Add PoliCheck (Azure#22651)

chidozieononiwu · web-flow · commit 7583626ea7f1 · 2021-09-22T11:08:48.000-07:00
* Add PoliCheck to Aggregate Report Pipeline

* Add per service run of policheck

* Add step for filtering PoliCheck Results

* Add PoliChheck Filtering

* Condition PoliCheck oon ServiceDirectoryName

* Add Allow List for core

* Install PowerShell-Yaml

* Remove sdk/core/PoliCheckAllowList.yml

* Clone build tools, read allow list from build tools

* Add reference to AddPoliCheckFilter build tools branch

* Move PoliCheck to it own stage

* Remove dependence ServiceDirectoryname

* Remove step for filtering PoliCheck result

* Add RulesDBPath

* Add guardian break step for policheck, with special folder for guardian tools

* Publish baseline results

* Consume baseline file from downloaded artifacts

* switch to DownloadPipelien Artifacts task

* Add poliCheck baseline control

* add baseline source parameter

* Stage baseline output for publishing

* Remove baseline

* Update publishing of Guardian tools

* Copy all the related files for guardian tools

* Add files for PoliCheck exclusion

* Switch to vanila PoliCheck Run

* Download and used PoliCheck.mdb file for Exclusions

* Update Exclusionfilename

* Fix up poliCheck issue

* Move Cred Scan into Compliance stage

* Add space betweeem yaml steps

* Fix up policheck issues in sdk\eventhub\Azure.Messaging.EventHubs.Shared\src\Testing\EventHubsTestEnvironment.cs

* Move PoliCheck before CredScan
diff --git a/eng/guardian-tools/policheck/PolicheckExclusions.xml b/eng/guardian-tools/policheck/PolicheckExclusions.xml
@@ -0,0 +1,12 @@
+<PoliCheckExclusions>
+<!-- All strings must be UPPER CASE -->
+<!-- Each of these exclusions is a folder name - if \[name]\ exists in the file path, it will be skipped -->
+<!--<Exclusion Type="FolderPathFull">ABC|XYZ</Exclusion>-->
+<!-- Each of these exclusions is a folder name - if any folder or file starts with "\[name]", it will be 
+skipped -->
+<!--<Exclusion Type="FolderPathStart">ABC|XYZ</Exclusion>-->
+<!-- Each of these file types will be completely skipped for the entire scan -->
+<!--<Exclusion Type="FileType">.ABC|.XYZ</Exclusion>-->
+<!-- The specified file names will be skipped during the scan regardless which folder they are in -->
+<!--<Exclusion Type="FileName">ABC.TXT|XYZ.CS</Exclusion>-->
+</PoliCheckExclusions>
diff --git a/eng/pipelines/aggregate-reports.yml b/eng/pipelines/aggregate-reports.yml
@@ -17,142 +17,184 @@ pr:
     include:
       - eng/pipelines/aggregate-reports.yml
 
