Skip to content

Update SBOM generation #16641

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
TravisEz13 merged 11 commits into from
Dec 17, 2021
Merged

Update SBOM generation #16641

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
65d362b
switch to new sbom template
TravisEz13 Dec 10, 2021
5ec0f61
add names for linux
TravisEz13 Dec 10, 2021
aebfbe6
move cgmanifest
TravisEz13 Dec 13, 2021
019e087
fix CG
TravisEz13 Dec 15, 2021
e4e83c5
fix macos GC failures
TravisEz13 Dec 15, 2021
c207fe8
use already set repoRoot for repoRoot
TravisEz13 Dec 16, 2021
e0875c8
fix the correct template
TravisEz13 Dec 16, 2021
6f05fda
fix autodetections
TravisEz13 Dec 16, 2021
9fa0df4
Revert "switch to new sbom template"
TravisEz13 Dec 16, 2021
1eca05d
fix nuget build
TravisEz13 Dec 17, 2021
492b4a1
Apply suggestions from code review
TravisEz13 Dec 17, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/prquantifier.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,5 @@ Excluded:
- '*.md'
- '*.sln'
# autogenerated files
- cgmanifest.json
- tools/cgmanifest.json
- assets/wix/files.wxs
2 changes: 1 addition & 1 deletion .vsts-ci/linux.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ pr:
- .vsts-ci/misc-analysis.yml
- .vsts-ci/windows.yml
- .vsts-ci/windows/*
- cgmanifest.json
- tools/cgmanifest.json
- LICENSE.txt
- test/common/markdown/*
- test/perf/*
Expand Down
2 changes: 1 addition & 1 deletion .vsts-ci/mac.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ pr:
- .vsts-ci/misc-analysis.yml
- .vsts-ci/windows.yml
- .vsts-ci/windows/*
- cgmanifest.json
- tools/cgmanifest.json
- LICENSE.txt
- test/common/markdown/*
- test/perf/*
Expand Down
2 changes: 1 addition & 1 deletion .vsts-ci/misc-analysis/mdSpell.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,4 +53,4 @@ jobs:

- template: dailyBuildCompliance.yml@ComplianceRepo
parameters:
sourceScanPath: '$(repoPath)'
sourceScanPath: '$(repoPath)/test/common'
2 changes: 1 addition & 1 deletion .vsts-ci/windows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ pr:
- .dependabot/config.yml
- .github/ISSUE_TEMPLATE/*
- .vsts-ci/misc-analysis.yml
- cgmanifest.json
- tools/cgmanifest.json
- LICENSE.txt
- test/common/markdown/*
- test/perf/*
Expand Down
1 change: 1 addition & 0 deletions .vsts-ci/windows/templates/windows-packaging.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ jobs:
BuildDropPath: '$(System.ArtifactsDirectory)/mainBuild'
Build_Repository_Uri: $(build.repository.uri)
displayName: SBOM
sourceScanPath: '$(repoPath)\tools'

- pwsh: |
Import-Module .\tools\ci.psm1
Expand Down
0 cgmanifest.json → tools/cgmanifest.json
View file
Open in desktop
File renamed without changes.
4 changes: 2 additions & 2 deletions tools/findMissingNotices.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,8 @@ Import-Module "$PSScriptRoot\..\.github\workflows\GHWorkflowHelper" -Force
. "$PSScriptRoot\..\tools\buildCommon\startNativeExecution.ps1"

$existingRegistrationTable = @{}
$existingRegistrationsJson = Get-Content $PSScriptRoot\..\cgmanifest.json | ConvertFrom-Json -AsHashtable
$cgManifestPath = (Resolve-Path -Path $PSScriptRoot\..\tools\cgmanifest.json).ProviderPath
$existingRegistrationsJson = Get-Content $cgManifestPath | ConvertFrom-Json -AsHashtable
$existingRegistrationsJson.Registrations | ForEach-Object {
$registration = [Registration]$_
if ($registration.Component) {
Expand Down Expand Up @@ -269,7 +270,6 @@ $newRegistrations = $registrations.Keys | Sort-Object | ForEach-Object { $regist
$count = $newRegistrations.Count
$newJson = @{Registrations = $newRegistrations } | ConvertTo-Json -depth 99
if ($Fix -and $registrationChanged) {
$cgManifestPath = (Resolve-Path -Path $PSScriptRoot\..\cgmanifest.json).ProviderPath
$newJson | Set-Content $cgManifestPath
Set-GWVariable -Name CGMANIFEST_PATH -Value $cgManifestPath
}
Expand Down
22 changes: 16 additions & 6 deletions tools/releaseBuild/azureDevOps/templates/SetVersionVariables.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,21 +16,31 @@ steps:
- powershell: |
$path = "./build.psm1"

