Updates security tools used

microsoft · Aug 14, 2023 · 1fb471a · 1fb471a
1 parent 515be0e
commit 1fb471a
Showing 1 changed file with 31 additions and 8 deletions.
diff --git a/build/jobs/analyze.yml b/build/jobs/analyze.yml
@@ -6,6 +6,11 @@ parameters:
   credScanDirectory: '$(Build.SourcesDirectory)'
 
 steps:
+- task: UseDotNet@2
+  displayName: Use .NET Core sdk
+  inputs:
+    useGlobalJson: true
+
 - ${{ if eq(parameters.analyzeBinaries, 'true') }}:
   - task: DownloadBuildArtifacts@0
     displayName: 'Download Binaries'
@@ -76,26 +81,42 @@ steps:
       Path: '$(Build.SourcesDirectory)'
       ToolVersion: Latest
 
-- task: UseDotNet@2
-  displayName: Use .NET Core sdk
-  inputs:
-    useGlobalJson: true
-
 - task: RoslynAnalyzers@3
   inputs:
     userProvideBuildInfo: 'msBuildInfo'
     msBuildArchitecture: 'DotNetCore'
-    msBuildCommandline: 'C:\hostedtoolcache\windows\dotnet\dotnet.exe build $(Build.SourcesDirectory)\Microsoft.Health.Fhir.sln'
+    msBuildCommandline: 'dotnet build $(Build.SourcesDirectory)\Microsoft.Health.Fhir.sln --configuration $(buildConfiguration) -p:ContinuousIntegrationBuild=true -f net7.0'
+
+- task: PoliCheck@2
+  displayName: Run PoliCheck
+
+- task: BinSkim@3
+  inputs:
+    toolVersion:        Latest
+    InputType:          Basic
+    Function:           analyze
+    AnalyzeTarget:      $(Build.ArtifactStagingDirectory)\Microsoft.Health.*.dll;$(Build.ArtifactStagingDirectory)\*.exe
+    AnalyzeConfigPath:  default
+    AnalyzeRecurse:     true
+
+ ## Tool is no longer supported:
+ # AutoApplicability@1, CodeMetrics@1, VulnerabilityAssessment@0
 
 - task: SdtReport@2
+  condition: succeededOrFailed()
+  continueOnError: True
   inputs:
     GdnExportAllTools: false
     GdnExportGdnToolArmory: ${{ eq(parameters.analyzeARMTemplates, 'true') }}
     GdnExportGdnToolCredScan: true
     GdnExportGdnToolCSRF: true
     GdnExportGdnToolRoslynAnalyzers: true
+    BinSkim: true
+    CredScan: true
 
 - task: PublishSecurityAnalysisLogs@3
+  condition: succeededOrFailed()
+  continueOnError: True
   inputs:
     ArtifactName: 'CodeAnalysisLogs'
     ArtifactType: 'Container'
@@ -114,7 +135,7 @@ steps:
     FxCop: false
     ModernCop: false
     MSRD: false
-    PoliCheck: false
+    PoliCheck: true
     RoslynAnalyzers: true
     SDLNativeRules: false
     Semmle: false
@@ -124,12 +145,15 @@ steps:
     ToolLogsNotFoundAction: 'Standard'
 
 - task: PostAnalysis@2
+  condition: succeededOrFailed()
   inputs:
     GdnBreakAllTools: false
     GdnBreakGdnToolArmory: ${{ eq(parameters.analyzeARMTemplates, 'true') }}
     GdnBreakGdnToolCredScan: true
     GdnBreakGdnToolCSRF: true
     GdnBreakGdnToolRoslynAnalyzers: true
+    BinSkim: true
+    CredScan: true
 
 - task: TSAUpload@2
   condition: and(succeeded(), eq(variables['build.sourceBranch'], 'refs/heads/main'))
@@ -141,7 +165,6 @@ steps:
     GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)\build\jobs\tsaconfig.gdntsa'
     GdnPublishTsaExportedResultsPublishable: true
 
-
 - task: DeleteFiles@1
   displayName: 'Delete files to make space'
   inputs: