mirror of
https://github.com/PowerShell/PowerShell.git
synced 2024-11-23 01:34:19 +08:00
Update SBOM generation (#16641)
parent
b7ce3c568c
commit
a3788b0de0
2
.github/prquantifier.yaml
vendored
2
.github/prquantifier.yaml
vendored
@ -7,5 +7,5 @@ Excluded:
|
||||
- '*.md'
|
||||
- '*.sln'
|
||||
# autogenerated files
|
||||
- cgmanifest.json
|
||||
- tools/cgmanifest.json
|
||||
- assets/wix/files.wxs
|
||||
|
@ -30,7 +30,7 @@ pr:
|
||||
- .vsts-ci/misc-analysis.yml
|
||||
- .vsts-ci/windows.yml
|
||||
- .vsts-ci/windows/*
|
||||
- cgmanifest.json
|
||||
- tools/cgmanifest.json
|
||||
- LICENSE.txt
|
||||
- test/common/markdown/*
|
||||
- test/perf/*
|
||||
|
@ -31,7 +31,7 @@ pr:
|
||||
- .vsts-ci/misc-analysis.yml
|
||||
- .vsts-ci/windows.yml
|
||||
- .vsts-ci/windows/*
|
||||
- cgmanifest.json
|
||||
- tools/cgmanifest.json
|
||||
- LICENSE.txt
|
||||
- test/common/markdown/*
|
||||
- test/perf/*
|
||||
|
@ -53,4 +53,4 @@ jobs:
|
||||
|
||||
- template: dailyBuildCompliance.yml@ComplianceRepo
|
||||
parameters:
|
||||
sourceScanPath: '$(repoPath)'
|
||||
sourceScanPath: '$(repoPath)/test/common'
|
||||
|
@ -28,7 +28,7 @@ pr:
|
||||
- .dependabot/config.yml
|
||||
- .github/ISSUE_TEMPLATE/*
|
||||
- .vsts-ci/misc-analysis.yml
|
||||
- cgmanifest.json
|
||||
- tools/cgmanifest.json
|
||||
- LICENSE.txt
|
||||
- test/common/markdown/*
|
||||
- test/perf/*
|
||||
|
@ -69,6 +69,7 @@ jobs:
|
||||
BuildDropPath: '$(System.ArtifactsDirectory)/mainBuild'
|
||||
Build_Repository_Uri: $(build.repository.uri)
|
||||
displayName: SBOM
|
||||
sourceScanPath: '$(repoPath)\tools'
|
||||
|
||||
- pwsh: |
|
||||
Import-Module .\tools\ci.psm1
|
||||
|
@ -14,7 +14,8 @@ Import-Module "$PSScriptRoot\..\.github\workflows\GHWorkflowHelper" -Force
|
||||
. "$PSScriptRoot\..\tools\buildCommon\startNativeExecution.ps1"
|
||||
|
||||
$existingRegistrationTable = @{}
|
||||
$existingRegistrationsJson = Get-Content $PSScriptRoot\..\cgmanifest.json | ConvertFrom-Json -AsHashtable
|
||||
$cgManifestPath = (Resolve-Path -Path $PSScriptRoot\..\tools\cgmanifest.json).ProviderPath
|
||||
$existingRegistrationsJson = Get-Content $cgManifestPath | ConvertFrom-Json -AsHashtable
|
||||
$existingRegistrationsJson.Registrations | ForEach-Object {
|
||||
$registration = [Registration]$_
|
||||
if ($registration.Component) {
|
||||
@ -269,7 +270,6 @@ $newRegistrations = $registrations.Keys | Sort-Object | ForEach-Object { $regist
|
||||
$count = $newRegistrations.Count
|
||||
$newJson = @{Registrations = $newRegistrations } | ConvertTo-Json -depth 99
|
||||
if ($Fix -and $registrationChanged) {
|
||||
$cgManifestPath = (Resolve-Path -Path $PSScriptRoot\..\cgmanifest.json).ProviderPath
|
||||
$newJson | Set-Content $cgManifestPath
|
||||
Set-GWVariable -Name CGMANIFEST_PATH -Value $cgManifestPath
|
||||
}
|
||||
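Review bot: `Resolve-Path` reports a missing `tools\cgmanifest.json` as a non-terminating error, so unless the script sets `$ErrorActionPreference = 'Stop'` somewhere outside these hunks, `$cgManifestPath` ends up `$null`, the `Get-Content` call fails, and the comparison goes on against an empty registration table. Suggest `$cgManifestPath = (Resolve-Path -Path $PSScriptRoot\..\tools\cgmanifest.json -ErrorAction Stop).ProviderPath` so a moved or missing manifest stops the run instead of looking like "every registration is new". The second hunk appears to drop the later re-resolve and reuse this variable for `Set-Content` under `-Fix`, so the same guard would cover the write path as well.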
|
@ -16,21 +16,31 @@ steps:
|
||||
- powershell: |
|
||||
$path = "./build.psm1"
|
||||
|
||||
if($env:REPOROOT){
|
||||
Write-Verbose "reporoot already set to ${env:REPOROOT}" -Verbose
|
||||
exit 0
|
||||
}
|
||||
|
||||
if(Test-Path -Path $path)
|
||||
{
|
||||
$vstsCommandString = "vso[task.setvariable variable=repoRoot]."
|
||||
Write-Host ("sending " + $vstsCommandString)
|
||||
Write-Host "##$vstsCommandString"
|
||||
Write-Verbose "reporoot detect at: ." -Verbose
|
||||
$repoRoot = '.'
|
||||
}
|
||||
else{
|
||||
$path = "./PowerShell/build.psm1"
|
||||
if(Test-Path -Path $path)
|
||||
{
|
||||
$vstsCommandString = "vso[task.setvariable variable=repoRoot]./PowerShell"
|
||||
Write-Host ("sending " + $vstsCommandString)
|
||||
Write-Host "##$vstsCommandString"
|
||||
Write-Verbose "reporoot detect at: ./PowerShell" -Verbose
|
||||
$repoRoot = './PowerShell'
|
||||
}
|
||||
}
|
||||
if($repoRoot) {
|
||||
$vstsCommandString = "vso[task.setvariable variable=repoRoot]$repoRoot"
|
||||
Write-Host ("sending " + $vstsCommandString)
|
||||
Write-Host "##$vstsCommandString"
|
||||
} else {
|
||||
Write-Verbose -Verbose "repo not found"
|
||||
}
|
||||
displayName: 'Set repo Root'
|
||||
|
||||
- powershell: |
|
||||
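Review bot: The final `else` branch only writes `repo not found` as a verbose message, so the step still succeeds with `repoRoot` unset. Azure Pipelines leaves an undefined `$(repoRoot)` macro unexpanded, so inputs such as the `$(repoRoot)\tools` scan paths used elsewhere in this commit would then name a directory that does not exist. Failing the step at that point, e.g. `throw "repo not found"`, keeps a broken checkout layout from turning into an empty component scan. The value that is set is also relative (`.` or `./PowerShell`), which is only correct while later steps run from the same working directory; `(Resolve-Path $repoRoot).ProviderPath` would remove that dependency.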
|
@ -138,5 +138,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(Build.SourcesDirectory)\tools'
|
||||
snapshotForceEnabled: true
|
||||
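Review bot: Pointing `sourceScanPath` at `$(Build.SourcesDirectory)\tools` (taking the second of the two `sourceScanPath` lines as the new side, since the +/- markers are lost on this page) means Component Detection no longer walks the product sources. The registered inventory then depends on `tools/cgmanifest.json` being complete, plus whatever manifests happen to sit under `tools`. A comment above the input would make that intent explicit, e.g. `# scan only tools/ so detection is driven by tools/cgmanifest.json; keep that file current`. The same change repeats in the other Component Detection hunks and in the SBOM template parameters on this page, with mixed separators: `\tools` in some, `/tools` in others, and `$(repoRoot)/tools` where `repoRoot` itself is built with a backslash. A backslash form would not resolve if any of those jobs runs on a non-Windows agent, which this page does not show, so it is worth settling one separator convention per agent OS.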
|
@ -86,5 +86,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(Build.SourcesDirectory)\tools'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -43,8 +43,7 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
ignoreDirectories: '$(Build.SourcesDirectory)\test,$(Build.SourcesDirectory)\docs'
|
||||
sourceScanPath: '$(Build.SourcesDirectory)\tools'
|
||||
|
||||
- task: msospo.ospo-extension.8d7f9abb-6896-461d-9e25-4f74ed65ddb2.notice@0
|
||||
displayName: 'NOTICE File Generator'
|
||||
@ -82,9 +81,3 @@ jobs:
|
||||
targetPath: $(System.ArtifactsDirectory)
|
||||
artifactName: notice
|
||||
displayName: Publish notice artifacts
|
||||
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -51,5 +51,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(Build.SourcesDirectory)\tools'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -76,6 +76,9 @@ jobs:
|
||||
BuildDropPath: '$(System.ArtifactsDirectory)/pwshLinuxBuild'
|
||||
Build_Repository_Uri: $(Github_Build_Repository_Uri)
|
||||
displayName: ${{ parameters.buildName }} SBOM
|
||||
PackageName: PowerShell Linux
|
||||
PackageVersion: $(Version)
|
||||
sourceScanPath: '$(PowerShellRoot)/tools'
|
||||
|
||||
- ${{ if eq(variables.build,'deb') }} :
|
||||
- template: Sbom.yml@ComplianceRepo
|
||||
@ -83,6 +86,9 @@ jobs:
|
||||
BuildDropPath: '$(System.ArtifactsDirectory)/pwshLinuxBuildMinSize'
|
||||
Build_Repository_Uri: $(Github_Build_Repository_Uri)
|
||||
displayName: MinSize SBOM
|
||||
PackageName: PowerShell Linux Minimum Size
|
||||
PackageVersion: $(Version)
|
||||
sourceScanPath: '$(PowerShellRoot)/tools'
|
||||
|
||||
- ${{ if eq(variables.build,'deb') }} :
|
||||
- template: Sbom.yml@ComplianceRepo
|
||||
@ -90,6 +96,9 @@ jobs:
|
||||
BuildDropPath: '$(System.ArtifactsDirectory)/pwshLinuxBuildArm32'
|
||||
Build_Repository_Uri: $(Github_Build_Repository_Uri)
|
||||
displayName: Arm32 SBOM
|
||||
PackageName: PowerShell Linux Arm32
|
||||
PackageVersion: $(Version)
|
||||
sourceScanPath: '$(PowerShellRoot)/tools'
|
||||
|
||||
- ${{ if eq(variables.build,'deb') }} :
|
||||
- template: Sbom.yml@ComplianceRepo
|
||||
@ -97,6 +106,9 @@ jobs:
|
||||
BuildDropPath: '$(System.ArtifactsDirectory)/pwshLinuxBuildArm64'
|
||||
Build_Repository_Uri: $(Github_Build_Repository_Uri)
|
||||
displayName: Arm64 SBOM
|
||||
PackageName: PowerShell Linux Arm64
|
||||
PackageVersion: $(Version)
|
||||
sourceScanPath: '$(PowerShellRoot)/tools'
|
||||
|
||||
- powershell: |
|
||||
Import-Module "$env:POWERSHELLROOT/build.psm1"
|
||||
@ -148,6 +160,8 @@ jobs:
|
||||
value: false
|
||||
- name: NugetSecurityAnalysisWarningLevel
|
||||
value: none
|
||||
- name: skipComponentGovernanceDetection
|
||||
value: true
|
||||
|
||||
steps:
|
||||
- checkout: self
|
||||
@ -297,9 +311,3 @@ jobs:
|
||||
parameters:
|
||||
artifactPath: '$(Build.StagingDirectory)\signedPackages\release'
|
||||
condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))
|
||||
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
snapshotForceEnabled: true
|
||||
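Review bot: `skipComponentGovernanceDetection: true` is added in the `@ -148,6 +160,8 @@` hunk and the explicit Component Detection task at the end of the file is removed, so the affected job registers components only if `Sbom.yml@ComplianceRepo` runs detection itself, which this page does not show. A comment next to the variable would record that dependency, e.g. `# component detection for this job is expected to run inside Sbom.yml@ComplianceRepo`. It is also worth confirming that at least one SBOM template instance runs for every value of `variables.build`: the MinSize, Arm32 and Arm64 instances visibly follow `${{ if eq(variables.build,'deb') }}` conditions, and the condition on the first instance lies outside the hunk.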
|
@ -10,19 +10,28 @@ jobs:
|
||||
name: PowerShell1ES
|
||||
demands:
|
||||
- ImageOverride -equals MMS2019
|
||||
|
||||
variables:
|
||||
- group: ESRP
|
||||
- name: runCodesignValidationInjection
|
||||
value: false
|
||||
- name: NugetSecurityAnalysisWarningLevel
|
||||
value: none
|
||||
- name: repoFolder
|
||||
value: PowerShell
|
||||
- name: repoRoot
|
||||
value: $(Agent.BuildDirectory)\$(repoFolder)
|
||||
- name: complianceRepoFolder
|
||||
value: compliance
|
||||
|
||||
steps:
|
||||
- checkout: self
|
||||
clean: true
|
||||
path: $(repoFolder)
|
||||
|
||||
- checkout: ComplianceRepo
|
||||
clean: true
|
||||
path: $(complianceRepoFolder)
|
||||
|
||||
- template: SetVersionVariables.yml
|
||||
parameters:
|
||||
@ -107,5 +116,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(repoRoot)\tools'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -85,6 +85,9 @@ jobs:
|
||||
parameters:
|
||||
BuildDropPath: '$(System.ArtifactsDirectory)/$(SymbolsFolder)'
|
||||
Build_Repository_Uri: $(Github_Build_Repository_Uri)
|
||||
PackageName: PowerShell macOS ${{ parameters.buildArchitecture }}
|
||||
PackageVersion: $(Version)
|
||||
sourceScanPath: '$(PowerShellRoot)/tools'
|
||||
|
||||
- pwsh: |
|
||||
Import-Module $(PowerShellRoot)/build.psm1 -Force
|
||||
@ -118,5 +121,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(PowerShellRoot)/tools'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -16,12 +16,21 @@ jobs:
|
||||
value: false
|
||||
- name: NugetSecurityAnalysisWarningLevel
|
||||
value: none
|
||||
- name: repoFolder
|
||||
value: PowerShell
|
||||
- name: repoRoot
|
||||
value: $(Agent.BuildDirectory)\$(repoFolder)
|
||||
- name: complianceRepoFolder
|
||||
value: compliance
|
||||
|
||||
steps:
|
||||
- checkout: self
|
||||
clean: true
|
||||
path: $(repoFolder)
|
||||
|
||||
- checkout: ComplianceRepo
|
||||
clean: true
|
||||
path: $(complianceRepoFolder)
|
||||
|
||||
- template: shouldSign.yml
|
||||
|
||||
@ -119,5 +128,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(repoRoot)/tools'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -57,5 +57,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(Build.SourcesDirectory)/tools'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -253,4 +253,4 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(PackagePath)'
|
||||
sourceScanPath: '$(repoRoot)\tools'
|
||||
|
@ -76,5 +76,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(PowerShellRoot)'
|
||||
sourceScanPath: '$(PowerShellRoot)\tools'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -15,13 +15,21 @@ jobs:
|
||||
- name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
|
||||
value: 1
|
||||
- group: ESRP
|
||||
- name: repoFolder
|
||||
value: PowerShell
|
||||
- name: repoRoot
|
||||
value: $(Agent.BuildDirectory)\$(repoFolder)
|
||||
- name: complianceRepoFolder
|
||||
value: compliance
|
||||
|
||||
steps:
|
||||
- checkout: self
|
||||
clean: true
|
||||
path: $(repoFolder)
|
||||
|
||||
- checkout: ComplianceRepo
|
||||
clean: true
|
||||
path: $(complianceRepoFolder)
|
||||
|
||||
- template: SetVersionVariables.yml
|
||||
parameters:
|
||||
@ -124,5 +132,5 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(repoRoot)\tools'
|
||||
snapshotForceEnabled: true
|
||||
|
@ -227,6 +227,9 @@ jobs:
|
||||
parameters:
|
||||
BuildDropPath: '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
|
||||
Build_Repository_Uri: $(Github_Build_Repository_Uri)
|
||||
PackageName: PowerShell Windows ${{ parameters.Architecture }} ${{ parameters.BuildConfiguration }}
|
||||
PackageVersion: $(Version)
|
||||
sourceScanPath: '$(PowerShellRoot)\tools'
|
||||
|
||||
- powershell: |
|
||||
Import-Module $(PowerShellRoot)/build.psm1 -Force
|
||||
@ -357,7 +360,7 @@ jobs:
|
||||
- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
|
||||
displayName: 'Component Detection'
|
||||
inputs:
|
||||
sourceScanPath: '$(Build.SourcesDirectory)'
|
||||
sourceScanPath: '$(PowerShellRoot)\tools'
|
||||
snapshotForceEnabled: true
|
||||
|
||||
- powershell: |
|
||||
|