[ci] Use compliance stage template (#7818)

Context: https://github.com/xamarin/yaml-templates/blob/b186f6181c088c34bbf5dd210a343598f3e45489/security/full/v0.yml

Updates our compliance stage to use the universal compliance template,
ensuring that we run all required tasks and their latest versions.

The `policheck-rules-db.mdb` file has been replaced with `.gdnsuppress`
files, which are generated by the compliance build.  These files provide
a more convenient way to exclude specific "invalid" PoliCheck failures.
If a new PoliCheck failure arises in the future that should be excluded,
we can copy the entry for it from the `.gdnsuppress` file produced by
the build and add it to the file we have in our sources.

build-tools/automation/azure-pipelines.yaml

@@ -1147,54 +1147,26 @@ stages:
       packageFilter: '*.nupkg;*.msi;*.pkg;*.vsix'
       GitHub.Token: $(GitHub.Token)
 
-- stage: tenets
-  dependsOn: []
-  displayName: Tenets
-  jobs:
-  # Check - "Xamarin.Android (Tenets Code Analysis)"
-  - job: run_static_analysis
-    displayName: Code Analysis
-    pool:
-      vmImage: $(HostedWinImage)
-    timeoutInMinutes: 60
-    cancelTimeoutInMinutes: 5
-    steps:
-    - checkout: self
-      submodules: recursive
-
-    - template: security\credscan\v2.yml@yaml-templates
-      parameters:
-        suppressionsFile: $(System.DefaultWorkingDirectory)\build-tools\automation\CredScanSuppressions.json
-
-    - template: security\policheck\v1.yml@yaml-templates
-      parameters:
-        exclusionFile: $(System.DefaultWorkingDirectory)\build-tools\automation\PoliCheckExclusions.xml
-        pE: 1|2|3|4
-        rulesDBPath: $(System.DefaultWorkingDirectory)\build-tools\automation\policheck-rules-db.mdb
-
-    - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
-      displayName: Run AntiMalware (Defender) Scan
-      inputs:
-        FileDirPath: $(System.DefaultWorkingDirectory)
-        EnableServices: true
-      condition: succeededOrFailed()
-
-    - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1
-      displayName: Create Security Analysis Report
-      inputs:
-        CredScan: true
-        PoliCheck: true
-      condition: succeededOrFailed()
-
-    - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
-      displayName: Publish Security Analysis Logs
-      inputs:
-        ArtifactName: CodeAnalysisLogs
-      condition: succeededOrFailed()
-
-    - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
-      displayName: Fail Job if Security Issues are Detected
-      inputs:
-        CredScan: true
-        PoliCheck: true
-      condition: succeededOrFailed()
+# Check - "Xamarin.Android (Compliance)"
+- template: security/full/v0.yml@yaml-templates
+  parameters:
+    stageDependsOn: []
+    credScanSuppressionFile: $(Build.SourcesDirectory)\build-tools\automation\guardian\CredScanSuppressions.json
+    sourceGdnSuppressionFile: $(Build.SourcesDirectory)\build-tools\automation\guardian\source.gdnsuppress
+    tsaConfigFile: $(Build.SourcesDirectory)\build-tools\automation\guardian\tsaoptions-v2.json
+    policheckLocScanEnabled: true
+    policheckExclusionFilesFolder: $(Build.SourcesDirectory)\build-tools\automation\guardian
+    policheckGdnSuppressionFilesFolder: $(Build.SourcesDirectory)\build-tools\automation\guardian
+    policheckChsScanFolder: $(Build.SourcesDirectory)\Localize\loc\zh-Hans
+    policheckChtScanFolder: $(Build.SourcesDirectory)\Localize\loc\zh-Hant
+    policheckCsyScanFolder: $(Build.SourcesDirectory)\Localize\loc\cs
+    policheckDeuScanFolder: $(Build.SourcesDirectory)\Localize\loc\de
+    policheckEsnScanFolder: $(Build.SourcesDirectory)\Localize\loc\es
+    policheckFraScanFolder: $(Build.SourcesDirectory)\Localize\loc\fr
+    policheckItaScanFolder: $(Build.SourcesDirectory)\Localize\loc\it
+    policheckJpnScanFolder: $(Build.SourcesDirectory)\Localize\loc\ja
+    policheckKorScanFolder: $(Build.SourcesDirectory)\Localize\loc\ko
+    policheckPlkScanFolder: $(Build.SourcesDirectory)\Localize\loc\pl
+    policheckPtbScanFolder: $(Build.SourcesDirectory)\Localize\loc\pt-BR
+    policheckRusScanFolder: $(Build.SourcesDirectory)\Localize\loc\ru
+    policheckTrkScanFolder: $(Build.SourcesDirectory)\Localize\loc\tr