-jobs:
-  - job: GenerateReports
-
-    variables:
-      - template: templates/variables/globals.yml
-
-    pool:
-      vmImage: 'windows-2019'
-
-    timeoutInMinutes: 120
-    steps:
-      - download: net-core
-        artifact: packages
-        patterns: '*'
-
-      - pwsh: |
-          npx cspell lint `
-            --config ./.vscode/cspell.json `
-            --no-must-find-files `
-            'sdk/*/*/api/*.cs'
-        displayName: Check spelling of public API surface
-        # Spelling errors in public api surface are not blockers yet but will
-        # become blockers when this is rolled out to all services. For now, turn
-        # the pipeline yellow if spelling errors are detected but do not block.
-        continueOnError: true
-
-      - template: /eng/common/pipelines/templates/steps/verify-links.yml
-        parameters:
-          Directory: ""
-          CheckLinkGuidance: $true
-          
-      - pwsh: |
-          mkdir "$(System.ArtifactsDirectory)/BuildArtifacts"
-          ls "$(PIPELINE.WORKSPACE)/net-core/packages"
-          Copy-Item -Path "$(PIPELINE.WORKSPACE)/net-core/packages/*" -Destination "$(System.ArtifactsDirectory)/BuildArtifacts"
-        displayName: Create Artifact Directory
-
-
-      - pwsh: |
-          mkdir '$(System.ArtifactsDirectory)/Packages'
-          Move-Item -Path '$(System.ArtifactsDirectory)/BuildArtifacts/*' -Destination '$(System.ArtifactsDirectory)/Packages/' -Include Azure.*.nupkg -Exclude *.symbols.nupkg
-        displayName: Isolate packages to process
-
-      - pwsh: |
-          mkdir '$(Build.ArtifactStagingDirectory)/reports'
-          Copy-Item -Path '$(Build.SourcesDirectory)/eng/common/InterdependencyGraph.html' -Destination '$(Build.ArtifactStagingDirectory)/reports/InterdependencyGraph.html'
-        displayName: Setup reports directory
-
-      - task: PowerShell@2
-        displayName: Generate Dependency Report
-        inputs:
-          pwsh: true
-          filePath: 'eng/scripts/dependencies/AnalyzeDeps.ps1'
-          arguments: >
-            -PackagesPath '$(System.ArtifactsDirectory)/Packages/'
-            -LockfilePath '$(Build.SourcesDirectory)/eng/Packages.Data.props'
-            -OutPath '$(Build.ArtifactStagingDirectory)/reports/dependencies.html'
-            -DumpPath '$(Build.ArtifactStagingDirectory)/reports/data.js'
-
-      - task: PowerShell@2
-        displayName: 'Generate azure-sdk.deps.json'
-        inputs:
-          pwsh: true
-          filePath: 'eng/scripts/dependencies/generate-deps.ps1'
-          arguments: >
-            -PackagesPath '$(System.ArtifactsDirectory)/Packages/'
-            -DepsOutputFile '$(Build.ArtifactStagingDirectory)/reports/azure-sdk.deps.json'
-            -ProjectRefPath '$(Build.ArtifactStagingDirectory)/reports'
-
-      - task: PowerShell@2
-        displayName: 'Validate dependencies with pwsh servicing'
-        inputs:
-          pwsh: true
-          filePath: 'eng/scripts/dependencies/compare-deps-files.ps1'
-          arguments: >
-            -PSDepsFile 'https://aka.ms/ps-deps-servicing'
-            -AzSdkDepsFile '$(Build.ArtifactStagingDirectory)/reports/azure-sdk.deps.json'
-
-      - task: PowerShell@2
-        displayName: 'Validate dependencies with pwsh stable'
-        inputs:
-          pwsh: true
-          filePath: 'eng/scripts/dependencies/compare-deps-files.ps1'
-          arguments: >
-            -PSDepsFile 'https://aka.ms/ps-deps-stable'
-            -AzSdkDepsFile '$(Build.ArtifactStagingDirectory)/reports/azure-sdk.deps.json'
-
-      - task: PowerShell@2
-        displayName: 'Validate dependencies with pwsh preview'
-        inputs:
-          pwsh: true
-          filePath: 'eng/scripts/dependencies/compare-deps-files.ps1'
-          arguments: >
-            -PSDepsFile 'https://aka.ms/ps-deps-preview'
-            -AzSdkDepsFile '$(Build.ArtifactStagingDirectory)/reports/azure-sdk.deps.json'
-
-      - task: PublishPipelineArtifact@1
-        displayName: 'Publish Report Artifacts'
-        inputs:
-          artifactName: reports
-          path: '$(Build.ArtifactStagingDirectory)/reports'
-
-      - task: AzureFileCopy@2
-        displayName: 'Upload dependency report'
-        inputs:
-          sourcePath: '$(Build.ArtifactStagingDirectory)/reports'
-          azureSubscription: 'Azure SDK Artifacts'
-          destination: AzureBlob
-          storage: azuresdkartifacts
-          containerName: 'azure-sdk-for-net'
-          blobPrefix: dependencies
-
-      - task: PowerShell@2
-        displayName: "Verify Repository Resource Refs"
-        inputs:
-          pwsh: true
