Merge pull request #1408 from microsoft/main

Merge 'main' into 'release-cpptools'

.github/workflows/Build-And-Test.yml

@@ -22,20 +22,20 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
     - name: Install .NET Core
-      uses: actions/setup-dotnet@v1
+      uses: actions/setup-dotnet@v3
       with:
         dotnet-version: 6.0.x
 
     - name: Setup MSBuild.exe
-      uses: microsoft/setup-msbuild@v1.0.2
+      uses: microsoft/setup-msbuild@v1.1
 
     - name: Setup NuGet.exe for use with actions
-      uses: NuGet/setup-nuget@v1.0.5
+      uses: NuGet/setup-nuget@v1
 
     - name: Build MIDebugEngine
       run: |
@@ -44,7 +44,7 @@ jobs:
         Configuration: ${{ matrix.configuration }}
 
     - name: Setup VSTest.console.exe
-      uses: darenm/Setup-VSTest@v1
+      uses: darenm/Setup-VSTest@v1.2
 
     - name: Run VS Extension tests
       run: vstest.console.exe ${{ github.workspace }}\bin\${{ matrix.configuration }}\MICoreUnitTests.dll ${{ github.workspace }}\bin\${{ matrix.configuration }}\JDbgUnitTests.dll ${{ github.workspace }}\bin\${{ matrix.configuration }}\SSHDebugTests.dll ${{ github.workspace }}\bin\${{ matrix.configuration }}\MIDebugEngineUnitTests.dll
@@ -54,20 +54,20 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
     - name: Install .NET Core
-      uses: actions/setup-dotnet@v1
+      uses: actions/setup-dotnet@v3
       with:
         dotnet-version: 6.0.x
 
     - name: Setup MSBuild.exe
-      uses: microsoft/setup-msbuild@v1.0.2
+      uses: microsoft/setup-msbuild@v1.1
 
     - name: Setup NuGet.exe for use with actions
-      uses: NuGet/setup-nuget@v1.0.5
+      uses: NuGet/setup-nuget@v1
 
     - name: Build MIDebugEngine
       run: |
@@ -102,7 +102,7 @@ jobs:
         dotnet test $CppTestsPath --logger "trx;LogFileName=$ResultsPath"
 
     - name: 'Upload Test Results'
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v3
       if: ${{ always() }}
       with:
         name: win_msys2_x64_results
@@ -112,12 +112,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
     - name: Install .NET Core
-      uses: actions/setup-dotnet@v1
+      uses: actions/setup-dotnet@v3
       with:
         dotnet-version: 6.0.x
 
@@ -143,7 +143,7 @@ jobs:
         ${{ github.workspace }}/eng/Scripts/CI-Test.sh
 
     - name: 'Upload Test Results'
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v3
       if: ${{ always() }}
       with:
         name: linux_x64_results
@@ -153,12 +153,12 @@ jobs:
     runs-on: macos-latest
     steps:
     - name: Checkout
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         fetch-depth: 0
 
     - name: Install .NET Core
-      uses: actions/setup-dotnet@v1
+      uses: actions/setup-dotnet@v3
       with:
         dotnet-version: 6.0.x
 
@@ -172,7 +172,7 @@ jobs:
         ${{ github.workspace }}/eng/Scripts/CI-Test.sh
 
     - name: 'Upload Test Results'
-      uses: actions/upload-artifact@v2
+      uses: actions/upload-artifact@v3
       if: ${{ always() }}
       with:
         name: osx_x64_results

SECURITY.md

@@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.8 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
+
+If you prefer to submit without logging in, send email to [[email protected]](mailto:[email protected]).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->

eng/pipelines/MIDebugEngine-CI.yml

@@ -1,5 +1,15 @@
 ---
 name: $(Date:yyyMMdd).$(Rev:r)
+
+schedules:
+# Run on the 1st and 15th of every month
+- cron: 30 1 1,15 * * 
+  displayName: Biweekly Build
+  branches:
+    include:
+    - main
+  always: true # Run even if there are no code changes
+
 stages:
 - stage: CI
   dependsOn: []
@@ -8,6 +18,8 @@ stages:
     value: test
   - name: TeamName
     value: MDDDebugger
+  - name: Codeql.Enabled
+    value: true
   jobs:
   - template: ./jobs/VSEngSS-MicroBuild2022-1ES.job.yml
     parameters:

eng/pipelines/resources/TSAConfig.json

@@ -0,0 +1,9 @@
+{
+    "codebaseName": "MIEngine",
+    "notificationAliases": ["[email protected]"],
+    "instanceUrl": "https://devdiv.visualstudio.com",
+    "projectName": "DevDiv",
+    "areaPath": "DevDiv\\VS Diagnostics\\Debugger - XPlat\\Cpp",
+    "iterationPath": "DevDiv",
+    "allTools": true
+}

eng/pipelines/resources/falsepositives.gdnsuppress

@@ -0,0 +1 @@
+{}

eng/pipelines/steps/APIScan.yml

@@ -1,21 +1,33 @@
 parameters:
-  FolderToScan: '$(Pipeline.Workspace)\Lab.Release'
+  SourceFolder: '$(Pipeline.Workspace)\Lab.Release'
 
 steps:
 - task: CopyFiles@2
   displayName: 'Copy Files to: $(Pipeline.Workspace)\ApiScanFiles'
   inputs:
-    SourceFolder: ${{ parameters.FolderToScan }}
+    SourceFolder: ${{ parameters.SourceFolder }}
     Contents: |
       **\*Microsoft@(*.dll|*.pdb|*.exe)
-      **\*Newtonsoft@(*.dll|*.pdb|*.exe)
       **\*OpenDebugAD7@(*.dll|*.pdb|*.exe)
       **\*WindowsDebugLauncher@(*.dll|*.pdb|*.exe)
+      **\Microsoft.VisualStudio.Debugger.Interop.UnixPortSupplier.DesignTime.dll
       !**\*.resources.dll
+      !**\Microsoft.VisualStudio.Debugger.Interop*
+      !**\vscode\Microsoft.VisualStudio.Interop.dll
+      !**\vscode\Microsoft.VisualStudio.Shared.VSCodeDebugProtocol.dll
     TargetFolder: '$(Pipeline.Workspace)\ApiScanFiles'
     CleanTargetFolder: true
     OverWrite: true
 
