: - # the folder which contains the binaries to sign - buildOutputPath: $(signSrcPath) - # the location to put the signed output - signOutputPath: $(signOutPath) - # the certificate ID to use - # we'll need to change this to the 3rd party cert id - certificateId: "CP-231522" - # the file pattern to use - only sign newtonsoft - pattern: 'Newtonsoft*.dll' +# - template: EsrpSign.yml@ComplianceRepo +# parameters: +# # the folder which contains the binaries to sign +# buildOutputPath: $(signSrcPath) +# # the location to put the signed output +# signOutputPath: $(signOutPath) +# # the certificate ID to use +# # we'll need to change this to the 3rd party cert id +# certificateId: "CP-231522" +# # the file pattern to use - only sign newtonsoft +# pattern: 'Newtonsoft*.dll' - pwsh: | Set-Location "$(Build.SourcesDirectory)" From 3dab1f91046e9daf5d509c401727f80e4fd93fc3 Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 13:01:44 -0800 Subject: [PATCH 24/36] try the newton soft signing again --- .ci/releaseBuild.yml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 98be45c12..71c5b2578 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml 
@@ -79,17 +79,19 @@ stages: **\*.ps1xml **\Microsoft*.dll -# - template: EsrpSign.yml@ComplianceRepo -# parameters: -# # the folder which contains the binaries to sign -# buildOutputPath: $(signSrcPath) -# # the location to put the signed output -# signOutputPath: $(signOutPath) -# # the certificate ID to use -# # we'll need to change this to the 3rd party cert id -# certificateId: "CP-231522" -# # the file pattern to use - only sign newtonsoft -# pattern: 'Newtonsoft*.dll' + - template: EsrpSign.yml@ComplianceRepo + parameters: + # the folder which contains the binaries to sign + buildOutputPath: $(signSrcPath) + # the location to put the signed output + signOutputPath: $(signOutPath) + # the certificate ID to use + # we'll need to change this to the 3rd party cert id + certificateId: "CP-231522" + # the file pattern to use - only sign newtonsoft + pattern: 'Newtonsoft*.dll' + # don't copy the unsigned files + alwaysCopy: false - pwsh: | Set-Location "$(Build.SourcesDirectory)" From 29e870d54e1f2a80863841a80c08f648b74361ca Mon Sep 17 00:00:00 2001 From: James Truher Date: Fri, 8 Jan 2021 14:20:03 -0800 Subject: [PATCH 25/36] disable newtonsoft signing --- .ci/releaseBuild.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 71c5b2578..d3139aa3e 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml 
@@ -79,19 +79,19 @@ stages: **\*.ps1xml **\Microsoft*.dll - - template: EsrpSign.yml@ComplianceRepo - parameters: - # the folder which contains the binaries to sign - buildOutputPath: $(signSrcPath) - # the location to put the signed output - signOutputPath: $(signOutPath) - # the certificate ID to use - # we'll need to change this to the 3rd party cert id - certificateId: "CP-231522" - # the file pattern to use - only sign newtonsoft - pattern: 'Newtonsoft*.dll' - # don't copy the unsigned files - alwaysCopy: false +# - template: EsrpSign.yml@ComplianceRepo +# parameters: +# # the folder which contains the binaries to sign +# buildOutputPath: $(signSrcPath) +# # the location to put the signed output +# signOutputPath: $(signOutPath) +# # the certificate ID to use +# # we'll need to change this to the 3rd party cert id +# certificateId: "CP-231522" +# # the file pattern to use - only sign newtonsoft +# pattern: 'Newtonsoft*.dll' +# # don't copy the unsigned files +# alwaysCopy: false - pwsh: | Set-Location "$(Build.SourcesDirectory)" From 5e0a1de163f16cedd92449f79733b0d6bf2d8056 Mon Sep 17 00:00:00 2001 From: James Truher Date: Mon, 11 Jan 2021 11:57:24 -0800 Subject: [PATCH 26/36] try a 2 step process for signing --- .ci/releaseBuild.yml | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index d3139aa3e..c1c892abb 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml 
@@ -46,6 +46,13 @@ stages: Write-Host "sending " + $vstsCommandString Write-Host "##$vstsCommandString" + $signOutStep1 = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Step1" + $null = New-Item -ItemType Directory -Path $signOutStep1 + # Set signing out path variable + $vstsCommandString = "vso[task.setvariable variable=signOutStep1]${signOutStep1}" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + $signOutPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/signed" $null = New-Item -ItemType Directory -Path $signOutPath # Set signing out path variable @@ -67,7 +74,7 @@ stages: # the folder which contains the binaries to sign buildOutputPath: $(signSrcPath) # the location to put the signed output - signOutputPath: $(signOutPath) + signOutputPath: $(signOutStep1) # the certificate ID to use certificateId: "CP-230012" # use minimatch because we need to exclude the NewtonSoft assembly @@ -79,19 +86,17 @@ stages: **\*.ps1xml **\Microsoft*.dll -# - template: EsrpSign.yml@ComplianceRepo -# parameters: -# # the folder which contains the binaries to sign -# buildOutputPath: $(signSrcPath) -# # the location to put the signed output -# signOutputPath: $(signOutPath) -# # the certificate ID to use -# # we'll need to change this to the 3rd party cert id -# certificateId: "CP-231522" -# # the file pattern to use - only sign newtonsoft -# pattern: 'Newtonsoft*.dll' -# # don't copy the unsigned files -# alwaysCopy: false + - template: EsrpSign.yml@ComplianceRepo + parameters: + # the folder which contains the binaries to sign + buildOutputPath: $(signOutStep1) + # the location to put the signed output + signOutputPath: $(signOutPath) + # the certificate ID to use + # we'll need to change this to the 3rd party cert id + certificateId: "CP-231522" + # the file pattern to use - only sign newtonsoft + pattern: 'Newtonsoft*.dll' - pwsh: | Set-Location "$(Build.SourcesDirectory)" From f0d5e1cf17f7f82994298ce2e0b04e9ab5555e52 Mon Sep 17 00:00:00 2001 
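Review bot: In the third hunk the second signing step now reads from `$(signOutStep1)` and no longer passes `alwaysCopy: false`, so producing a complete `$(signOutPath)` depends on the template copying the already-signed, non-`Newtonsoft*.dll` files through unchanged; that default cannot be confirmed from this hunk and is the opposite of what the previous layout needed, so it deserves a comment such as `# relies on the template copying the non-matching (already signed) files from signOutStep1 into signOutPath`. In the first hunk the copied comment `# Set signing out path variable` above the `signOutStep1` setvariable should say it is the step-1 staging directory, otherwise the two blocks read as duplicates.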
From: James Truher Date: Mon, 11 Jan 2021 15:59:15 -0800 Subject: [PATCH 27/36] remove most of the debugging code Also try to publish just the nupkg --- .ci/releaseBuild.yml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index c1c892abb..14012fdaa 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -33,10 +33,8 @@ stages: - checkout: self - pwsh: | - Get-Location | out-string - Get-ChildItem | out-string Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" - try { ./build.ps1 -Configuration Release -All } catch { throw $_ } finally { Get-ChildItem -Recurse -File -Name | Write-Verbose -Verbose } + try { ./build.ps1 -Configuration Release -All } catch { throw $_ } displayName: Execute build - pwsh: | @@ -98,11 +96,6 @@ stages: # the file pattern to use - only sign newtonsoft pattern: 'Newtonsoft*.dll' - - pwsh: | - Set-Location "$(Build.SourcesDirectory)" - Get-ChildItem -recurse -file -name | Write-Verbose -Verbose - displayName: get file list - - pwsh: | Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" ./build -BuildNupkg -signed @@ -112,14 +105,10 @@ stages: artifact: build displayName: publish build directory - - publish: "$(System.ArtifactsDirectory)" - artifact: artifacts - displayName: publish artifacts - # the signed files are the files used to create the nupkg - - publish: "$(signOutPath)" - artifact: signed - displayName: Publish signed files + - publish: "$(signOutPath)/**/*.nupkg" + artifact: nupkg + displayName: Publish signed nupkg - stage: compliance displayName: Compliance From bb976f7597e1322b737f39f472d5f56107baaf99 Mon Sep 17 00:00:00 2001 From: James Truher Date: Mon, 11 Jan 2021 16:30:39 -0800 Subject: [PATCH 28/36] calculate version and publish nupkg --- .ci/releaseBuild.yml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 14012fdaa..5144e432d 100644 
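Review bot: In the first hunk, `try { ./build.ps1 -Configuration Release -All } catch { throw $_ }` catches an error only to rethrow it, so once the `finally` file listing is removed the wrapper adds nothing; `./build.ps1 -Configuration Release -All` on its own behaves the same, and if the intent is to fail the step on non-terminating errors that is governed by `$ErrorActionPreference` (which the pwsh task sets to stop by default), not by try/catch. Dropping the wrapper also makes the step read as the plain build invocation it is.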
--- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -63,6 +63,14 @@ stages: Write-Host "sending " + $vstsCommandString Write-Host "##$vstsCommandString" + # Get version and create a variable + $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1" + $moduleVersion = $moduleData.ModuleVersion + $vstsCommandString = "vso[task.setvariable variable variable=MODULE_VERSION]$moduleVersion" + Write-Host "sending " + $vstsCommandString + Write-Host "##$vstsCommandString" + + displayName: Setup variables for signing - checkout: ComplianceRepo @@ -105,10 +113,10 @@ stages: artifact: build displayName: publish build directory - # the signed files are the files used to create the nupkg - - publish: "$(signOutPath)/**/*.nupkg" + # export the nupkg only + - publish: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg" artifact: nupkg - displayName: Publish signed nupkg + displayName: Publish module nupkg - stage: compliance displayName: Compliance From 7f550321db2e285b395f101723286964c0c37456 Mon Sep 17 00:00:00 2001 From: James Truher Date: Mon, 11 Jan 2021 16:39:17 -0800 Subject: [PATCH 29/36] fix 1 for module version --- .ci/releaseBuild.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 5144e432d..67438449c 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -66,7 +66,7 @@ stages: # Get version and create a variable $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1" $moduleVersion = $moduleData.ModuleVersion - $vstsCommandString = "vso[task.setvariable variable variable=MODULE_VERSION]$moduleVersion" + $vstsCommandString = "vso[task.setvariable variable variable=moduleVersion]${moduleVersion}" Write-Host "sending " + $vstsCommandString Write-Host "##$vstsCommandString" From a66cb27114a9b8b12a963ce809ade0d3acda54cf Mon Sep 17 00:00:00 2001 
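Review bot: `$moduleVersion` is read from the manifest and spliced straight into the publish path `PSScriptAnalyzer.$(moduleVersion).nupkg` in the second hunk, but nothing checks that a value was actually obtained; if `ModuleVersion` were absent or the manifest path wrong, the setup step still succeeds and the problem only surfaces later as a missing-artifact failure with no hint of the cause. Adding `if (-not $moduleVersion) { throw 'ModuleVersion not found in Engine/PSScriptAnalyzer.psd1' }` before the setvariable line fails fast with a clear message. The step is still titled "Setup variables for signing" although this variable is for publishing, which is worth reflecting in the displayName.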
From: James Truher Date: Mon, 11 Jan 2021 16:40:24 -0800 Subject: [PATCH 30/36] typo for module version --- .ci/releaseBuild.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 67438449c..be5414079 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -66,7 +66,7 @@ stages: # Get version and create a variable $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1" $moduleVersion = $moduleData.ModuleVersion - $vstsCommandString = "vso[task.setvariable variable variable=moduleVersion]${moduleVersion}" + $vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}" Write-Host "sending " + $vstsCommandString Write-Host "##$vstsCommandString" From 2f1cf423fb23088e6a753f1bda42458c17da37bb Mon Sep 17 00:00:00 2001 From: James Truher Date: Tue, 12 Jan 2021 14:43:08 -0800 Subject: [PATCH 31/36] Add a lot of comments to the yaml --- .ci/releaseBuild.yml | 53 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 43 insertions(+), 10 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index be5414079..3441b87a5 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml @@ -1,4 +1,7 @@ +# The name of the build that will be seen in mscodehub name: PSSA-Release-$(Build.BuildId) +# how is the build triggered +# since this is a release build, no trigger as it's a manual release trigger: none pr: 
@@ -7,18 +10,26 @@ pr: - master - release* +# variables to set in the build environment variables: DOTNET_CLI_TELEMETRY_OPTOUT: 1 POWERSHELL_TELEMETRY_OPTOUT: 1 +# since this build relies on templates, we need access to those +# This needs a service connection in the build to work +# the *name* of the service connection must be the same as the endpoint resources: repositories: - repository: ComplianceRepo type: github endpoint: ComplianceGHRepo name: PowerShell/compliance + # this can be any branch of your choosing ref: master +# the stages in this build. There are 2 +# the assumption for script analyzer is that test is done as part of +# CI so we needn't do it here stages: - stage: Build displayName: Build @@ -27,16 +38,21 @@ stages: jobs: - job: Build_Job displayName: Build Microsoft.PowerShell.ScriptAnalyzer + # note the variable reference to ESRP. + # this must be created in Project -> Pipelines -> Library -> VariableGroups + # where it describes the link to the SigningServer variables: - group: ESRP steps: - checkout: self + # the steps for building the module go here - pwsh: | Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" try { ./build.ps1 -Configuration Release -All } catch { throw $_ } displayName: Execute build + # these are setting vso variables which will be persisted between stages - pwsh: | $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out" # Set signing src path variable 
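Review bot: The new comment `# this can be any branch of your choosing` beside `ref: master` understates the risk for a release pipeline: the EsrpSign.yml and compliance templates pulled from PowerShell/compliance run with the `ESRP` variable group in scope (second hunk), so tracking a moving branch means the signing logic can change between two release builds without any change in this repository. For reproducible releases `ref:` is better pinned to a tag or commit and bumped deliberately. At minimum the comment should say so, e.g. `# pin to a tag or commit for release builds; a branch ref lets the signing templates change underneath this pipeline`.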
@@ -73,8 +89,15 @@ stages: displayName: Setup variables for signing + # checkout the Compliance repository so it can be used to do the actual signing - checkout: ComplianceRepo + # in script analyzer, we must sign with 2 different certs + # the normal cert for MS created items and the 3rd party cert + # this the MS authored step + # Because this needs 2 certs, we do it in 2 steps. + # the first step signs the binaries and puts them in a staging directory which + # will then be used for the second step. - template: EsrpSign.yml@ComplianceRepo parameters: # the folder which contains the binaries to sign @@ -92,6 +115,11 @@ stages: **\*.ps1xml **\Microsoft*.dll + # this is the second step of the signing. + # note that the buildOutputPath (where we get the files to sign) + # is the same as the signOutputPath in the previous step + # at the end of this step we will have all the files signed that should be + # signOutPath is the location which contains the files we will use to make the module - template: EsrpSign.yml@ComplianceRepo parameters: # the folder which contains the binaries to sign 
@@ -104,20 +132,26 @@ stages: # the file pattern to use - only sign newtonsoft pattern: 'Newtonsoft*.dll' + # now create the nupkg which we will use to publish the module + # to the powershell gallery (not part of this yaml) - pwsh: | Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" ./build -BuildNupkg -signed displayName: Create nupkg for publishing + # finally publish the parts of the build which will be used in the next stages + # if it's not published, the subsequent stages will not be able to access it. + # This is the build directory (it contains all of the dll/pdb files) - publish: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA" artifact: build displayName: publish build directory - # export the nupkg only + # export the nupkg only which will be used in the release pipeline - publish: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg" artifact: nupkg displayName: Publish module nupkg +# Now on to the compliance stage - stage: compliance displayName: Compliance dependsOn: Build 
@@ -131,24 +165,23 @@ stages: - download: current artifact: build - - pwsh: | - Get-ChildItem -Path "$(Pipeline.Workspace)\build" -Recurse - Get-Location - Get-ChildItem -Recurse -File -Name - displayName: Capture downloaded artifacts - + # use the templates in the compliance repo + # since script analyzer has modules, we're using the assembly-module-compliance template + # if you don't have assemblies, you should use script-module-compliance template - template: assembly-module-compliance.yml@ComplianceRepo parameters: - # component-governance + # component-governance - the path to sources sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA' - # binskim + # binskim - this isn't recursive, so you need the path to the assemblies AnalyzeTarget: '$(Pipeline.Workspace)\build\bin\PSV7Release\netcoreapp3.1\*.dll' - # credscan + # credscan - scan the repo for credentials + # you can suppress some files with this. suppressionsFile: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/tools/ReleaseBuild/CredScan.Suppressions.json' # TermCheck optionsRulesDBPath: '' optionsFTPath: '' # tsa-upload + # the compliance scanning must be uploaded, which you need to request codeBaseName: 'PSSA_202004' # selections APIScan: false # set to false when not using Windows APIs. From b6415c310be205d653a1379d93391544dc8d58df Mon Sep 17 00:00:00 2001 From: James Truher Date: Wed, 13 Jan 2021 13:43:32 -0800 Subject: [PATCH 32/36] suppress warnings for using PSRepository cmdlets --- build.psm1 | 1 + 1 file changed, 1 insertion(+) diff --git a/build.psm1 b/build.psm1 index 601e8b3e7..d7a7347f3 100644 --- a/build.psm1 +++ b/build.psm1 @@ -766,6 +766,7 @@ function Copy-CrossCompatibilityModule # creates the nuget package which can be used for publishing to the gallery function Start-CreatePackage { + [System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseCompatibleCommands', '')] param ( [switch]$signed ) try { if ( $signed ) { 
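Review bot: The binskim `AnalyzeTarget` covers only `...\PSV7Release\netcoreapp3.1\*.dll`, and the new comment confirms the scan is not recursive, while the csproj hunks later on this page show the projects also target net452; unless those assemblies are scanned elsewhere, the net452 build output never goes through BinSkim. If the template accepts several targets or a wider glob, extending the pattern (or adding an entry for the net452 output directory, `<net452 output path>` here as a placeholder) would close that gap, and a comment noting which outputs are deliberately excluded would make the coverage explicit.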
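Review bot: The added `SuppressMessageAttribute('PSUseCompatibleCommands', '')` silences the rule for the whole function without recording why, so the next reader has to dig up this commit message to learn that the finding concerns the PSRepository cmdlets; the attribute's `Justification` property exists for that, e.g. `[System.Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseCompatibleCommands', '', Justification = 'PSRepository cmdlets are needed to build the nupkg and are not in the compatibility profiles')]`. Start-CreatePackage's body continues outside the hunk.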
From 43935ad1294feb1b25f1ba415781f57b91b2e506 Mon Sep 17 00:00:00 2001 From: James Truher Date: Wed, 10 Feb 2021 13:56:48 -0800 Subject: [PATCH 33/36] bump version to 1.20.0 --- Engine/Engine.csproj | 4 ++-- Engine/PSScriptAnalyzer.psd1 | 2 +- .../Microsoft.PowerShell.CrossCompatibility.csproj | 4 ++-- Rules/Rules.csproj | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/Engine/Engine.csproj b/Engine/Engine.csproj index b611b09f1..debb7c4ef 100644 --- a/Engine/Engine.csproj +++ b/Engine/Engine.csproj @@ -1,10 +1,10 @@  - 1.19.2 + 1.20.0 netcoreapp3.1;net452 Microsoft.Windows.PowerShell.ScriptAnalyzer - 1.19.2 + 1.20.0 Engine Microsoft.Windows.PowerShell.ScriptAnalyzer diff --git a/Engine/PSScriptAnalyzer.psd1 b/Engine/PSScriptAnalyzer.psd1 index 971fbab53..16eeb90ae 100644 --- a/Engine/PSScriptAnalyzer.psd1 +++ b/Engine/PSScriptAnalyzer.psd1 @@ -11,7 +11,7 @@ Author = 'Microsoft Corporation' RootModule = 'PSScriptAnalyzer.psm1' # Version number of this module. -ModuleVersion = '1.19.2' +ModuleVersion = '1.20.0' # ID used to uniquely identify this module GUID = 'd6245802-193d-4068-a631-8863a4342a18' diff --git a/PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj b/PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj index 81e58524f..6cbdf655d 100644 --- a/PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj +++ b/PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj @@ -1,9 +1,9 @@  - 1.19.2 + 1.20.0 netstandard2.0;net452 - 1.19.2 + 1.20.0 diff --git a/Rules/Rules.csproj b/Rules/Rules.csproj index b8b199f84..157f4467d 100644 --- a/Rules/Rules.csproj +++ b/Rules/Rules.csproj 
@@ -1,10 +1,10 @@  - 1.19.2 + 1.20.0 netcoreapp3.1;net452 Microsoft.Windows.PowerShell.ScriptAnalyzer.BuiltinRules - 1.19.2 + 1.20.0 Rules Microsoft.Windows.PowerShell.ScriptAnalyzer From debd5fca3f90b40d6fecc29caa5d34f24ffef594 Mon Sep 17 00:00:00 2001 From: James Truher Date: Thu, 11 Feb 2021 13:46:39 -0800 Subject: [PATCH 34/36] change to use allowlist in documentation and tests --- RuleDocumentation/AvoidUsingCmdletAliases.md | 2 +- Tests/Engine/Settings.tests.ps1 | 14 +++++++------- .../Issue828/PSScriptAnalyzerSettings.psd1 | 4 ++-- .../SettingsTest/Project1/ExplicitSettings.psd1 | 2 +- Tests/Rules/AvoidUsingAlias.tests.ps1 | 4 ++-- Tests/Rules/TestSettings/AvoidAliasSettings.psd1 | 4 ++-- 6 files changed, 15 insertions(+), 15 deletions(-) diff --git a/RuleDocumentation/AvoidUsingCmdletAliases.md b/RuleDocumentation/AvoidUsingCmdletAliases.md index a19cc32ef..46fcd2f2a 100644 --- a/RuleDocumentation/AvoidUsingCmdletAliases.md +++ b/RuleDocumentation/AvoidUsingCmdletAliases.md @@ -28,7 +28,7 @@ To prevent `PSScriptAnalyzer` from flagging your preferred aliases, create an al @{ 'Rules' = @{ 'PSAvoidUsingCmdletAliases' = @{ - 'Whitelist' = @('cd') + 'allowlist' = @('cd') } } } diff --git a/Tests/Engine/Settings.tests.ps1 b/Tests/Engine/Settings.tests.ps1 index e0845425c..2e95bdd04 100644 --- a/Tests/Engine/Settings.tests.ps1 +++ b/Tests/Engine/Settings.tests.ps1 @@ -109,7 +109,7 @@ Describe "Settings Class" { $settingsHashtable = @{ Rules = @{ PSAvoidUsingCmdletAliases = @{ - WhiteList = @("cd", "cp") + allowlist = @("cd", "cp") } } } 
@@ -117,15 +117,15 @@ Describe "Settings Class" { } It "Should return the rule arguments" { - $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["WhiteList"].Count | Should -Be 2 - $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["WhiteList"][0] | Should -Be "cd" - $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["WhiteList"][1] | Should -Be "cp" + $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["allowlist"].Count | Should -Be 2 + $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["allowlist"][0] | Should -Be "cd" + $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["allowlist"][1] | Should -Be "cp" } It "Should Be case insensitive" { - $settings.RuleArguments["psAvoidUsingCmdletAliases"]["whiteList"].Count | Should -Be 2 - $settings.RuleArguments["psAvoidUsingCmdletAliases"]["whiteList"][0] | Should -Be "cd" - $settings.RuleArguments["psAvoidUsingCmdletAliases"]["whiteList"][1] | Should -Be "cp" + $settings.RuleArguments["psAvoidUsingCmdletAliases"]["allowlist"].Count | Should -Be 2 + $settings.RuleArguments["psAvoidUsingCmdletAliases"]["allowlist"][0] | Should -Be "cd" + $settings.RuleArguments["psAvoidUsingCmdletAliases"]["allowlist"][1] | Should -Be "cp" } } diff --git a/Tests/Engine/SettingsTest/Issue828/PSScriptAnalyzerSettings.psd1 b/Tests/Engine/SettingsTest/Issue828/PSScriptAnalyzerSettings.psd1 index 0fd0abff9..bc9c33a89 100644 --- a/Tests/Engine/SettingsTest/Issue828/PSScriptAnalyzerSettings.psd1 +++ b/Tests/Engine/SettingsTest/Issue828/PSScriptAnalyzerSettings.psd1 @@ -15,7 +15,7 @@ } PSAvoidUsingCmdletAliases = @{ # only allowlist verbs from *-Object cmdlets - Whitelist = @( + allowlist = @( '%', '?', 'compare', @@ -60,4 +60,4 @@ CheckSeparator = $true } } -} \ No newline at end of file +} diff --git a/Tests/Engine/SettingsTest/Project1/ExplicitSettings.psd1 b/Tests/Engine/SettingsTest/Project1/ExplicitSettings.psd1 index 3e7c8caa3..29fb7bce2 100644 --- a/Tests/Engine/SettingsTest/Project1/ExplicitSettings.psd1 
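Review bot: Every test that exercised the legacy `WhiteList`/`whiteList` key is renamed to `allowlist`, so after this patch nothing verifies that existing user settings files using `Whitelist` still take effect, and because the patch touches only documentation, test scripts and test settings files (the Issue828, ExplicitSettings, AvoidUsingAlias and AvoidAliasSettings hunks included) whether the rule itself accepts both spellings cannot be seen here. If the old key is meant to keep working, keep one case such as `$settings.RuleArguments["PSAvoidUsingCmdletAliases"]["WhiteList"].Count | Should -Be 2` in a test named for backward compatibility; if it is intentionally dropped, the rule documentation hunk should say so, since settings using the old key would otherwise stop applying without any warning.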
+++ b/Tests/Engine/SettingsTest/Project1/ExplicitSettings.psd1 @@ -3,7 +3,7 @@ "ExcludeRules" = @("PSShouldProcess", "PSAvoidUsingWMICmdlet", "PSUseCmdletCorrectly") "rules" = @{ PSAvoidUsingCmdletAliases = @{ - WhiteList = @("cd", "cp") + allowlist = @("cd", "cp") } PSUseConsistentIndentation = @{ diff --git a/Tests/Rules/AvoidUsingAlias.tests.ps1 b/Tests/Rules/AvoidUsingAlias.tests.ps1 index ca16cf6a8..d1e29a4a1 100644 --- a/Tests/Rules/AvoidUsingAlias.tests.ps1 +++ b/Tests/Rules/AvoidUsingAlias.tests.ps1 @@ -73,7 +73,7 @@ Configuration MyDscConfiguration { $settings = @{ 'Rules' = @{ 'PSAvoidUsingCmdletAliases' = @{ - 'Whitelist' = @('cd') + 'allowlist' = @('cd') } } } @@ -83,7 +83,7 @@ Configuration MyDscConfiguration { $settings = @{ 'Rules' = @{ 'PSAvoidUsingCmdletAliases' = @{ - 'Whitelist' = @('cd') + 'allowlist' = @('cd') } } } diff --git a/Tests/Rules/TestSettings/AvoidAliasSettings.psd1 b/Tests/Rules/TestSettings/AvoidAliasSettings.psd1 index e5a4cb1af..ada212196 100644 --- a/Tests/Rules/TestSettings/AvoidAliasSettings.psd1 +++ b/Tests/Rules/TestSettings/AvoidAliasSettings.psd1 @@ -1,7 +1,7 @@ @{ 'Rules' = @{ 'PSAvoidUsingCmdletAliases' = @{ - 'Whitelist' = @('cd') + 'allowlist' = @('cd') } } -} \ No newline at end of file +} From c0714ab061657fb1416c2c69a8c4faab7568f9fa Mon Sep 17 00:00:00 2001 From: "James Truher [MSFT]" Date: Wed, 21 Apr 2021 14:12:22 -0700 Subject: [PATCH 35/36] Update .ci/releaseBuild.yml Co-authored-by: Robert Holt --- .ci/releaseBuild.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 3441b87a5..3127bba15 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml 
@@ -57,7 +57,7 @@ stages: $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out" # Set signing src path variable $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}" - Write-Host "sending " + $vstsCommandString + Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" $signOutStep1 = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Step1" From 6edaba1c8dada1ae779eae12a36cbbb12b9adff5 Mon Sep 17 00:00:00 2001 From: Robert Holt Date: Wed, 21 Apr 2021 14:22:30 -0700 Subject: [PATCH 36/36] Apply suggestions from code review --- .ci/releaseBuild.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.ci/releaseBuild.yml b/.ci/releaseBuild.yml index 3127bba15..ac5cf74c7 100644 --- a/.ci/releaseBuild.yml +++ b/.ci/releaseBuild.yml 
@@ -64,26 +64,26 @@ stages: $null = New-Item -ItemType Directory -Path $signOutStep1 # Set signing out path variable $vstsCommandString = "vso[task.setvariable variable=signOutStep1]${signOutStep1}" - Write-Host "sending " + $vstsCommandString + Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" $signOutPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/signed" $null = New-Item -ItemType Directory -Path $signOutPath # Set signing out path variable $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}" - Write-Host "sending " + $vstsCommandString + Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" # Set path variable for guardian codesign validation $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${signOutPath}" - Write-Host "sending " + $vstsCommandString + Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString" # Get version and create a variable $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1" $moduleVersion = $moduleData.ModuleVersion $vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}" - Write-Host "sending " + $vstsCommandString + Write-Host "sending $vstsCommandString" Write-Host "##$vstsCommandString"