-          workingDirectory: $(Build.SourcesDirectory)
-          filePath: eng/common/scripts/Verify-Resource-Ref.ps1
-      - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
-        displayName: 'Run CredScan'
-        inputs:
-          suppressionsFile: 'eng\CredScanSuppression.json'
-        condition: succeededOrFailed()
-      - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
-        displayName: 'Post Analysis'
-        inputs:
-          GdnBreakAllTools: false
-          GdnBreakGdnToolCredScan: true
-          GdnBreakGdnToolCredScanSeverity: Error
-          GdnBreakBaselineFiles: $(Build.SourcesDirectory)\eng\dotnet.gdnbaselines
-          GdnBreakBaselines: baseline  
-          # Used for generating baseline file
-          # GdnBreakOutputBaselineFile: dotnet
-          # GdnBreakOutputBaseline: baseline
-        condition: succeededOrFailed()
-        continueOnError: true
-      - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
-        displayName: 'Publish Security Analysis Logs'
-        condition: succeededOrFailed()
+pool:
+  vmImage: 'windows-2019'
+
+variables:
+  - template: templates/variables/globals.yml
+
+stages:
+  - stage: AggregateReports
+    displayName: Aggregate Reports
+
+    jobs:
+      - job: GenerateReports
+        timeoutInMinutes: 120
+        steps:
+          - download: net-core
+            artifact: packages
+            patterns: '*'
+            displayName: "Download packages artifacts from 'net - core' pipeline "
+
+          - pwsh: |
+              npx cspell lint `
+                --config ./.vscode/cspell.json `
+                --no-must-find-files `
+                'sdk/*/*/api/*.cs'
+            displayName: Check spelling of public API surface
+            # Spelling errors in public api surface are not blockers yet but will
+            # become blockers when this is rolled out to all services. For now, turn
+            # the pipeline yellow if spelling errors are detected but do not block.
+            continueOnError: true
+
+          - template: /eng/common/pipelines/templates/steps/verify-links.yml
+            parameters:
+              Directory: ""
+              CheckLinkGuidance: $true
+
+          - pwsh: |
+              mkdir "$(System.ArtifactsDirectory)/BuildArtifacts"
+              ls "$(PIPELINE.WORKSPACE)/net-core/packages"
+              Copy-Item -Path "$(PIPELINE.WORKSPACE)/net-core/packages/*" -Destination "$(System.ArtifactsDirectory)/BuildArtifacts"
+            displayName: Create Artifact Directory
+
+          - pwsh: |
+              mkdir '$(System.ArtifactsDirectory)/Packages'
+              Move-Item -Path '$(System.ArtifactsDirectory)/BuildArtifacts/*' -Destination '$(System.ArtifactsDirectory)/Packages/' -Include Azure.*.nupkg -Exclude *.symbols.nupkg
+            displayName: Isolate packages to process
+
+          - pwsh: |
+              mkdir '$(Build.ArtifactStagingDirectory)/reports'
+              Copy-Item -Path '$(Build.SourcesDirectory)/eng/common/InterdependencyGraph.html' -Destination '$(Build.ArtifactStagingDirectory)/reports/InterdependencyGraph.html'
+            displayName: Setup reports directory
+
+          - task: PowerShell@2
+            displayName: Generate Dependency Report
+            inputs:
+              pwsh: true
+              filePath: 'eng/scripts/dependencies/AnalyzeDeps.ps1'
+              arguments: >
+                -PackagesPath '$(System.ArtifactsDirectory)/Packages/'
+                -LockfilePath '$(Build.SourcesDirectory)/eng/Packages.Data.props'
+                -OutPath '$(Build.ArtifactStagingDirectory)/reports/dependencies.html'
+                -DumpPath '$(Build.ArtifactStagingDirectory)/reports/data.js'
+
+          - task: PowerShell@2
+            displayName: 'Generate azure-sdk.deps.json'
+            inputs:
+              pwsh: true
+              filePath: 'eng/scripts/dependencies/generate-deps.ps1'
+              arguments: >
+                -PackagesPath '$(System.ArtifactsDirectory)/Packages/'
+                -DepsOutputFile '$(Build.ArtifactStagingDirectory)/reports/azure-sdk.deps.json'
+                -ProjectRefPath '$(Build.ArtifactStagingDirectory)/reports'
+
+          - task: PowerShell@2
+            displayName: 'Validate dependencies with pwsh servicing'
+            inputs:
+              pwsh: true
+              filePath: 'eng/scripts/dependencies/compare-deps-files.ps1'
+              arguments: >
+                -PSDepsFile 'https://aka.ms/ps-deps-servicing'
+                -AzSdkDepsFile '$(Build.ArtifactStagingDirectory)/reports/azure-sdk.deps.json'
+
+          - task: PowerShell@2
