[ci] Run Policheck as part of code analysis job (#4882)

Fixes: https://devdiv.visualstudio.com/DevDiv/_workitems/edit/1128206

Context: xamarin/yaml-templates#42
Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/2704/Policheck
Context: https://microsoft.sharepoint.com/sites/globalreadiness/PublicDocuments/Forms/AllItems.aspx?id=%2Fsites%2Fglobalreadiness%2FPublicDocuments%2FPoliCheckSOMUserDocumentation%2FPoliCheckHelp%5Fv5%2E9%2E4%2Epdf&parent=%2Fsites%2Fglobalreadiness%2FPublicDocuments%2FPoliCheckSOMUserDocumentation

"Policheck is a text scanning tool designed to locate sensitive words
and phrases in Microsoft content".

Support for running Policheck has been added to our code analysis
job.  Initial results from running this tool reported 27 failures,
which are all present in external sources and have been added to an
exclusion list, `build-tools/automation/PoliCheckExclusions.xml`.

All code analysis steps and reporting for the xamarin-android pipeline
previously lived in the [`security/xa-static-analysis/v2.yml`][0]
template, but the content of that file is no longer well suited for a
template.  Rather than creating another version of this template in
the `yaml-templates` repo, the core logic has been moved here.

[0]: https://github.com/xamarin/yaml-templates/blob/d6db4a894be2271e3eb8f1faa1260c056cafa1c9/security/xa-static-analysis/v2.yml

build-tools/automation/PoliCheckExclusions.xml

@@ -0,0 +1,10 @@
+<PoliCheckExclusions>
+  <!-- Each of these exclusions is a folder name - if \[name]\ exists in the file path, it will be skipped -->
+  <Exclusion Type="FolderPathFull">NREFACTORY</Exclusion>
+  <!-- Each of these exclusions is a folder name - if any folder or file starts with "\[name]", it will be skipped -->
+  <!--<Exclusion Type="FolderPathStart">ABC|XYZ</Exclusion>-->
+  <!-- Each of these file types will be completely skipped for the entire scan -->
+  <!--<Exclusion Type="FileType">.ABC|.XYZ</Exclusion>-->
+  <!-- The specified file names will be skipped during the scan regardless which folder they are in -->
+  <Exclusion Type="FileName">REMAINING-INT-CONSTS.TXT|TAIWANCALENDAR.XML|XAMARIN-ANDROID-SDK-9.XML|SQLITE3.C|MAP.CSV</Exclusion>
+</PoliCheckExclusions>

build-tools/automation/azure-pipelines.yaml

@@ -69,18 +69,43 @@ stages:
 - stage: code_analysis
   displayName: Code Analysis
   jobs:
-  # Check - "Xamarin.Android (Code Analysis CredScan)"
+  # Check - "Xamarin.Android (Code Analysis CredScan and PoliCheck)"
   - job: run_static_analysis
-    displayName: CredScan
+    displayName: CredScan and PoliCheck
     pool: $(HostedWinVS2019)
     timeoutInMinutes: 60
     cancelTimeoutInMinutes: 5
     steps:
     - checkout: self
       submodules: recursive
-    - template: security\xa-static-analysis\v2.yml@yaml
+
+    - template: security\credscan\v2.yml@yaml
+      parameters:
+        suppressionsFile: $(System.DefaultWorkingDirectory)\build-tools\automation\CredScanSuppressions.json
+
+    - template: security\policheck\v1.yml@yaml
       parameters:
-        credScanSuppressionsFile: $(System.DefaultWorkingDirectory)\build-tools\automation\CredScanSuppressions.json
+        exclusionFile: $(System.DefaultWorkingDirectory)\build-tools\automation\PoliCheckExclusions.xml
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1
+      displayName: Create Security Analysis Report
+      inputs:
+        CredScan: true
+        PoliCheck: true
+      condition: succeededOrFailed()
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
+      displayName: Publish Security Analysis Logs
+      inputs:
+        ArtifactName: CodeAnalysisLogs
+      condition: succeededOrFailed()
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@1
+      displayName: Fail Job if Security Issues are Detected
+      inputs:
+        CredScan: true
+        PoliCheck: true
+      condition: succeededOrFailed()
 
 - stage: mac_build
   displayName: Mac