Fixing in-proc pipeline (#4250)

aishwaryabh · web-flow · commit afc2423450e2 · 2025-02-07T14:52:01.000-08:00
* add check for security vulnerability

* fixing inproc pipeline

* updating pipeline utilities to be the same

* skipping dotnetZip cve

* updating version to be latest

* skipping npm install for unit test

* changing working directory

* changing build sched

* my cat deleted the extra 2 by stepping on my keyboard lol

* fixing typo

* update actual pipeline with working directory changes
diff --git a/check-vulnerabilities.ps1 b/check-vulnerabilities.ps1
@@ -1,33 +1,59 @@
-$projectPath = ".\src\Azure.Functions.Cli"
 $projectFileName = ".\Azure.Functions.Cli.csproj"
 $logFilePath = "..\..\build.log"
-if (-not (Test-Path $projectPath))
-{
-    throw "Project path '$projectPath' does not exist."
-}
+$skipCveFilePath = "..\..\skipPackagesCve.json"
 
-cd $projectPath
 
 $cmd = "restore"
 Write-Host "dotnet $cmd"
 dotnet $cmd | Tee-Object $logFilePath
 
-$cmd = "list", "package", "--include-transitive", "--vulnerable"
+$cmd = "list", "package", "--include-transitive", "--vulnerable", "--format", "json"
 Write-Host "dotnet $cmd"
 dotnet $cmd | Tee-Object $logFilePath
 
-$result = Get-content $logFilePath | select-string "has no vulnerable packages given the current sources"
+# Parse JSON output
+$logContent = Get-Content $logFilePath -Raw | ConvertFrom-Json
+$topLevelPackages = $logContent.projects.frameworks.topLevelPackages
 
-$logFileExists = Test-Path $logFilePath -PathType Leaf
-if ($logFileExists)
-{
-  Remove-Item $logFilePath
+# Load skip-cve.json
+$skipCveContent = Get-Content $skipCveFilePath -Raw | ConvertFrom-Json
+$skipPackages = $skipCveContent.packages
+
+# Validate files in skipPackagesCve.json are still valid security vulnerabilities
+$topLevelPackageIds = $topLevelPackages.id
+$invalidSkips = $skipPackages | Where-Object { $_ -notin $topLevelPackageIds }
+
+if ($invalidSkips.Count -gt 0) {
+    Write-Host "The following packages in 'skipPackagesCve.json' do not exist in the vulnerable packages list: $($invalidSkips -join ', '). Please remove these packages from the JSON file."
+    Exit 1
+}
+
+# Filter vulnerabilities
+$vulnerablePackages = @()
+foreach ($package in $topLevelPackages) {
+    if ($skipPackages -notcontains $package.id) {
+        $vulnerablePackages += $package
+    }
 }
 
-cd ../..
+# Check for remaining vulnerabilities
+if ($vulnerablePackages.Count -gt 0) {
+    Write-Host "Security vulnerabilities found (excluding skipped packages):"
+    $vulnerablePackages | ForEach-Object {
+        Write-Host "Package: $($_.id)"
+        Write-Host "Version: $($_.resolvedVersion)"
+        $_.vulnerabilities | ForEach-Object {
+            Write-Host "Severity: $($_.severity)"
+            Write-Host "Advisory: $($_.advisoryurl)"
+        }
+    }
+    Exit 1
+} else {
+    Write-Host "No security vulnerabilities found (excluding skipped packages)."
+}
 
