Insert Windows Engineering C++ Compliance Task into Pipelines #10735

Closed
miniksa opened this issue Jul 20, 2021 · 3 comments · Fixed by #11849
Labels
- Area-Build: Issues pertaining to the build system, CI, infrastructure, meta
- Issue-Task: It's a feature request, but it doesn't really need a major design.
- Product-Meta: The product is the management of the products.
- Resolution-Fix-Committed: Fix is checked in, but it might be 3-4 weeks until a release.

Comments

@miniksa
Member

miniksa commented Jul 20, 2021

Windows engineering compliance requires us to add a task to our pipelines to validate that our code builds with the appropriate compiler/linker options for operating system inclusion. This task represents inserting that task into our pipeline. Follow-ons will likely be required for mitigating the warnings/errors and correcting our code or requesting exemptions formally.

@miniksa miniksa added Area-Build Issues pertaining to the build system, CI, infrastructure, meta Product-Meta The product is the management of the products. Issue-Task It's a feature request, but it doesn't really need a major design. labels Jul 20, 2021
@miniksa miniksa added this to the Terminal v1.11 milestone Jul 20, 2021
@miniksa miniksa self-assigned this Jul 20, 2021
@ghost ghost added the Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting label Jul 20, 2021
@miniksa miniksa removed the Needs-Triage It's a new issue that the core contributor team needs to triage at the next triage meeting label Jul 20, 2021
@lhecker
Member

lhecker commented Aug 2, 2021

In testing I found that /O2 has the following benefits over the default /Oxs for conhost:

  • +13% overall throughput with termbench in ConPTY
  • -2% binary size -- We make heavy use of C++ templates throughout conhost. I assume that due to this, /O2, despite not using /Os, produces smaller binaries, as /O2 implies /Gy and /GF, which allow the many template instances to be deduplicated.

@miniksa
Member Author

miniksa commented Aug 20, 2021

The PkgES side of this particular task will not be updated to fix its blocking issues in time for me to call this 1.11 so kicking it out.

@ghost ghost added the In-PR This issue has a related PR label Dec 15, 2021
@ghost ghost closed this as completed in #11849 Jan 5, 2022
ghost pushed a commit that referenced this issue Jan 5, 2022
Enables a series of tasks run against our release pipeline that validate the security and compliance status of our code in an automated fashion. These checks include:
- Component Governance - (we had this one, it was moved to here) - Inventories open-source components used in our build
- PREfast - C/C++ static analysis for common code errors and exploits
- Policheck - Searches source code, comments, and text for words that could be sensitive legally, culturally, or geopolitically
- Credscan - Looks for credentials left behind in the code/documents and build output files
- BinSkim - Searches for common vulnerabilities in binaries
- CheckCFlags - Validates that compile/link flags match the policies recommended by Windows engineering for inclusion into the OS product image
- CFGCheck/XFGCheck - Validates that the CFG and/or XFG settings were enabled at compile and link time to guard against control flow attacks.

We're also required to run the SBOM one, but that was done in a separate PR and we're still pending the detectors being updated.

## References
- #11948 - Move from CFG to XFG once XFG task folks get back to me on it
- #11949 - Enable bug filing for SecComp tasks
- #11950 - Bulk process bugs filed by SecComp tasks
- #11947 - Validate SBOM when checkers come online

## Checklist
- [x] - Fixes #10735
- [x] - Fixes #908
- [x] - I work here
- [x] - If it fits, it sits.
@ghost ghost added Resolution-Fix-Committed Fix is checked in, but it might be 3-4 weeks until a release. and removed In-PR This issue has a related PR labels Jan 5, 2022
miniksa added a commit that referenced this issue Jan 10, 2022
@ghost

ghost commented Feb 3, 2022

🎉 This issue was addressed in #11849, which has now been successfully released as Windows Terminal Preview v1.13.10336.0. 🎉