+            displayName: 'Validate dependencies with pwsh stable'
+            inputs:
+              pwsh: true
+              filePath: 'eng/scripts/dependencies/compare-deps-files.ps1'
+              arguments: >
+                -PSDepsFile 'https://aka.ms/ps-deps-stable'
+                -AzSdkDepsFile '$(Build.ArtifactStagingDirectory)/reports/azure-sdk.deps.json'
+
+          - task: PowerShell@2
+            displayName: 'Validate dependencies with pwsh preview'
+            inputs:
+              pwsh: true
+              filePath: 'eng/scripts/dependencies/compare-deps-files.ps1'
+              arguments: >
+                -PSDepsFile 'https://aka.ms/ps-deps-preview'
+                -AzSdkDepsFile '$(Build.ArtifactStagingDirectory)/reports/azure-sdk.deps.json'
+
+          - task: PublishPipelineArtifact@1
+            displayName: 'Publish Report Artifacts'
+            inputs:
+              artifactName: reports
+              path: '$(Build.ArtifactStagingDirectory)/reports'
+
+          - task: AzureFileCopy@2
+            displayName: 'Upload dependency report'
+            inputs:
+              sourcePath: '$(Build.ArtifactStagingDirectory)/reports'
+              azureSubscription: 'Azure SDK Artifacts'
+              destination: AzureBlob
+              storage: azuresdkartifacts
+              containerName: 'azure-sdk-for-net'
+              blobPrefix: dependencies
+
+          - task: PowerShell@2
+            displayName: "Verify Repository Resource Refs"
+            inputs:
+              pwsh: true
+              workingDirectory: $(Build.SourcesDirectory)
+              filePath: eng/common/scripts/Verify-Resource-Ref.ps1
+
+  - stage: ComplianceTools
+    displayName: Compliance Tools
+    dependsOn: []
+
+    jobs:
+      - job: ComplianceTools
+        timeoutInMinutes: 120
+        steps:
+          - pwsh: |
+              azcopy copy "https://azuresdkartifacts.blob.core.windows.net/policheck/DotNetPoliCheckExclusion.mdb?$(azuresdk-policheck-blob-SAS)" `
+              "$(Build.BinariesDirectory)"
+            displayName: 'Download PoliCheck Exclusion Database'
+            condition: succeededOrFailed()
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
+            displayName: 'Run PoliCheck'
+            inputs:
+              targetType: F
+              targetArgument: '$(Build.SourcesDirectory)'
+              result: PoliCheck.sarif
+              optionsFC: 0
+              optionsXS: 1
+              optionsPE: 1|2|3|4
+              optionsRulesDBPath: "$(Build.BinariesDirectory)/DotNetPoliCheckExclusion.mdb"
+              optionsUEPATH: "$(Build.SourcesDirectory)/eng/guardian-tools/policheck/PolicheckExclusions.xml"
+            condition: succeededOrFailed()
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+            displayName: 'Post Analysis (PoliCheck)'
+            inputs:
+              GdnBreakAllTools: false
+              GdnBreakGdnToolPoliCheck: true
+              GdnBreakGdnToolPoliCheckSeverity: Warning
+            condition: succeededOrFailed()
+            continueOnError: true
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+            displayName: 'Run CredScan'
+            inputs:
+              suppressionsFile: 'eng\CredScanSuppression.json'
+            condition: succeededOrFailed()
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+            displayName: 'Post Analysis (CredScan)'
+            inputs:
+              GdnBreakAllTools: false
+              GdnBreakGdnToolCredScan: true
+              GdnBreakGdnToolCredScanSeverity: Error
+              GdnBreakBaselineFiles: $(Build.SourcesDirectory)\eng\dotnet.gdnbaselines
+              GdnBreakBaselines: baseline  
+              # Used for generating baseline file
+              # GdnBreakOutputBaselineFile: dotnet
+              # GdnBreakOutputBaseline: baseline
+            condition: succeededOrFailed()
+            continueOnError: true
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+            displayName: 'Publish Security Analysis Logs'
+            condition: succeededOrFailed()
diff --git a/sdk/eventhub/Azure.Messaging.EventHubs.Shared/src/Testing/EventHubsTestEnvironment.cs b/sdk/eventhub/Azure.Messaging.EventHubs.Shared/src/Testing/EventHubsTestEnvironment.cs
@@ -28,7 +28,7 @@ public sealed class EventHubsTestEnvironment : TestEnvironment
         /// <summary>The name of the environment variable used to specify an override for the Event Hub instance to use for all tests.</summary>
         private const string EventHubNameOverrideEnvironmentVariable = "EVENTHUB_OVERRIDE_EVENT_HUB_NAME";
 
