move to new signing process for release build and prep for 1.20.0 (#1625)

* Move to new compliance and signing infrastructure

* bump version to 1.20.0

* change to use allowlist in documentation and tests

Author: JamesWTruher

.ci/releaseBuild.yml

@@ -0,0 +1,199 @@
+# The name of the build that will be seen in mscodehub
+name: PSSA-Release-$(Build.BuildId)
+# how is the build triggered
+# since this is a release build, no trigger as it's a manual release
+trigger: none
+
+pr:
+  branches:
+    include:
+    - master
+    - release*
+
+# variables to set in the build environment
+variables:
+  DOTNET_CLI_TELEMETRY_OPTOUT: 1
+  POWERSHELL_TELEMETRY_OPTOUT: 1
+
+# since this build relies on templates, we need access to those
+# This needs a service connection in the build to work
+# the *name* of the service connection must be the same as the endpoint
+resources:
+  repositories:
+  - repository: ComplianceRepo
+    type: github
+    endpoint: ComplianceGHRepo
+    name: PowerShell/compliance
+    # this can be any branch of your choosing
+    ref: master
+
+# the stages in this build. There are 2
+# the assumption for script analyzer is that test is done as part of
+# CI so we needn't do it here
+stages:
+- stage: Build
+  displayName: Build
+  pool:
+    name: Package ES CodeHub Lab E
+  jobs:
+  - job: Build_Job
+    displayName: Build Microsoft.PowerShell.ScriptAnalyzer
+    # note the variable reference to ESRP.
+    # this must be created in Project -> Pipelines -> Library -> VariableGroups
+    # where it describes the link to the SigningServer
+    variables:
+    - group: ESRP
+    steps:
+    - checkout: self
+
+    # the steps for building the module go here
+    - pwsh: |
+        Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
+        try { ./build.ps1 -Configuration Release -All } catch { throw $_ }
+      displayName: Execute build
+
+    # these are setting vso variables which will be persisted between stages
+    - pwsh: |
+        $signSrcPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/out"
+        # Set signing src path variable
+        $vstsCommandString = "vso[task.setvariable variable=signSrcPath]${signSrcPath}"
+        Write-Host "sending $vstsCommandString"
+        Write-Host "##$vstsCommandString"
+
+        $signOutStep1 = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Step1"
+        $null = New-Item -ItemType Directory -Path $signOutStep1
+        # Set signing out path variable
+        $vstsCommandString = "vso[task.setvariable variable=signOutStep1]${signOutStep1}"
+        Write-Host "sending $vstsCommandString"
+        Write-Host "##$vstsCommandString"
+
+        $signOutPath = "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/signed"
+        $null = New-Item -ItemType Directory -Path $signOutPath
+        # Set signing out path variable
+        $vstsCommandString = "vso[task.setvariable variable=signOutPath]${signOutPath}"
+        Write-Host "sending $vstsCommandString"
+        Write-Host "##$vstsCommandString"
+
+        # Set path variable for guardian codesign validation
+        $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${signOutPath}"
+        Write-Host "sending $vstsCommandString"
+        Write-Host "##$vstsCommandString"
+
+        # Get version and create a variable
+        $moduleData = Import-PowerShellDataFile "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/Engine/PSScriptAnalyzer.psd1"
+        $moduleVersion = $moduleData.ModuleVersion
+        $vstsCommandString = "vso[task.setvariable variable=moduleVersion]${moduleVersion}"
+        Write-Host "sending $vstsCommandString"
+        Write-Host "##$vstsCommandString"
+
+
+      displayName: Setup variables for signing
+
+    # checkout the Compliance repository so it can be used to do the actual signing
+    - checkout: ComplianceRepo
+
+    # in script analyzer, we must sign with 2 different certs
+    # the normal cert for MS created items and the 3rd party cert
+    # this the MS authored step
+    # Because this needs 2 certs, we do it in 2 steps.
+    # the first step signs the binaries and puts them in a staging directory which
+    # will then be used for the second step. 
+    - template: EsrpSign.yml@ComplianceRepo
+      parameters:
+        # the folder which contains the binaries to sign
+        buildOutputPath: $(signSrcPath)
+        # the location to put the signed output
+        signOutputPath: $(signOutStep1)
+        # the certificate ID to use
+        certificateId: "CP-230012"
+        # use minimatch because we need to exclude the NewtonSoft assembly
+        useMinimatch: true
+        # the file pattern to use - newtonSoft is excluded
+        pattern: |
+          **\*.psd1
+          **\*.psm1
+          **\*.ps1xml
+          **\Microsoft*.dll
+
+    # this is the second step of the signing.
+    # note that the buildOutputPath (where we get the files to sign)
+    # is the same as the signOutputPath in the previous step
+    # at the end of this step we will have all the files signed that should be
+    # signOutPath is the location which contains the files we will use to make the module
+    - template: EsrpSign.yml@ComplianceRepo
+      parameters:
+        # the folder which contains the binaries to sign
+        buildOutputPath: $(signOutStep1)
+        # the location to put the signed output
+        signOutputPath: $(signOutPath)
+        # the certificate ID to use
+        # we'll need to change this to the 3rd party cert id
+        certificateId: "CP-231522"
+        # the file pattern to use - only sign newtonsoft
+        pattern: 'Newtonsoft*.dll'
+
+    # now create the nupkg which we will use to publish the module
+    # to the powershell gallery (not part of this yaml)
+    - pwsh: |
+        Set-Location "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
+        ./build -BuildNupkg -signed
+      displayName: Create nupkg for publishing
+
+    # finally publish the parts of the build which will be used in the next stages
+    # if it's not published, the subsequent stages will not be able to access it.
+    # This is the build directory (it contains all of the dll/pdb files)
+    - publish: "$(Build.SourcesDirectory)/OSS_Microsoft_PSSA"
+      artifact: build
+      displayName: publish build directory
+
+      # export the nupkg only which will be used in the release pipeline
+    - publish: "$(signOutPath)/PSScriptAnalyzer.$(moduleVersion).nupkg"
+      artifact: nupkg
+      displayName: Publish module nupkg
+
+# Now on to the compliance stage
+- stage: compliance
+  displayName: Compliance
+  dependsOn: Build
+  jobs:
+  - job: Compliance_Job
+    pool:
+      name: Package ES CodeHub Lab E
+    steps:
+    - checkout: self
+    - checkout: ComplianceRepo
+    - download: current
+      artifact: build
+
+    # use the templates in the compliance repo
+    # since script analyzer has modules, we're using the assembly-module-compliance template
+    # if you don't have assemblies, you should use script-module-compliance template
+    - template: assembly-module-compliance.yml@ComplianceRepo
+      parameters:
+        # component-governance - the path to sources
+        sourceScanPath: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA'
+        # binskim - this isn't recursive, so you need the path to the assemblies
+        AnalyzeTarget: '$(Pipeline.Workspace)\build\bin\PSV7Release\netcoreapp3.1\*.dll'
+        # credscan - scan the repo for credentials
+        # you can suppress some files with this.
+        suppressionsFile: '$(Build.SourcesDirectory)/OSS_Microsoft_PSSA/tools/ReleaseBuild/CredScan.Suppressions.json'
+        # TermCheck
+        optionsRulesDBPath: ''
+        optionsFTPath: ''
+        # tsa-upload
+        # the compliance scanning must be uploaded, which you need to request
+        codeBaseName: 'PSSA_202004'
+        # selections
+        APIScan: false # set to false when not using Windows APIs.
+
+#- template: template/publish.yml
+#  parameters:
+#    stageName: AzArtifactsFeed
+#    environmentName:
+#    feedCredential:
+
+#- template: template/publish.yml
+#  parameters:
+#    stageName: NuGet
+#    environmentName: PSMarkdownRenderNuGetApproval
+#    feedCredential: NugetOrgPush