build-tools/automation/guardian/CHT.gdnsuppress

@@ -0,0 +1,26 @@
+{
+  "version": "latest",
+  "suppressionSets": {
+    "default": {
+      "name": "default",
+      "createdDate": "2023-02-24 00:05:39Z",
+      "lastUpdatedDate": "2023-02-24 00:05:39Z"
+    }
+  },
+  "results": {
+    "04910d714a13bf4523ffa77350f654f52114fa4fa3d760c9f63186d41716c019": {
+      "signature": "04910d714a13bf4523ffa77350f654f52114fa4fa3d760c9f63186d41716c019",
+      "alternativeSignatures": [],
+      "target": "Localize/loc/zh-Hant/src/Xamarin.Android.Build.Tasks/Properties/Resources.resx.lcl",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "64550",
+      "justification": "Reference to the Android package format APK.",
+      "createdDate": "2023-02-24 00:05:39Z",
+      "expirationDate": null,
+      "type": null
+    }
+  }
+}

build-tools/automation/PoliCheckExclusions.xml → build-tools/automation/guardian/PoliCheck.Exclusions.xml

@@ -1,10 +1,13 @@
 <PoliCheckExclusions>
   <!-- Each of these exclusions is a folder name - if \[name]\ exists in the file path, it will be skipped -->
-  <Exclusion Type="FolderPathFull">NREFACTORY</Exclusion>
+  <Exclusion Type="FolderPathFull">LICENSE-DATA|NREFACTORY|LOCALIZE</Exclusion>
   <!-- Each of these exclusions is a folder name - if any folder or file starts with "\[name]", it will be skipped -->
   <!--<Exclusion Type="FolderPathStart">ABC|XYZ</Exclusion>-->
   <!-- Each of these file types will be completely skipped for the entire scan -->
   <!--<Exclusion Type="FileType">.ABC|.XYZ</Exclusion>-->
   <!-- The specified file names will be skipped during the scan regardless which folder they are in -->
-  <Exclusion Type="FileName">REMAINING-INT-CONSTS.TXT|TAIWANCALENDAR.XML|XAMARIN-ANDROID-SDK-9.XML|SQLITE3.C|MAP.CSV</Exclusion>
+  <Exclusion Type="FileName">REMAINING-INT-CONSTS.TXT|TAIWANCALENDAR.XML|XAMARIN-ANDROID-SDK-9.XML|SQLITE3.C|MAP.CSV|METHODMAP.EXT.CSV|EXTERNALWHITELIST.CSV|SYMBOLARCHIVEWHITELIST.CSV|POLICHECK.EXCLUSIONS.xml
+|API-10.PARAMS.TXT|API-15.PARAMS.TXT|API-16.PARAMS.TXT|API-17.PARAMS.TXT|API-18.PARAMS.TXT|API-19.PARAMS.TXT|API-20.PARAMS.TXT|API-21.PARAMS.TXT|API-22.PARAMS.TXT|API-23.PARAMS.TXT|API-24.PARAMS.TXT
+|API-25.PARAMS.TXT|API-26.PARAMS.TXT|API-27.PARAMS.TXT|API-28.PARAMS.TXT|API-29.PARAMS.TXT|API-30.PARAMS.TXT|API-31.PARAMS.TXT|API-32.PARAMS.TXT|API-33.PARAMS.TXT
+  </Exclusion>
 </PoliCheckExclusions>

