[ci] Migrate to the 1ES template (#135)

* [ci] Migrate to the 1ES template Context: https://aka.ms/1espt The build pipeline has been updated to extend the 1ES pipeline template, which will keep the pipeline up to date with the latest compliance and security requirements. Compliance tasks and scans will run automatically as part of artifact upload steps, which are now referred to as "outputs". Template outputs have replaced all instances of the `PublishPipelineArtifact` task. * Use self template reference * Test 1es-sign-artifacts yaml branch * Set compiler/linker flags * Test removal of xz submodule * Update flags * Update flags * Test template pivot * Add scan suppressions * Use main templates branch * Import more suppressions * Bump to xz 5.4.6 * Update .gdn * Use github.com/tukaani-project/xz * Update suppressions path * Update conditions and cl/link flags * Update cl/link flags * Update flags * Try a different way to pass args to submodules * Disable a warning we can't do much about * Update gdnsuppress: * Update build_windows, gdnsuppress * Update gdnsuppress * Update build images * Install latest 7.0 sdk for test lanes * Use latest 7.0 sdk --------- Co-authored-by: Marek Habersack <grendel@twistedcode.net>
dotnet · Feb 21, 2024 · 577147e · 577147e
1 parent 7abbbf4
commit 577147e
Show file tree

Hide file tree

Showing 7 changed files with 568 additions and 307 deletions.
diff --git a/.gdn/.gdnsettings b/.gdn/.gdnsettings
@@ -0,0 +1,7 @@
+{
+  "files": { },
+  "folders": { },
+  "overwriteLogs": true,
+  "telemetryFlushTimeout": 10,
+  "variables": { }
+}
diff --git a/.gdn/.gdnsuppress b/.gdn/.gdnsuppress
@@ -0,0 +1,160 @@
+{
+  "hydrated": false,
+  "properties": {
+    "helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/suppressions",
+    "hydrationStatus": "This file does not contain identifying data. It is safe to check into your repo. To hydrate this file with identifying data, run `guardian hydrate --help` and follow the guidance."
+  },
+  "version": "1.0.0",
+  "suppressionSets": {
+    "default": {
+      "name": "default",
+      "createdDate": "2024-02-13 23:43:02Z",
+      "lastUpdatedDate": "2024-02-15 20:19:17Z"
+    }
+  },
+  "results": {
+    "106ebf57147abe7cd400e99216306929d7fa316d10e3d30dc218c74b9bd7795e": {
+      "signature": "106ebf57147abe7cd400e99216306929d7fa316d10e3d30dc218c74b9bd7795e",
+      "alternativeSignatures": [
+        "f7e9384d5be4600dadfdbeceff23d1468f682e9d6998ce6d54f9379bbe1e535a"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Reference to an external vcpkg .ps1 file.",
+      "createdDate": "2024-02-13 23:43:02Z"
+    },
+    "cb309d5a322c6d545bc8304bc6bc21953f5d953dcc2ef54f9f66e9d2a41cd5af": {
+      "signature": "cb309d5a322c6d545bc8304bc6bc21953f5d953dcc2ef54f9f66e9d2a41cd5af",
+      "alternativeSignatures": [
+        "ff4304de20e5d510170ae65c7fe48212f33fcfa5c0a3d8a45eee175c04101153"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Suppressing BA2007 triggered by the addition of -wd4996 required to build external bzip2 dependency with /sdl flag.",
+      "createdDate": "2024-02-15 19:39:18Z"
+    },
+    "47d725f1446c35b0410c9774133d814fd3200f89bc0857bd81df4ac73ffcb90e": {
+      "signature": "47d725f1446c35b0410c9774133d814fd3200f89bc0857bd81df4ac73ffcb90e",
+      "alternativeSignatures": [
+        "4394b51c48c696764500c59f00680af353a9a744a82906347a413359f9cfd452"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Suppressing BA2007 triggered by the addition of -wd4996 required to build external bzip2 dependency with /sdl flag.",
+      "createdDate": "2024-02-15 19:39:18Z"
+    },
+    "5f3b04604481e5a1f6a33d01a244db1fc6b2fd02b3b078cf7dfe6cc04e076276": {
+      "signature": "5f3b04604481e5a1f6a33d01a244db1fc6b2fd02b3b078cf7dfe6cc04e076276",
+      "alternativeSignatures": [
+        "ba25311c4c43e2873bee240e8c4c68682272eb5bc58c97339791be287e8c96a2"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Suppressing BA2007 triggered by the addition of -wd4996 required to build external bzip2 dependency with /sdl flag.",
+      "createdDate": "2024-02-15 19:39:18Z"
+    },
+    "39b5eea31b6779ed59ae6854d2c15e17ceb93e3067a87138748fc8f02d734625": {
+      "signature": "39b5eea31b6779ed59ae6854d2c15e17ceb93e3067a87138748fc8f02d734625",
+      "alternativeSignatures": [
+        "59a87f4e078c6ab72fe39adc6139c86d18cddbcd40221114c4a683666bcaadf4"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win32 file 'example.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "4b61adeeb4b0237fbe2352c290a84dc686067351e66810c27192c6a00d9ecbc7": {
