[build] Enable CodeQL with TSA (#76751)

* [SDL] Enable CodeQL in separate pipeline with TSA * Address feedback * Move CodeQL manual tasks * [build] Move internal variables to template * Guard Manual CodeQL tasks with isSourceBuild
2025-06-09 09:34:49 +09:00 · 2022-10-31 20:25:26 +08:00 · 2022-10-31 20:25:26 +08:00 · f92f3c2220
commit f92f3c2220
parent 3dbc850af3
6 changed files with 97 additions and 6 deletions
--- a/.config/tsaoptions.json
+++ b/.config/tsaoptions.json
@ -0,0 +1,10 @@
+{
+    "instanceUrl": "https://devdiv.visualstudio.com/",
+    "template": "TFSDEVDIV",
+    "projectName": "DEVDIV",
+    "areaPath": "DevDiv\\NET Libraries",
+    "iterationPath": "DevDiv",
+    "notificationAliases": [ "runtimerepo-infra@microsoft.com" ],
+    "repositoryName": "Runtime",
+    "codebaseName": "Runtime"
+}
--- a/eng/common/templates/job/job.yml
+++ b/eng/common/templates/job/job.yml
@ -227,4 +227,3 @@ jobs:
        PackageVersion: ${{ parameters.packageVersion}}
        BuildDropPath: ${{ parameters.buildDropPath }}
        IgnoreDirectories: ${{ parameters.componentGovernanceIgnoreDirectories }}
-
--- a/eng/pipelines/common/global-build-job.yml
+++ b/eng/pipelines/common/global-build-job.yml
@ -32,6 +32,7 @@ parameters:
  enableRichCodeNavigation: false
  richCodeNavigationLanguage: 'csharp'
  richCodeNavigationEnvironment: 'production'
+  isManualCodeQLBuild: false

 jobs:
 - template: /eng/common/templates/job/job.yml
@ -162,13 +163,23 @@ jobs:
        inputs:
          filePath: $(Build.SourcesDirectory)/eng/pipelines/mono/update-machine-certs.ps1

+
    # Build
    - ${{ if eq(parameters.isSourceBuild, false) }}:
+      - ${{ if eq(parameters.isManualCodeQLBuild, true) }}:
+        - task: CodeQL3000Init@0
+          displayName: Initialize CodeQL (manually-injected)
+
      - script: $(_sclEnableCommand) $(Build.SourcesDirectory)$(dir)build$(scriptExt) -ci -arch ${{ parameters.archType }} $(_osParameter) ${{ parameters.buildArgs }} $(_officialBuildParameter) $(_crossBuildPropertyArg) $(_cxx11Parameter) $(_richCodeNavigationParam) $(_buildDarwinFrameworksParameter) $(_overrideTestScriptWindowsCmdParameter)
        displayName: Build product
        ${{ if eq(parameters.useContinueOnErrorDuringBuild, true) }}:
          continueOnError: ${{ parameters.shouldContinueOnError }}

+      - ${{ if eq(parameters.isManualCodeQLBuild, true) }}:
+        - task: CodeQL3000Finalize@0
+          displayName: Finalize CodeQL (manually-injected)
+    #endif isSourceBuild
+
    - ${{ if in(parameters.osGroup, 'OSX', 'iOS', 'tvOS', 'Android') }}:
      - script: |
          du -sh $(Build.SourcesDirectory)/*
--- a/eng/pipelines/common/internal-variables.yml
+++ b/eng/pipelines/common/internal-variables.yml
@ -0,0 +1,8 @@
+parameters:
+  teamName: ''
+
+variables:
+  - name: TeamName
+    value: ${{ parameters.teamName }}
+  - name: PostBuildSign
+    value: true
--- a/eng/pipelines/runtime-codeql.yml
+++ b/eng/pipelines/runtime-codeql.yml
@ -0,0 +1,65 @@
+trigger:
+  none
+
+schedules:
+  - cron: 0 12 * * 1
+    displayName: Weekly Monday CodeQL/Semmle run
+    branches:
+      include:
+      - main
+    always: true
+
+variables:
+  - template: /eng/pipelines/common/variables.yml
+  - name: Codeql.Enabled
+    value: True
+  - name: Codeql.Cadence
+    value: 0
+  - name: Codeql.TSAEnabled
+    value: True
+  - name: Codeql.BuildIdentifier
+    value: $(System.JobDisplayName)
+  - name: Codeql.Language
+    value: cpp,csharp,java,python
+
+extends:
+  template:  /eng/pipelines/common/templates/pipeline-with-resources.yml
+  parameters:
+    stages:
+    - stage: Build
+      jobs:
+
+      #
+      # Build CoreCLR runtime packs
+      #
+      - template: /eng/pipelines/common/platform-matrix.yml
+        parameters:
+          jobTemplate: /eng/pipelines/common/global-build-job.yml
+          buildConfig: release
+          platforms:
+          - Linux_x64
+          - windows_x64
+          jobParameters:
+            buildArgs: -s clr+libs+host+packs -c $(_BuildConfig)
+            nameSuffix: AllSubsets_CoreCLR
+            isOfficialBuild: ${{ variables.isOfficialBuild }}
+            timeoutInMinutes: 360
+            isManualCodeQLBuild: true
+
+      #
+      # Build Mono runtime packs
+      #
+      - template: /eng/pipelines/common/platform-matrix.yml
+        parameters:
+          jobTemplate: /eng/pipelines/common/global-build-job.yml
+          buildConfig: release
+          runtimeFlavor: mono
+          platforms:
+          - Linux_x64
+          - windows_x64
+          jobParameters:
+            buildArgs: -s mono+libs+host+packs+mono.mscordbi -c $(_BuildConfig)
+            nameSuffix: AllSubsets_Mono
+            isOfficialBuild: ${{ variables.isOfficialBuild }}
+            timeoutInMinutes: 360
+            isManualCodeQLBuild: true
--- a/eng/pipelines/runtime-official.yml
+++ b/eng/pipelines/runtime-official.yml
@ -24,11 +24,9 @@ pr: none

 variables:
 - template: /eng/pipelines/common/variables.yml
-# TODO: (Consolidation) Switch away from old signing/validation variables from former Core-Setup. https://github.com/dotnet/runtime/issues/1027
- name: TeamName
-  value: dotnet-core-acquisition
- name: PostBuildSign
-  value: true
+- template: /eng/pipelines/common/internal-variables.yml
+  parameters:
+    teamName: dotnet-core-acquisition

 extends:
  template:  /eng/pipelines/common/templates/pipeline-with-resources.yml