build-tools/automation/guardian/source.gdnsuppress

@@ -0,0 +1,236 @@
+{
+  "version": "latest",
+  "suppressionSets": {
+    "default": {
+      "name": "default",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "lastUpdatedDate": "2023-02-22 23:55:29Z"
+    }
+  },
+  "results": {
+    "5a0a8690d8a06dfdbf6002c67fa64a60a94f3fc77a594034cce20382e88002aa": {
+      "signature": "5a0a8690d8a06dfdbf6002c67fa64a60a94f3fc77a594034cce20382e88002aa",
+      "alternativeSignatures": [],
+      "target": "src/Xamarin.Android.Build.Tasks/Xamarin.Android.Build.Tasks.csproj",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "79459",
+      "justification": "Reference to an external source file.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "1b319055b8e507b220d0dab341e67e20f49632fd1844a08a4fcc6d4493930ac5": {
+      "signature": "1b319055b8e507b220d0dab341e67e20f49632fd1844a08a4fcc6d4493930ac5",
+      "alternativeSignatures": [],
+      "target": "src/Xamarin.Android.Build.Tasks/Xamarin.Android.Build.Tasks.csproj",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "79459",
+      "justification": "Reference to an external source file.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "6789cab1bdc97b0cc3ad057b7fdd21d63cdf8bc2679391923803fa240ef81292": {
+      "signature": "6789cab1bdc97b0cc3ad057b7fdd21d63cdf8bc2679391923803fa240ef81292",
+      "alternativeSignatures": [],
+      "target": "Documentation/guides/building-apps/build-properties.md",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "185843",
+      "justification": "Reference to an ISCII term.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "bbaf5f946cb72748567e41f0df5f1bae05550f4ba7381e21ec6b26d6c3ecec9f": {
+      "signature": "bbaf5f946cb72748567e41f0df5f1bae05550f4ba7381e21ec6b26d6c3ecec9f",
+      "alternativeSignatures": [],
+      "target": "Documentation/guides/building-apps/build-properties.md",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "185837",
+      "justification": "Reference to an ISCII term.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "db8916a0f0cdca4082c540921dd362e09a9ff413862ab826308411b76ee35789": {
+      "signature": "db8916a0f0cdca4082c540921dd362e09a9ff413862ab826308411b76ee35789",
+      "alternativeSignatures": [],
+      "target": "src/Mono.Android/Android.Util/Log.cs",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "80418",
+      "justification": "Reference to an Android logging function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "58fab4dfef38677720e955e546a6af108332c65daafb0d043ad9d93442300a30": {
+      "signature": "58fab4dfef38677720e955e546a6af108332c65daafb0d043ad9d93442300a30",
+      "alternativeSignatures": [],
+      "target": "src/Mono.Android/Android.Util/Log.cs",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "80418",
+      "justification": "Reference to an Android logging function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "b07e75fc8a506b94690dbd06877da06c1228e40e7deda3967f6b882b842f726d": {
+      "signature": "b07e75fc8a506b94690dbd06877da06c1228e40e7deda3967f6b882b842f726d",
+      "alternativeSignatures": [],
+      "target": "src/Mono.Android/Android.Util/Log.cs",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "80418",
+      "justification": "Reference to an Android logging function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "87d8313310c2dd42021844b95bdcb9121bf10036fea5b212b945e0732a456e5a": {
+      "signature": "87d8313310c2dd42021844b95bdcb9121bf10036fea5b212b945e0732a456e5a",
+      "alternativeSignatures": [],
+      "target": "src/Mono.Android/Android.Util/Log.cs",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "80418",
+      "justification": "Reference to an Android logging function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "8e5400e0233c8d887ad48bd8a48e8a7be5a579f9eefad521419b6df0828bbfac": {