-if (!$result)
+$logFileExists = Test-Path $logFilePath -PathType Leaf
+if ($logFileExists)
 {
-  Write-Host "Vulnerabilities found" 
-  Exit 1
+  Remove-Item $logFilePath
 }
diff --git a/eng/ci/templates/official/jobs/build-test.yml b/eng/ci/templates/official/jobs/build-test.yml
@@ -82,9 +82,11 @@ jobs:
       .\validateWorkerVersions.ps1
     displayName: 'Validate worker versions'
     condition: ne(variables['skipWorkerVersionValidation'], 'true')
-  - pwsh: |
-      .\check-vulnerabilities.ps1
-    displayName: "Check for security vulnerabilities"
+  - task: PowerShell@2
+    displayName: "Run Check Vulnerabilities Script"
+    inputs:
+      filePath: '$(Build.SourcesDirectory)/check-vulnerabilities.ps1'
+      workingDirectory: '$(Build.SourcesDirectory)/src/Azure.Functions.Cli'
   - pwsh: |
       .\build.ps1
     env:
@@ -96,9 +98,6 @@ jobs:
       TELEMETRY_INSTRUMENTATION_KEY: $(TELEMETRY_INSTRUMENTATION_KEY)
       IntegrationBuildNumber: $(INTEGRATIONBUILDNUMBER)
     displayName: 'Executing build script'
-  - pwsh: |
-      .\check-vulnerabilities.ps1
-    displayName: "Check for security vulnerabilities"
 
   - template: ci/sign-files.yml@eng
     parameters:
diff --git a/eng/ci/templates/public/jobs/build-test-public.yml b/eng/ci/templates/public/jobs/build-test-public.yml
@@ -43,7 +43,11 @@ jobs:
   - pwsh: |
       .\validateWorkerVersions.ps1
     displayName: 'Validate worker versions'
-    condition: ne(variables['skipWorkerVersionValidation'], 'true')
+  - task: PowerShell@2
+    displayName: "Run Check Vulnerabilities Script"
+    inputs:
+      filePath: '$(Build.SourcesDirectory)/check-vulnerabilities.ps1'
+      workingDirectory: '$(Build.SourcesDirectory)/src/Azure.Functions.Cli'
   - pwsh: |
       .\build.ps1
     env:
@@ -53,9 +57,6 @@ jobs:
       IsPublicBuild: true
       IsCodeqlBuild: false
     displayName: 'Executing build script'
-  - pwsh: |
-      .\check-vulnerabilities.ps1
-    displayName: "Check for security vulnerabilities"
   - task: PublishTestResults@2
     inputs:
       testResultsFormat: 'VSTest'
diff --git a/pipelineUtilities.psm1 b/pipelineUtilities.psm1
@@ -74,8 +74,8 @@ $DotnetSDKVersionRequirements = @{
     }
     # Update .NET 9 patch once .NET 9 has been released out of preview
     '9.0' = @{
-        MinimalPatch = '100-preview.6.24328.19'
-        DefaultPatch = '100-preview.6.24328.19'
+        MinimalPatch = '100-rc.1.24452.12'
+        DefaultPatch = '100-rc.1.24452.12'
 