+# This gets excluded by !**\Microsoft.VisualStudio.Debugger.Interop* but we create Microsoft.VisualStudio.Debugger.Interop.UnixPortSupplier.DesignTime.dll.
+- task: CopyFiles@2
+  displayName: 'Copy UnixPortSupplier to: $(Pipeline.Workspace)\ApiScanFiles'
+  inputs:
+    SourceFolder: ${{ parameters.SourceFolder }}
+    Contents: |
+      **\Microsoft.VisualStudio.Debugger.Interop.UnixPortSupplier.DesignTime.dll
+    TargetFolder: '$(Pipeline.Workspace)\ApiScanFiles'
+
 - task: securedevelopmentteam.vss-secure-development-tools.build-task-apiscan.APIScan@2
   displayName: 'Run APIScan'
   inputs:

eng/pipelines/steps/PostAnalysis.yml

@@ -0,0 +1,19 @@
+parameters:
+  GdnSuppressionFiles: $(Build.SourcesDirectory)\eng\pipelines\resources\falsepositives.gdnsuppress
+
+steps:
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+  displayName: 🏋️‍♀️ Break on compliance issues
+  inputs:
+    GdnBreakAllTools: true
+    GdnBreakSuppressionFiles: ${{ parameters.GdnSuppressionFiles }}
+    GdnBreakSuppressionSets: falsepositives
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+  displayName: 📝 Generate Guardian Suppressions File
+  inputs:
+    GdnBreakAllTools: true
+    GdnBreakOutputSuppressionFile: $(Build.ArtifactStagingDirectory)\GuardianSuppressions
+    GdnBreakOutputSuppressionSet: falsepositives
+  continueOnError: true
+  condition: failed()

eng/pipelines/tasks/AntiMalware.yml

@@ -0,0 +1,21 @@
+parameters:
+  SourcePath: $(Build.SourcesDirectory)
+  ArtifactPath: $(Pipeline.Workspace)
+
+steps:
+- task: AntiMalware@4
+  displayName: 🔎 Run AntiMalware on source
+  inputs:
+    InputType: Basic
+    ScanType: CustomScan
+    FileDirPath: ${{ parameters.SourcePath }}
+  continueOnError: true
+
+- task: AntiMalware@4
+  displayName: 🔎 Run AntiMalware on artifacts
+  inputs:
+    InputType: Basic
+    ScanType: CustomScan
+    FileDirPath: ${{ parameters.ArtifactPath }}
+    DisableRemediation: false
+  continueOnError: true

eng/pipelines/tasks/CredScan.yml

@@ -3,4 +3,5 @@ steps:
   displayName: 'Run CredScan'
   inputs:
     outputFormat: pre
-    debugMode: false
+    debugMode: false
+  continueOnError: true

eng/pipelines/tasks/PSScriptAnalyzer.yml

@@ -0,0 +1,7 @@
+steps:
+- task: PSScriptAnalyzer@1
+  displayName: 🔎 Run PSScriptAnalyzer
+  inputs:
+    Path: '$(Build.SourcesDirectory)'
+    Settings: required
+    Recurse: true

eng/pipelines/tasks/TSAUpload.yml

@@ -0,0 +1,10 @@
+parameters:
+  TSAConfigFilePath: $(Build.SourcesDirectory)\eng\pipelines\resources\TSAconfig.json 
+
+steps:
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@2
+  displayName: 📢 Create bugs for compliance tools results
+  inputs:
+    GdnPublishTsaOnboard: true
+    GdnPublishTsaConfigFile: ${{ parameters.TSAConfigFilePath }}  # All relevant settings are in this file.
+  condition: succeededOrFailed()

eng/pipelines/templates/CodeAnalysis.template.yml

@@ -14,13 +14,32 @@ steps:
   parameters:
     FolderToScan: $(Pipeline.Workspace)\Lab.Release
 
+- template: ../tasks/AntiMalware.yml
+  parameters:
+    SourcePath: $(Build.SourcesDirectory)\src
+
 - template: ../tasks/BinSkim.yml
 
 - template: ../tasks/PoliCheck.yml
 
+- template: ../tasks/PSScriptAnalyzer.yml
+
 - template: ../tasks/SdtReport.yml
 
 - template: ../tasks/PublishSecurityAnalysisLogs.yml
   parameters:
     ArtifactName: 'CodeAnalysis'
+
+## Create any bugs associated with the results.
+- template: ../tasks/TSAUpload.yml
+
+## Finally, break the build if anything was found. This is so we can bring the issue to our attention.
+- template: ../steps/PostAnalysis.yml
+
+- template: ../tasks/PublishPipelineArtifact.yml
+  parameters:
+    DisplayName: 🎁 Publish Artifact for Guardian Suppressions
+    artifactName: Guardian Suppressions
+    path: $(Build.ArtifactStagingDirectory)\GuardianSuppressions
+    condition: failed()
 ...