Engine/Engine.csproj

@@ -1,10 +1,10 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <VersionPrefix>1.19.1</VersionPrefix>
+    <VersionPrefix>1.20.0</VersionPrefix>
     <TargetFrameworks>netcoreapp3.1;net452</TargetFrameworks>
     <AssemblyName>Microsoft.Windows.PowerShell.ScriptAnalyzer</AssemblyName>
-    <AssemblyVersion>1.19.1</AssemblyVersion>
+    <AssemblyVersion>1.20.0</AssemblyVersion>
     <PackageId>Engine</PackageId>
     <RootNamespace>Microsoft.Windows.PowerShell.ScriptAnalyzer</RootNamespace> <!-- Namespace needs to match Assembly name for ressource binding -->
   </PropertyGroup>

Engine/PSScriptAnalyzer.psd1

@@ -11,7 +11,7 @@ Author = 'Microsoft Corporation'
 RootModule = 'PSScriptAnalyzer.psm1'
 
 # Version number of this module.
-ModuleVersion = '1.19.1'
+ModuleVersion = '1.20.0'
 
 # ID used to uniquely identify this module
 GUID = 'd6245802-193d-4068-a631-8863a4342a18'

PSCompatibilityCollector/Microsoft.PowerShell.CrossCompatibility/Microsoft.PowerShell.CrossCompatibility.csproj

@@ -1,9 +1,9 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <VersionPrefix>1.19.1</VersionPrefix>
+    <VersionPrefix>1.20.0</VersionPrefix>
     <TargetFrameworks>netstandard2.0;net452</TargetFrameworks>
-    <AssemblyVersion>1.19.1</AssemblyVersion>
+    <AssemblyVersion>1.20.0</AssemblyVersion>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">

RuleDocumentation/AvoidUsingCmdletAliases.md

@@ -28,7 +28,7 @@ To prevent `PSScriptAnalyzer` from flagging your preferred aliases, create an al
 @{
     'Rules' = @{
         'PSAvoidUsingCmdletAliases' = @{
-            'Whitelist' = @('cd')
+            'allowlist' = @('cd')
         }
     }
 }