     }
 }
@@ -124,7 +124,7 @@ function Install-DotnetVersion($Version,$Channel) {
     if ($IsWindows) {
         & .\$installScript -InstallDir "$env:ProgramFiles/dotnet" -Channel $Channel -Version $Version
         # Installing .NET into x86 directory since the E2E App runs the tests on x86 and looks for the specified framework there
-        & .\$installScript -InstallDir "$env:ProgramFiles (x86)/dotnet" -Channel $Channel -Version $Version
+        & .\$installScript -InstallDir "$env:ProgramFiles (x86)/dotnet" -Channel $Channel -Version $Version  -Architecture x86
     } else {
         bash ./$installScript --install-dir /usr/share/dotnet -c $Channel -v $Version
     }
diff --git a/skipPackagesCve.json b/skipPackagesCve.json
@@ -0,0 +1,5 @@
+{
+  "packages": [
+    "DotNetZip"
+  ]
+}
diff --git a/src/Azure.Functions.Cli/Azure.Functions.Cli.csproj b/src/Azure.Functions.Cli/Azure.Functions.Cli.csproj
@@ -1,4 +1,4 @@
-﻿<Project Sdk="Microsoft.NET.Sdk" InitialTargets="ExcludeWorkersFromReadyToRun">
+<Project Sdk="Microsoft.NET.Sdk" InitialTargets="ExcludeWorkersFromReadyToRun">
   <PropertyGroup>
     <OutputType>Exe</OutputType>
     <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
@@ -66,9 +66,9 @@
     <EmbeddedResource Include="StaticResources\Dockerfile.dotnet8Isolated">
       <LogicalName>$(AssemblyName).Dockerfile.dotnet8Isolated</LogicalName>
     </EmbeddedResource>
-	<EmbeddedResource Include="StaticResources\Dockerfile.dotnet9Isolated">
+    <EmbeddedResource Include="StaticResources\Dockerfile.dotnet9Isolated">
       <LogicalName>$(AssemblyName).Dockerfile.dotnet9Isolated</LogicalName>
-	</EmbeddedResource>
+    </EmbeddedResource>
     <EmbeddedResource Include="StaticResources\ExtensionsProj.csproj.template">
       <LogicalName>$(AssemblyName).ExtensionsProj.csproj</LogicalName>
     </EmbeddedResource>
@@ -287,15 +287,14 @@
     <PackageReference Include="Microsoft.ApplicationInsights" Version="2.22.0" />
     <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="2.2.0" />
     <PackageReference Include="Microsoft.Azure.DurableTask.AzureStorage.Internal" Version="1.4.0" />
-    <PackageReference Include="Microsoft.Azure.WebJobs.Script.WebHost" Version="4.35.4" />
+    <PackageReference Include="Microsoft.Azure.WebJobs.Script.WebHost" Version="4.37.0" />
     <PackageReference Include="Microsoft.Build" Version="17.0.0" />
     <PackageReference Include="Microsoft.Identity.Client" Version="4.61.3" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="NuGet.Packaging" Version="5.11.6" />
     <PackageReference Include="System.Formats.Asn1" Version="6.0.1" />
     <PackageReference Include="WindowsAzure.Storage" Version="9.3.1" />
     <PackageReference Include="YamlDotNet" Version="6.0.0" />
-
     <!-- Transitive dependency -->
     <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
@@ -307,12 +306,12 @@
     <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
   <ItemGroup Condition="'$(NoWorkers)' != 'true'">
-    <PackageReference Include="Microsoft.Azure.Functions.JavaWorker" Version="2.14.0" />
-    <PackageReference Include="Microsoft.Azure.Functions.NodeJsWorker" Version="3.10.0" />
+    <PackageReference Include="Microsoft.Azure.Functions.JavaWorker" Version="2.17.0" />
+    <PackageReference Include="Microsoft.Azure.Functions.NodeJsWorker" Version="3.10.1" />
     <PackageReference Include="Microsoft.Azure.Functions.PowerShellWorker.PS7.0" Version="4.0.3148" />
-    <PackageReference Include="Microsoft.Azure.Functions.PowerShellWorker.PS7.2" Version="4.0.3220" />
-    <PackageReference Include="Microsoft.Azure.Functions.PowerShellWorker.PS7.4" Version="4.0.3219" />
-    <PackageReference Include="Microsoft.Azure.Functions.PythonWorker" Version="4.29.0" />
+    <PackageReference Include="Microsoft.Azure.Functions.PowerShellWorker.PS7.2" Version="4.0.4025" />
+    <PackageReference Include="Microsoft.Azure.Functions.PowerShellWorker.PS7.4" Version="4.0.4026" />
+    <PackageReference Include="Microsoft.Azure.Functions.PythonWorker" Version="4.34.0" />
   </ItemGroup>
   <Target Name="ExcludeWorkersFromReadyToRun">
     <CreateItem Include="%(None.Filename)%(None.Extension)" Condition="$([System.String]::new('%(None.TargetPath)').StartsWith('workers'))" PreserveExistingMetadata="false">
diff --git a/test/Azure.Functions.Cli.Tests/E2E/InitTests.cs b/test/Azure.Functions.Cli.Tests/E2E/InitTests.cs
@@ -45,7 +45,7 @@ public Task init_with_worker_runtime(string workerRuntime)
 
