
Enable BinSkim for the product repos #2661

Closed
16 tasks done
Tracked by #2647
andriipatsula opened this issue Jun 15, 2023 · 11 comments
Labels
area-product-construction Issues owned by the Product Construction team. Used to label epics and untriaged, loose issues.

Comments

andriipatsula (Member) commented Jun 15, 2023

SDL config example: https://github.com/dotnet/runtime/blob/main/eng/sdl-tsa-vars.config
Build pipeline example: https://github.com/dotnet/windowsdesktop/blob/main/azure-pipelines.yml#L100-L103

List of product repos that have nightly validation

Product repos that run SDL validation in-line in their builds:

Additional product repos (no SDL enabled for these repos).

We are not enabling BinSkim for these repos (based on the discussion with mmitche).

andriipatsula changed the title from "Update the config of the SDL runs in product repos." to "Update the SDL config to run binskim in product repos." on Jun 15, 2023
andriipatsula added the area-product-construction label (Issues owned by the Product Construction team. Used to label epics and untriaged, loose issues.) on Jun 15, 2023
andriipatsula (Member Author) commented

MilenaHristova (Member) commented

The validation pipeline runs for a list of repos that's specified in https://dev.azure.com/dnceng/internal/_git/dotnet-release?path=/eng/pipeline/tools/repos-to-validate.txt

MilenaHristova changed the title from "Update the SDL config to run binskim in product repos." to "Update the SDL config to run binskim in nightly validation pipeline." on Jun 23, 2023
andriipatsula (Member Author) commented Jun 30, 2023

andriipatsula (Member Author) commented Jul 20, 2023

@MilenaHristova are we going to enable Binskim for dotnet/arcade-services? https://github.com/dotnet/arcade-services/blob/main/azure-pipelines.yml

andriipatsula (Member Author) commented Jul 20, 2023

andriipatsula (Member Author) commented Jul 20, 2023

You can search for all repos using this query: https://github.com/search?q=repo%3Adotnet%2Fdotnet+%22%5C%22policheck%5C%22%22&type=code

MilenaHristova (Member) commented

@andriipatsula good question. My understanding was that we need to run it on the assets that are shipped as part of .NET.

MilenaHristova (Member) commented Jul 20, 2023

tkapin changed the title from "Update the SDL config to run binskim in nightly validation pipeline." to "Enable BinSkim for the product repos" on Jul 28, 2023
MilenaHristova (Member) commented

BinSkim is now enabled for the full list of repos.

NikolaMilosavljevic (Member) commented

@MilenaHristova @andriipatsula we need to enable Binskim in the dotnet/deployment-tools repo. I looked at changes in some of the repos and it seems that this should be as simple as adding a single line to eng/sdl-tsa-vars.config:

-ArtifactToolsList @("binskim")

Is this all that's necessary for Binskim in the deployment-tools repo?

andriipatsula (Member Author) commented Aug 30, 2023

Hello @NikolaMilosavljevic, in your particular case you need to modify azure-pipelines.yml#L105-L106:

  1. Enable SDL validation (you have policheck and credscan specified in the configuration, but they are not enabled).
  2. Add two lines to your pipeline as was done for the dotnet/roslyn repository: azure-pipelines-official.yml#L393-L394

Development

No branches or pull requests

3 participants