+      "signature": "8e5400e0233c8d887ad48bd8a48e8a7be5a579f9eefad521419b6df0828bbfac",
+      "alternativeSignatures": [],
+      "target": "src/Mono.Android/Android.Util/Log.cs",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "80418",
+      "justification": "Reference to an Android logging function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "06af52be6b6f87455b1db2eb6e631e783f1dacaf607c9b5f34cdee669992c8b5": {
+      "signature": "06af52be6b6f87455b1db2eb6e631e783f1dacaf607c9b5f34cdee669992c8b5",
+      "alternativeSignatures": [],
+      "target": "src/Mono.Android/Android.Util/Log.cs",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "80418",
+      "justification": "Reference to an Android logging function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "a2b4d032c59a9d1211d218c3cd550cf8febb369941d70284d07d03ebee855bc0": {
+      "signature": "a2b4d032c59a9d1211d218c3cd550cf8febb369941d70284d07d03ebee855bc0",
+      "alternativeSignatures": [],
+      "target": "src/monodroid/jni/logger.cc",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "79668",
+      "justification": "Reference to find first set bit function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "1c87b45a6044d205dc3f3562f349c238f7cabe22b4609da762df9dc44151e9fb": {
+      "signature": "1c87b45a6044d205dc3f3562f349c238f7cabe22b4609da762df9dc44151e9fb",
+      "alternativeSignatures": [],
+      "target": "src/monodroid/jni/logger.cc",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "79668",
+      "justification": "Reference to find first set bit function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "a6639098c4785509a4215c9e2fc10f82c06fce461915dc11a00227ddec558845": {
+      "signature": "a6639098c4785509a4215c9e2fc10f82c06fce461915dc11a00227ddec558845",
+      "alternativeSignatures": [],
+      "target": "src/monodroid/jni/logger.cc",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "79668",
+      "justification": "Reference to find first set bit function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "d6b3df0b1d35cb4acec6a954acc145c9ec22041cd463b94ff080682c65a9bd62": {
+      "signature": "d6b3df0b1d35cb4acec6a954acc145c9ec22041cd463b94ff080682c65a9bd62",
+      "alternativeSignatures": [],
+      "target": "src/monodroid/jni/logger.cc",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "79668",
+      "justification": "Reference to find first set bit function.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "b34b42aa41018376a31460c142f2ae910704725d9e9a4470f92b587df682369b": {
+      "signature": "b34b42aa41018376a31460c142f2ae910704725d9e9a4470f92b587df682369b",
+      "alternativeSignatures": [],
+      "target": "src/Xamarin.Android.Build.Tasks/Tasks/Aapt2.cs",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "80411",
+      "justification": "Reference to output from an external tool.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    },
+    "75474fa652dbbf8f96826100a5fe37ba686a032ca07d61ef68a79c8e4412c150": {
+      "signature": "75474fa652dbbf8f96826100a5fe37ba686a032ca07d61ef68a79c8e4412c150",
+      "alternativeSignatures": [],
+      "target": "src/Xamarin.Android.Build.Tasks/Linker/MonoDroid.Tuner/Linker.cs",
+      "memberOf": [
+        "default"
+      ],
+      "tool": "policheck",
+      "ruleId": "79459",
+      "justification": "Reference to an external source file.",
+      "createdDate": "2023-02-22 23:55:29Z",
+      "expirationDate": null,
+      "type": null
+    }
+  }
+}

build-tools/automation/guardian/tsaoptions-v2.json

@@ -0,0 +1,11 @@
+{
+  "codebaseName": "xamarin.android_main",
+  "notificationAliases": [
+      "dotnet-android-eng@microsoft.com"
+  ],
+  "instanceUrl": "https://devdiv.visualstudio.com/",
+  "projectName": "DevDiv",
+  "areaPath": "DevDiv\\VS Client - Runtime SDKs\\Android",
+  "iterationPath": "DevDiv",
+  "allTools": true
+}