+      "signature": "4b61adeeb4b0237fbe2352c290a84dc686067351e66810c27192c6a00d9ecbc7",
+      "alternativeSignatures": [
+        "cf7a67d41e8f7415d089d7007de01417f73c41b842480682686b6b326042ef12"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win32 file 'minigzip.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "14d9bf44b59382ea3316fb01edba5c49251fac10cfa0b0e1c5e4053ea2daf7a7": {
+      "signature": "14d9bf44b59382ea3316fb01edba5c49251fac10cfa0b0e1c5e4053ea2daf7a7",
+      "alternativeSignatures": [
+        "34132c90cef21d1559d791ca3374054b3498293e9af99ebaf0a97ebdf2117359"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win32 file 'zlib.dll'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "32c95027d0378e43655c6ae1d1d94d175b5ae0a80f7a09ab5ef877c82c8613cf": {
+      "signature": "32c95027d0378e43655c6ae1d1d94d175b5ae0a80f7a09ab5ef877c82c8613cf",
+      "alternativeSignatures": [
+        "3b8cc35f6043d60895fc2b58aa0e340f26168e7276e77d32a2290ce8f52e87a7"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win64 file 'example.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "714c09b687b522c384ad4f562ad7fc22b4a3cc486f4e111da2ef9f9f7049bbd9": {
+      "signature": "714c09b687b522c384ad4f562ad7fc22b4a3cc486f4e111da2ef9f9f7049bbd9",
+      "alternativeSignatures": [
+        "c319ab28b12c0772a32e11a1b8adfbf5d31d940c26f65d547508fbbe067479c7"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win64 file 'minigzip.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "7d646d44fc117d94d024aeb65acccd6a6c78ea2f7a67a9925ec0720ca14fc16d": {
+      "signature": "7d646d44fc117d94d024aeb65acccd6a6c78ea2f7a67a9925ec0720ca14fc16d",
+      "alternativeSignatures": [
+        "b6cd355613757ef82eba700719a1957211688374b0841271340c10a65ca913ba"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win64 file 'zlib.dll'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "075eeab70a88345e6e142f97544de5be84cb85c87ba36ec229a2a4df5d482337": {
+      "signature": "075eeab70a88345e6e142f97544de5be84cb85c87ba36ec229a2a4df5d482337",
+      "alternativeSignatures": [
+        "4cc6ffe05f61e35bd7fa57a5a4b4f82d050e684f11e15ce6eade601aa86d2b11"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/winarm64 file 'example.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "f9e7e5e304a91532f7615d252ba18ea11e52ba6eb28cd78f872a480423351256": {
+      "signature": "f9e7e5e304a91532f7615d252ba18ea11e52ba6eb28cd78f872a480423351256",
+      "alternativeSignatures": [
+        "13987557036db098921cee21a62d8dc557c4e4136a10220442388eb2f9f18607"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/winarm64 file 'minigzip.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "0ed7f92df9b8d3bf93cf6898af876e9e159b351ce0b2afeb6f153b453be5cdf9": {
+      "signature": "0ed7f92df9b8d3bf93cf6898af876e9e159b351ce0b2afeb6f153b453be5cdf9",
+      "alternativeSignatures": [
+        "d2dc95e0c5edbdb8ddf1de2e9585c7d55cc1a529edc5c3319da8ed818dc72abf"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/winarm64 file 'zlib.dll'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    }
+  }
+}
diff --git a/.gdn/.gitignore b/.gdn/.gitignore
@@ -0,0 +1,11 @@
+## Ignore Guardian internal files
+.r/
+rc/
+rs/
+i/
+p/
+c/
+o/
+
+## Ignore Guardian Local settings
+LocalSettings.gdn.json
diff --git a/.gitmodules b/.gitmodules
@@ -14,15 +14,11 @@
 	branch = master
 [submodule "external/xz"]
 	path = external/xz
-	url = https://git.tukaani.org/xz.git
-	branch = master
-
+	url = https://github.com/tukaani-project/xz
 [submodule "zlib"]
 	path = external/zlib
 	url = https://github.com/madler/zlib.git
 	branch = master
 [submodule "external/zstd"]
 	path = external/zstd
 	url = https://github.com/facebook/zstd.git
-[submodule "https://git.tukaani.org/xz.git"]
-	url = external/xz
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -228,7 +228,21 @@ if(UNIX)
     LINKER:-z,relro
     LINKER:-z,noexecstack
     LINKER:--no-undefined
-    )
+  )
+else()
+  set(COMMON_COMPILE_OPTIONS
+    /Qspectre
+    /guard:cf
+    /sdl
+    /wd4996
+  )
+
+  set(LINKER_OPTIONS
+    LINKER:/PROFILE
+    LINKER:/DYNAMICBASE
+    LINKER:/CETCOMPAT
+    LINKER:/guard:cf
+  )
 endif()
 
 if(APPLE AND BUILD_LIBZIP)
@@ -576,7 +590,6 @@ else()
     target_link_options(
       ${PROJECT_NAME}
       PRIVATE
-      /PROFILE
       /wholearchive:$<TARGET_FILE:zip>
       )
   endif()