-        /// <summary>The default value for the maximum duration, in minutes, that a single test is permitted to run before it is considered at-risk for being hung.</summary>
+        /// <summary>The default value for the maximum duration, in minutes, that a single test is permitted to run before it is considered at-risk of not responding.</summary>
         private const int DefaultPerTestExecutionLimitMinutes = 5;
 
         /// <summary>The singleton instance of the <see cref="EventHubsTestEnvironment" />, lazily created.</summary>
@@ -37,7 +37,7 @@ public sealed class EventHubsTestEnvironment : TestEnvironment
         /// <summary>The active Event Hubs namespace for this test run, lazily created.</summary>
         private readonly Lazy<NamespaceProperties> ActiveEventHubsNamespace;
 
-        /// <summary> The environment variable value, or default, for the maximum duration, in minutes, that a single test is permitted to run before it is considered at-risk for being hung, lazily evaluated.</summary>
+        /// <summary>The environment variable value, or default, for the maximum duration, in minutes, that a single test is permitted to run before it is considered at-risk of not responding, lazily evaluated.</summary>
         private readonly Lazy<TimeSpan> ActivePerTestExecutionLimit;
 
         /// <summary>The connection string for the active Event Hubs namespace for this test run, lazily created.</summary>
@@ -59,7 +59,7 @@ public sealed class EventHubsTestEnvironment : TestEnvironment
 
         /// <summary>
         ///   The environment variable value, or default, for the maximum duration, in minutes,
-        ///   that a single test is permitted to run before it is considered at-risk for being hung.
+        ///   that a single test is permitted to run before it is considered at-risk of not responding.
         /// </summary>
         ///
         public TimeSpan TestExecutionTimeLimit => ActivePerTestExecutionLimit.Value;
diff --git a/sdk/eventhub/Azure.Messaging.EventHubs/CONTRIBUTING.md b/sdk/eventhub/Azure.Messaging.EventHubs/CONTRIBUTING.md
@@ -112,7 +112,7 @@ The Event Hubs Live tests read information from the following environment variab
   The client secret (password) of the Azure Active Directory application that is associated with the service principal
  
 - `EVENTHUB_PER_TEST_LIMIT_MINUTES`  
-  The maximum duration, in minutes, that a single test is permitted to run before it is considered at-risk for being hung.  If not provided, a default suitable for most local development environment runs is assumed.
+  The maximum duration, in minutes, that a single test is permitted to run before it is considered at-risk of not responding.  If not provided, a default suitable for most local development environment runs is assumed.
 
 - `EVENTHUB_NAMESPACE_CONNECTION_STRING`  
   The connection string to an Event Hubs namespace to use for testing.  Tests will each create an ephemeral Event Hub instance in this namespace when executing, in order to ensure isolation.  When the run is complete, the namespace will be left in the state that it was in before the test run took place.
