
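# Azure Pipelines definition for the nightly/CI SDL (Security Development Lifecycle) job.
# Runs the project build once, then the Microsoft Guardian/SDL tool chain against it:
# component governance, CredScan, Spotbugs, Semmle (non-PR only), PoliCheck, an
# anti-malware scan, then publishes the logs and gates the build on selected results.
#
# Review notes (security):
#   - $(System.AccessToken) is mapped into the environment of the Semmle step only,
#     which is the one step here that needs it; keep it scoped that way rather than
#     hoisting it to job level.
#   - Tool versions are pulled as 'Latest' (Semmle) and by major-version tag (@N) for the
#     other tasks, so the scanners themselves are not pinned; acceptable for SDL tooling,
#     but be aware results can shift without a change in this file.
#   - Only CredScan and Semmle results break the build via PostAnalysis; PoliCheck and
#     Spotbugs findings are published but do not gate here (Spotbugs gating, if any,
#     depends on the exit code of vsts/spotbugs.ps1, which is not visible in this file).
name: $(BuildID)_$(BuildDefinitionName)_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)

resources:
  - repo: self
    clean: true

jobs:
  ### SDL Tasks ###
  - job: SDL
    displayName: SDL Tasks
    condition: succeeded()
    pool:
      vmImage: windows-latest
    timeoutInMinutes: 60
    steps:
      # Build once so the downstream scanners have compiled output to look at.
      - task: Maven@3
        inputs:
          mavenPomFile: 'pom.xml'
          goals: 'install' # Need to install this to the local repo as the CG task doesn't build the project
          options: '-D"maven.test.skip=true" -D"maven.javadoc.skip=true"' # Don't run the unit tests or doc gen to save some time

      # Component Governance: inventories third-party dependencies and fails the build on
      # High (or worse) alerts.
      - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
        displayName: 'Component Detection'
        inputs:
          alertWarningLevel: High
          failOnAlert: true

      # CredScan: secret/credential detection over the checked-out sources. False positives
      # are managed in the suppressions file, not by disabling the task.
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
        displayName: CredScan
        inputs:
          debugMode: false
          suppressionsFile: vsts/CredScanSuppressions.json

      ## Spotbugs doesn't have a false positive list, but instead recommends annotating the lines of code in question
      ## with annotations like @SuppressFBWarnings("MS_SHOULD_BE_FINAL")
      - powershell: ./vsts/spotbugs.ps1
        displayName: 'Run Spotbugs'

      ## Semmle doesn't have a false positive list, but instead recommends marking the lines of code in question
      ## with "// lgtm"
      ## https://help.semmle.com/lgtm-enterprise/user/help/alert-suppression.html#suppresswarnings-annotation
      - task: Semmle@1
        # Only run this step if it isn't a pull request. Semmle only needs to run nightly
        condition: ne(variables['Build.Reason'], 'PullRequest')
        env:
          # Pipeline OAuth token, scoped to this job; exposed only to this step.
          SYSTEM_ACCESSTOKEN: $(System.AccessToken)
        inputs:
          toolVersion: 'Latest'
          sourceCodeDirectory: '$(Build.SourcesDirectory)'
          language: 'java'
          buildCommandsString: 'mvn clean install -DskipTests -T 2C --batch-mode -q'
          querySuite: 'Recommended'
          timeout: '1800'
          ram: '16384'
          addProjectDirToScanningExclusionList: true

      # PoliCheck: terminology/policy scan of the sources (targetType F = files/folder).
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
        displayName: PoliCheck
        inputs:
          targetType: F

      # Anti-malware scan of the build tree. No step in this pipeline copies anything to
      # $(Build.StagingDirectory), so scanning it would scan an empty directory and pass
      # trivially; point the scan at the sources directory instead, which contains the
      # Maven `target/` output produced by the build step above.
      - task: AntiMalware@4
        inputs:
          InputType: 'Basic'
          ScanType: 'CustomScan'
          FileDirPath: '$(Build.SourcesDirectory)'
          # Stale signatures fail the scan; a failed signature *update* only warns.
          TreatSignatureUpdateFailureAs: 'Warning'
          SignatureFreshness: 'UpToDate'
          TreatStaleSignatureAs: 'Error'

      # Publish all Guardian tool logs as build artifacts before gating on them.
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
        displayName: 'Publish Security Analysis Logs'

      # Break the build on CredScan or Semmle findings. Other tools' results are
      # published above but do not gate the build here.
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
        displayName: 'Post Analysis'
        inputs:
          CredScan: true
          Semmle: true

      # Upload results to TSA (Trust Services Automation) for tracking; config lives in the repo.
      - task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@2
        displayName: 'TSA upload'
        inputs:
          GdnPublishTsaOnboard: false
          GdnPublishTsaConfigFile: '$(Build.SourcesDirectory)/vsts/TsaUploadConfigFile.json'
          GdnPublishTsaExportedResultsPublishable: true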