if($env:REPOROOT){
Write-Verbose "reporoot already set to ${env:REPOROOT}" -Verbose
exit 0
}

if(Test-Path -Path $path)
{
$vstsCommandString = "vso[task.setvariable variable=repoRoot]."
Write-Host ("sending " + $vstsCommandString)
Write-Host "##$vstsCommandString"
Write-Verbose "reporoot detect at: ." -Verbose
$repoRoot = '.'
}
else{
$path = "./PowerShell/build.psm1"
if(Test-Path -Path $path)
{
$vstsCommandString = "vso[task.setvariable variable=repoRoot]./PowerShell"
Write-Host ("sending " + $vstsCommandString)
Write-Host "##$vstsCommandString"
Write-Verbose "reporoot detect at: ./PowerShell" -Verbose
$repoRoot = './PowerShell'
}
}
if($repoRoot) {
$vstsCommandString = "vso[task.setvariable variable=repoRoot]$repoRoot"
Write-Host ("sending " + $vstsCommandString)
Write-Host "##$vstsCommandString"
} else {
Write-Verbose -Verbose "repo not found"
}
displayName: 'Set repo Root'

- powershell: |
Expand Down
2 changes: 1 addition & 1 deletion tools/releaseBuild/azureDevOps/templates/compliance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -138,5 +138,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(Build.SourcesDirectory)\tools'
snapshotForceEnabled: true
2 changes: 1 addition & 1 deletion tools/releaseBuild/azureDevOps/templates/compliance/compliance.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,5 +86,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(Build.SourcesDirectory)\tools'
snapshotForceEnabled: true
9 changes: 1 addition & 8 deletions tools/releaseBuild/azureDevOps/templates/compliance/generateNotice.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,7 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
ignoreDirectories: '$(Build.SourcesDirectory)\test,$(Build.SourcesDirectory)\docs'
sourceScanPath: '$(Build.SourcesDirectory)\tools'

- task: msospo.ospo-extension.8d7f9abb-6896-461d-9e25-4f74ed65ddb2.notice@0
displayName: 'NOTICE File Generator'
Expand Down Expand Up @@ -82,9 +81,3 @@ jobs:
targetPath: $(System.ArtifactsDirectory)
artifactName: notice
displayName: Publish notice artifacts

- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
snapshotForceEnabled: true
2 changes: 1 addition & 1 deletion tools/releaseBuild/azureDevOps/templates/json.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,5 +51,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(Build.SourcesDirectory)\tools'
snapshotForceEnabled: true
20 changes: 14 additions & 6 deletions tools/releaseBuild/azureDevOps/templates/linux.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,27 +76,39 @@ jobs:
BuildDropPath: '$(System.ArtifactsDirectory)/pwshLinuxBuild'
Build_Repository_Uri: $(Github_Build_Repository_Uri)
displayName: ${{ parameters.buildName }} SBOM
PackageName: PowerShell Linux
PackageVersion: $(Version)
sourceScanPath: '$(PowerShellRoot)/tools'

- ${{ if eq(variables.build,'deb') }} :
- template: Sbom.yml@ComplianceRepo
parameters:
BuildDropPath: '$(System.ArtifactsDirectory)/pwshLinuxBuildMinSize'
Build_Repository_Uri: $(Github_Build_Repository_Uri)
displayName: MinSize SBOM
PackageName: PowerShell Linux Minimum Size
PackageVersion: $(Version)
sourceScanPath: '$(PowerShellRoot)/tools'

- ${{ if eq(variables.build,'deb') }} :
- template: Sbom.yml@ComplianceRepo
parameters:
BuildDropPath: '$(System.ArtifactsDirectory)/pwshLinuxBuildArm32'
Build_Repository_Uri: $(Github_Build_Repository_Uri)
displayName: Arm32 SBOM
PackageName: PowerShell Linux Arm32
PackageVersion: $(Version)
sourceScanPath: '$(PowerShellRoot)/tools'

- ${{ if eq(variables.build,'deb') }} :
- template: Sbom.yml@ComplianceRepo
parameters:
BuildDropPath: '$(System.ArtifactsDirectory)/pwshLinuxBuildArm64'
Build_Repository_Uri: $(Github_Build_Repository_Uri)
displayName: Arm64 SBOM
PackageName: PowerShell Linux Arm64
PackageVersion: $(Version)
sourceScanPath: '$(PowerShellRoot)/tools'

- powershell: |
Import-Module "$env:POWERSHELLROOT/build.psm1"
Expand Down Expand Up @@ -148,6 +160,8 @@ jobs:
value: false
- name: NugetSecurityAnalysisWarningLevel
value: none
- name: skipComponentGovernanceDetection
value: true

steps:
- checkout: self
Expand Down Expand Up @@ -297,9 +311,3 @@ jobs:
parameters:
artifactPath: '$(Build.StagingDirectory)\signedPackages\release'
condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))

- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
snapshotForceEnabled: true
11 changes: 10 additions & 1 deletion tools/releaseBuild/azureDevOps/templates/mac-file-signing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,19 +10,28 @@ jobs:
name: PowerShell1ES
demands:
- ImageOverride -equals MMS2019

variables:
- group: ESRP
- name: runCodesignValidationInjection
value: false
- name: NugetSecurityAnalysisWarningLevel
value: none
- name: repoFolder
value: PowerShell
- name: repoRoot
value: $(Agent.BuildDirectory)\$(repoFolder)
- name: complianceRepoFolder
value: compliance

steps:
- checkout: self
clean: true
path: $(repoFolder)

- checkout: ComplianceRepo
clean: true
path: $(complianceRepoFolder)

- template: SetVersionVariables.yml
parameters:
Expand Down Expand Up @@ -107,5 +116,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(repoRoot)\tools'
snapshotForceEnabled: true
5 changes: 4 additions & 1 deletion tools/releaseBuild/azureDevOps/templates/mac-package-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,9 @@ jobs:
parameters:
BuildDropPath: '$(System.ArtifactsDirectory)/$(SymbolsFolder)'
Build_Repository_Uri: $(Github_Build_Repository_Uri)
PackageName: PowerShell macOS ${{ parameters.buildArchitecture }}
PackageVersion: $(Version)
sourceScanPath: '$(PowerShellRoot)/tools'

- pwsh: |
Import-Module $(PowerShellRoot)/build.psm1 -Force
Expand Down Expand Up @@ -118,5 +121,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(PowerShellRoot)/tools'
snapshotForceEnabled: true
11 changes: 10 additions & 1 deletion tools/releaseBuild/azureDevOps/templates/mac-package-signing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,21 @@ jobs:
value: false
- name: NugetSecurityAnalysisWarningLevel
value: none
- name: repoFolder
value: PowerShell
- name: repoRoot
value: $(Agent.BuildDirectory)\$(repoFolder)
- name: complianceRepoFolder
value: compliance

steps:
- checkout: self
clean: true
path: $(repoFolder)

- checkout: ComplianceRepo
clean: true
path: $(complianceRepoFolder)

- template: shouldSign.yml

Expand Down Expand Up @@ -119,5 +128,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(repoRoot)/tools'
snapshotForceEnabled: true
2 changes: 1 addition & 1 deletion tools/releaseBuild/azureDevOps/templates/mac.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,5 +57,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(Build.SourcesDirectory)/tools'
snapshotForceEnabled: true
2 changes: 1 addition & 1 deletion tools/releaseBuild/azureDevOps/templates/nuget.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -253,4 +253,4 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(PackagePath)'
sourceScanPath: '$(repoRoot)\tools'
2 changes: 1 addition & 1 deletion tools/releaseBuild/azureDevOps/templates/windows-hosted-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,5 +76,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(PowerShellRoot)'
sourceScanPath: '$(PowerShellRoot)\tools'
snapshotForceEnabled: true
10 changes: 9 additions & 1 deletion tools/releaseBuild/azureDevOps/templates/windows-package-signing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,13 +15,21 @@ jobs:
- name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
value: 1
- group: ESRP
- name: repoFolder
value: PowerShell
- name: repoRoot
value: $(Agent.BuildDirectory)\$(repoFolder)
- name: complianceRepoFolder
value: compliance

steps:
- checkout: self
clean: true
path: $(repoFolder)

- checkout: ComplianceRepo
clean: true
path: $(complianceRepoFolder)

- template: SetVersionVariables.yml
parameters:
Expand Down Expand Up @@ -124,5 +132,5 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(repoRoot)\tools'
snapshotForceEnabled: true
5 changes: 4 additions & 1 deletion tools/releaseBuild/azureDevOps/templates/windows-packaging.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -227,6 +227,9 @@ jobs:
parameters:
BuildDropPath: '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
Build_Repository_Uri: $(Github_Build_Repository_Uri)
PackageName: PowerShell Windows ${{ parameters.Architecture }} ${{ parameters.BuildConfiguration }}
PackageVersion: $(Version)
sourceScanPath: '$(PowerShellRoot)\tools'

- powershell: |
Import-Module $(PowerShellRoot)/build.psm1 -Force
Expand Down Expand Up @@ -357,7 +360,7 @@ jobs:
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
sourceScanPath: '$(Build.SourcesDirectory)'
sourceScanPath: '$(PowerShellRoot)\tools'
snapshotForceEnabled: true

- powershell: |
Expand Down