             return CliTester.Run(new RunConfiguration
             {
-                Commands = new[] { $"init . --worker-runtime {workerRuntime}" },
+                Commands = new[] { $"init . --worker-runtime {workerRuntime} --skip-npm-install" },
                 CheckFiles = files.ToArray(),
                 OutputContains = new[]
                 {
diff --git a/validateWorkerVersions.ps1 b/validateWorkerVersions.ps1
@@ -59,7 +59,7 @@ if (-Not $hostVersion) {
 
 function getHostFileContent([string]$filePath) {
     $uri = "https://raw.githubusercontent.com/Azure/azure-functions-host/v$hostVersion/$filePath"
-    return removeBomIfExists((Invoke-WebRequest -Uri $uri -MaximumRetryCount 5 -RetryIntervalSec 2).Content)
+    return removeBomIfExists((Invoke-WebRequest -Uri $uri).Content)
 }
 $hostCsprojContent = getHostFileContent "src/WebJobs.Script/WebJobs.Script.csproj"
 $pythonPropsContent = getHostFileContent "build/python.props"

Original file line number	Diff line number	Diff line change
`@@ -74,8 +74,8 @@ $DotnetSDKVersionRequirements = @{`
`74`	`74`	`}`
`75`	`75`	`# Update .NET 9 patch once .NET 9 has been released out of preview`
`76`	`76`	`'9.0' = @{`
`77`		`- MinimalPatch = '100-preview.6.24328.19'`
`78`		`- DefaultPatch = '100-preview.6.24328.19'`
	`77`	`+ MinimalPatch = '100-rc.1.24452.12'`
	`78`	`+ DefaultPatch = '100-rc.1.24452.12'`
`79`	`79`
`80`	`80`	`}`
`81`	`81`	`}`
`@@ -124,7 +124,7 @@ function Install-DotnetVersion($Version,$Channel) {`
`124`	`124`	`if ($IsWindows) {`
`125`	`125`	`& .\$installScript -InstallDir "$env:ProgramFiles/dotnet" -Channel $Channel -Version $Version`
`126`	`126`	`# Installing .NET into x86 directory since the E2E App runs the tests on x86 and looks for the specified framework there`
`127`		`- & .\$installScript -InstallDir "$env:ProgramFiles (x86)/dotnet" -Channel $Channel -Version $Version`
	`127`	`+ & .\$installScript -InstallDir "$env:ProgramFiles (x86)/dotnet" -Channel $Channel -Version $Version -Architecture x86`
`128`	`128`	`} else {`
`129`	`129`	`bash ./$installScript --install-dir /usr/share/dotnet -c $Channel -v $Version`
`130`	`130`	`}`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ public Task init_with_worker_runtime(string workerRuntime)`
`45`	`45`
`46`	`46`	`return CliTester.Run(new RunConfiguration`
`47`	`47`	`{`
`48`		`- Commands = new[] { $"init . --worker-runtime {workerRuntime}" },`
	`48`	`+ Commands = new[] { $"init . --worker-runtime {workerRuntime} --skip-npm-install" },`
`49`	`49`	`CheckFiles = files.ToArray(),`
`50`	`50`	`OutputContains = new[]`
`51`	`51`	`{`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ if (-Not $hostVersion) {`
`59`	`59`
`60`	`60`	`function getHostFileContent([string]$filePath) {`
`61`	`61`	`$uri = "https://raw.githubusercontent.com/Azure/azure-functions-host/v$hostVersion/$filePath"`
`62`		`- return removeBomIfExists((Invoke-WebRequest -Uri $uri -MaximumRetryCount 5 -RetryIntervalSec 2).Content)`
	`62`	`+ return removeBomIfExists((Invoke-WebRequest -Uri $uri).Content)`
`63`	`63`	`}`
`64`	`64`	`$hostCsprojContent = getHostFileContent "src/WebJobs.Script/WebJobs.Script.csproj"`
`65`	`65`	`$pythonPropsContent = getHostFileContent "build/python.props"`