Rules/Rules.csproj

@@ -1,10 +1,10 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
-    <VersionPrefix>1.19.1</VersionPrefix>
+    <VersionPrefix>1.20.0</VersionPrefix>
     <TargetFrameworks>netcoreapp3.1;net452</TargetFrameworks>
     <AssemblyName>Microsoft.Windows.PowerShell.ScriptAnalyzer.BuiltinRules</AssemblyName>
-    <AssemblyVersion>1.19.1</AssemblyVersion>
+    <AssemblyVersion>1.20.0</AssemblyVersion>
     <PackageId>Rules</PackageId>
     <RootNamespace>Microsoft.Windows.PowerShell.ScriptAnalyzer</RootNamespace> <!-- Namespace needs to match Assembly name for ressource binding -->
   </PropertyGroup>

Tests/Engine/Settings.tests.ps1

@@ -109,23 +109,23 @@ Describe "Settings Class" {
             $settingsHashtable = @{
                 Rules = @{
                     PSAvoidUsingCmdletAliases = @{
-                        WhiteList = @("cd", "cp")
+                        allowlist = @("cd", "cp")
                     }
                 }
             }
             $settings = New-Object -TypeName $settingsTypeName -ArgumentList $settingsHashtable
         }
 
         It "Should return the rule arguments" {
-            $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["WhiteList"].Count | Should -Be 2
-            $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["WhiteList"][0] | Should -Be "cd"
-            $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["WhiteList"][1] | Should -Be "cp"
+            $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["allowlist"].Count | Should -Be 2
+            $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["allowlist"][0] | Should -Be "cd"
+            $settings.RuleArguments["PSAvoidUsingCmdletAliases"]["allowlist"][1] | Should -Be "cp"
         }
 
         It "Should Be case insensitive" {
-            $settings.RuleArguments["psAvoidUsingCmdletAliases"]["whiteList"].Count | Should -Be 2
-            $settings.RuleArguments["psAvoidUsingCmdletAliases"]["whiteList"][0] | Should -Be "cd"
-            $settings.RuleArguments["psAvoidUsingCmdletAliases"]["whiteList"][1] | Should -Be "cp"
+            $settings.RuleArguments["psAvoidUsingCmdletAliases"]["allowlist"].Count | Should -Be 2
+            $settings.RuleArguments["psAvoidUsingCmdletAliases"]["allowlist"][0] | Should -Be "cd"
+            $settings.RuleArguments["psAvoidUsingCmdletAliases"]["allowlist"][1] | Should -Be "cp"
         }
     }
 

Tests/Engine/SettingsTest/Issue828/PSScriptAnalyzerSettings.psd1

@@ -15,7 +15,7 @@
         }
         PSAvoidUsingCmdletAliases  = @{
             # only allowlist verbs from *-Object cmdlets
-            Whitelist = @(
+            allowlist = @(
                 '%',
                 '?',
                 'compare',
@@ -60,4 +60,4 @@
             CheckSeparator = $true
         }
     }
-}
+}

Tests/Engine/SettingsTest/Project1/ExplicitSettings.psd1

@@ -3,7 +3,7 @@
     "ExcludeRules" = @("PSShouldProcess", "PSAvoidUsingWMICmdlet", "PSUseCmdletCorrectly")
     "rules"        = @{
         PSAvoidUsingCmdletAliases  = @{
-            WhiteList = @("cd", "cp")
+            allowlist = @("cd", "cp")
         }
 
         PSUseConsistentIndentation = @{

Tests/Rules/AvoidUsingAlias.tests.ps1

@@ -73,7 +73,7 @@ Configuration MyDscConfiguration {
             $settings = @{
                 'Rules' = @{
                     'PSAvoidUsingCmdletAliases' = @{
-                        'Whitelist' = @('cd')
+                        'allowlist' = @('cd')
                     }
                 }
             }
@@ -83,7 +83,7 @@ Configuration MyDscConfiguration {
             $settings = @{
                 'Rules' = @{
                     'PSAvoidUsingCmdletAliases' = @{
-                        'Whitelist' = @('cd')
+                        'allowlist' = @('cd')
                     }
                 }
             }

Tests/Rules/TestSettings/AvoidAliasSettings.psd1

@@ -1,7 +1,7 @@
 @{
     'Rules' = @{
         'PSAvoidUsingCmdletAliases' = @{
-            'Whitelist' = @('cd')
+            'allowlist' = @('cd')
         }
     }
-}
+}

build.ps1

@@ -37,7 +37,13 @@ param(
     [switch] $Bootstrap,
 
     [Parameter(ParameterSetName='BuildAll')]
-    [switch] $Catalog
+    [switch] $Catalog,
+
+    [Parameter(ParameterSetName='Package')]
+    [switch] $BuildNupkg,
+
+    [Parameter(ParameterSetName='Package')]
+    [switch] $Signed
 
 )
 
@@ -85,6 +91,9 @@ END {
             Install-DotNet
             return
         }
+        "Package" {
+            Start-CreatePackage -signed:$Signed
+        }
         "Test" {
             Test-ScriptAnalyzer -InProcess:$InProcess
             return