From 0223a98af319a3a7cff83866ecca91ec8ea88d07 Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Wed, 27 Nov 2024 11:26:30 -0800 Subject: [PATCH 01/11] add check for security vulnerability --- eng/ci/templates/official/jobs/build-test.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/eng/ci/templates/official/jobs/build-test.yml b/eng/ci/templates/official/jobs/build-test.yml index 6025eacc4..f0bda6f2a 100644 --- a/eng/ci/templates/official/jobs/build-test.yml +++ b/eng/ci/templates/official/jobs/build-test.yml @@ -96,9 +96,6 @@ jobs: TELEMETRY_INSTRUMENTATION_KEY: $(TELEMETRY_INSTRUMENTATION_KEY) IntegrationBuildNumber: $(INTEGRATIONBUILDNUMBER) displayName: 'Executing build script' - - pwsh: | - .\check-vulnerabilities.ps1 - displayName: "Check for security vulnerabilities" - template: ci/sign-files.yml@eng parameters: From 6657cd29e6c2f6c9f3c8801790bd480cb09ed620 Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Mon, 3 Feb 2025 11:40:39 -0800 Subject: [PATCH 02/11] fixing inproc pipeline --- pipelineUtilities.psm1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pipelineUtilities.psm1 b/pipelineUtilities.psm1 index d581fe52a..bf23f1b59 100644 --- a/pipelineUtilities.psm1 +++ b/pipelineUtilities.psm1 @@ -74,8 +74,8 @@ $DotnetSDKVersionRequirements = @{ } # Update .NET 9 patch once .NET 9 has been released out of preview '9.0' = @{ - MinimalPatch = '100-preview.6.24328.19' - DefaultPatch = '100-preview.6.24328.19' + MinimalPatch = '100-rc.1.24452.12' + DefaultPatch = '100-rc.1.24452.12' } } From d7bc194e09b3a10a659a136c77400652a8d4783b Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Mon, 3 Feb 2025 12:14:24 -0800 Subject: [PATCH 03/11] updating pipeline utilities to be the same --- pipelineUtilities.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pipelineUtilities.psm1 b/pipelineUtilities.psm1 index bf23f1b59..dd6a50681 100644 --- a/pipelineUtilities.psm1 +++ b/pipelineUtilities.psm1 
@@ -124,7 +124,7 @@ function Install-DotnetVersion($Version,$Channel) { if ($IsWindows) { & .\$installScript -InstallDir "$env:ProgramFiles/dotnet" -Channel $Channel -Version $Version # Installing .NET into x86 directory since the E2E App runs the tests on x86 and looks for the specified framework there - & .\$installScript -InstallDir "$env:ProgramFiles (x86)/dotnet" -Channel $Channel -Version $Version + & .\$installScript -InstallDir "$env:ProgramFiles (x86)/dotnet" -Channel $Channel -Version $Version -Architecture x86 } else { bash ./$installScript --install-dir /usr/share/dotnet -c $Channel -v $Version } From 5e06646648abdaefa74d60d226f91881bea413bd Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Mon, 3 Feb 2025 13:32:55 -0800 Subject: [PATCH 04/11] skipping dotnetZip cve --- check-vulnerabilities.ps1 | 52 +++++++++++++++---- .../public/jobs/build-test-public.yml | 6 +-- skipPackagesCve.json | 5 ++ 3 files changed, 51 insertions(+), 12 deletions(-) create mode 100644 skipPackagesCve.json diff --git a/check-vulnerabilities.ps1 b/check-vulnerabilities.ps1 index 1db8a0fe8..e49645f05 100644 --- a/check-vulnerabilities.ps1 +++ b/check-vulnerabilities.ps1 @@ -1,6 +1,7 @@ $projectPath = ".\src\Azure.Functions.Cli" $projectFileName = ".\Azure.Functions.Cli.csproj" $logFilePath = "..\..\build.log" +$skipCveFilePath = "..\..\skipPackagesCve.json" if (-not (Test-Path $projectPath)) { throw "Project path '$projectPath' does not exist." 
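Review bot: The x86 install directory is spelled `"$env:ProgramFiles (x86)/dotnet"`, which only yields the right path because PowerShell expands `$env:ProgramFiles` and then appends the literal ` (x86)/dotnet`; the variable that actually names that directory is `"${env:ProgramFiles(x86)}/dotnet"`, and using it makes the intent explicit instead of relying on the concatenation. The added `-Architecture x86` is right for that line, but the x64 install immediately above still takes the install script's default architecture; passing `-Architecture x64` there would make the pair symmetric and independent of the host. Neither invocation's exit status is checked in the visible lines, so a failed SDK install only surfaces later when the framework is missing; the body of Install-DotnetVersion continues outside the hunk.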
@@ -12,11 +13,50 @@ $cmd = "restore" Write-Host "dotnet $cmd" dotnet $cmd | Tee-Object $logFilePath -$cmd = "list", "package", "--include-transitive", "--vulnerable" +$cmd = "list", "package", "--include-transitive", "--vulnerable", "--format", "json" Write-Host "dotnet $cmd" dotnet $cmd | Tee-Object $logFilePath -$result = Get-content $logFilePath | select-string "has no vulnerable packages given the current sources" +# Parse JSON output +$logContent = Get-Content $logFilePath -Raw | ConvertFrom-Json +$topLevelPackages = $logContent.projects.frameworks.topLevelPackages + +# Load skip-cve.json +$skipCveContent = Get-Content $skipCveFilePath -Raw | ConvertFrom-Json +$skipPackages = $skipCveContent.packages + +# Validate files in skipPackagesCve.json are still valid security vulnerabilities +$topLevelPackageIds = $topLevelPackages.id +$invalidSkips = $skipPackages | Where-Object { $_ -notin $topLevelPackageIds } + +if ($invalidSkips.Count -gt 0) { + Write-Host "The following packages in 'skipPackagesCve.json' do not exist in the vulnerable packages list: $($invalidSkips -join ', '). Please remove these packages from the JSON file." + Exit 1 +} + +# Filter vulnerabilities +$vulnerablePackages = @() +foreach ($package in $topLevelPackages) { + if ($skipPackages -notcontains $package.id) { + $vulnerablePackages += $package + } +} + +# Check for remaining vulnerabilities +if ($vulnerablePackages.Count -gt 0) { + Write-Host "Security vulnerabilities found (excluding skipped packages):" + $vulnerablePackages | ForEach-Object { + Write-Host "Package: $($_.id)" + Write-Host "Version: $($_.resolvedVersion)" + $_.vulnerabilities | ForEach-Object { + Write-Host "Severity: $($_.severity)" + Write-Host "Advisory: $($_.advisoryurl)" + } + } + Exit 1 +} else { + Write-Host "No security vulnerabilities found (excluding skipped packages)." +} $logFileExists = Test-Path $logFilePath -PathType Leaf if ($logFileExists) 
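Review bot: Only `topLevelPackages` is read from the JSON, so every vulnerable transitive dependency that `--include-transitive` surfaces lands in the `transitivePackages` array and is never inspected, and the step passes silently on exactly the class of finding the flag was added for; gather both arrays, e.g. `$topLevelPackages = @($logContent.projects.frameworks.topLevelPackages) + @($logContent.projects.frameworks.transitivePackages)`, so the skip validation and the filter below see the full list. The skip list is also keyed on the package `id` alone, which waives every current and future advisory for that package rather than the one that was reviewed; matching on `$_.vulnerabilities.advisoryurl` (or id plus `resolvedVersion`) would keep the waiver narrow and make the stale-entry check meaningful. Neither `dotnet restore` nor the list command has `$LASTEXITCODE` checked, so a failed restore or an unreachable advisory source is only noticed if the JSON happens not to parse; `if ($LASTEXITCODE -ne 0) { Exit $LASTEXITCODE }` after each invocation closes that gap.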
@@ -24,10 +64,4 @@ if ($logFileExists) Remove-Item $logFilePath } -cd ../.. - -if (!$result) -{ - Write-Host "Vulnerabilities found" - Exit 1 -} \ No newline at end of file +cd ../.. \ No newline at end of file diff --git a/eng/ci/templates/public/jobs/build-test-public.yml b/eng/ci/templates/public/jobs/build-test-public.yml index 069fa7325..1424a4416 100644 --- a/eng/ci/templates/public/jobs/build-test-public.yml +++ b/eng/ci/templates/public/jobs/build-test-public.yml @@ -43,6 +43,9 @@ jobs: - pwsh: | .\validateWorkerVersions.ps1 displayName: 'Validate worker versions' + - pwsh: | + .\check-vulnerabilities.ps1 + displayName: "Check for security vulnerabilities" condition: ne(variables['skipWorkerVersionValidation'], 'true') - pwsh: | .\build.ps1 @@ -53,9 +56,6 @@ jobs: IsPublicBuild: true IsCodeqlBuild: false displayName: 'Executing build script' - - pwsh: | - .\check-vulnerabilities.ps1 - displayName: "Check for security vulnerabilities" - task: PublishTestResults@2 inputs: testResultsFormat: 'VSTest' diff --git a/skipPackagesCve.json b/skipPackagesCve.json new file mode 100644 index 000000000..57251b7f7 --- /dev/null +++ b/skipPackagesCve.json @@ -0,0 +1,5 @@ +{ + "packages": [ + "DotNetZip" + ] +} \ No newline at end of file From d6f1fa3da420ea38ed29a56bac0af827f57d0a38 Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Tue, 4 Feb 2025 12:14:57 -0800 Subject: [PATCH 05/11] updating version to be latest --- .../Azure.Functions.Cli.csproj | 19 +++++++++---------- validateWorkerVersions.ps1 | 2 +- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/src/Azure.Functions.Cli/Azure.Functions.Cli.csproj b/src/Azure.Functions.Cli/Azure.Functions.Cli.csproj index 9d3e6b8bc..bb356a8c8 100644 --- a/src/Azure.Functions.Cli/Azure.Functions.Cli.csproj +++ b/src/Azure.Functions.Cli/Azure.Functions.Cli.csproj @@ -1,4 +1,4 @@ - + Exe net6.0;net8.0 
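Review bot: The waiver entry records only a package id, so nothing in the repository says which advisory was assessed, why it is acceptable, who approved it, or when it should be revisited, and the same bare string will also cover any advisory published against `DotNetZip` later. Store each waiver as an object rather than a string, e.g. `{ "id": "DotNetZip", "advisoryUrl": "<the Advisory: value the check prints>", "reason": "...", "expires": "YYYY-MM-DD" }`, and have the check compare on the advisory URL and fail once the expiry has passed. Strict JSON has no comment syntax, so the justification has to live in the data itself if it is to survive review.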
@@ -66,9 +66,9 @@ $(AssemblyName).Dockerfile.dotnet8Isolated - + $(AssemblyName).Dockerfile.dotnet9Isolated - + $(AssemblyName).ExtensionsProj.csproj @@ -287,7 +287,7 @@ - + @@ -295,7 +295,6 @@ - @@ -307,12 +306,12 @@ - - + + - - - + + + diff --git a/validateWorkerVersions.ps1 b/validateWorkerVersions.ps1 index 19ed8d8a0..7df18337b 100644 --- a/validateWorkerVersions.ps1 +++ b/validateWorkerVersions.ps1 @@ -59,7 +59,7 @@ if (-Not $hostVersion) { function getHostFileContent([string]$filePath) { $uri = "https://raw.githubusercontent.com/Azure/azure-functions-host/v$hostVersion/$filePath" - return removeBomIfExists((Invoke-WebRequest -Uri $uri -MaximumRetryCount 5 -RetryIntervalSec 2).Content) + return removeBomIfExists((Invoke-WebRequest -Uri $uri).Content) } $hostCsprojContent = getHostFileContent "src/WebJobs.Script/WebJobs.Script.csproj" $pythonPropsContent = getHostFileContent "build/python.props" From 09b1e1cbe212462797bdab99b821be3049b61697 Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Wed, 5 Feb 2025 10:20:52 -0800 Subject: [PATCH 06/11] skipping npm install for unit test --- test/Azure.Functions.Cli.Tests/E2E/InitTests.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/Azure.Functions.Cli.Tests/E2E/InitTests.cs b/test/Azure.Functions.Cli.Tests/E2E/InitTests.cs index 0f3d99217..2d635d4a2 100644 --- a/test/Azure.Functions.Cli.Tests/E2E/InitTests.cs +++ b/test/Azure.Functions.Cli.Tests/E2E/InitTests.cs @@ -45,7 +45,7 @@ public Task init_with_worker_runtime(string workerRuntime) return CliTester.Run(new RunConfiguration { - Commands = new[] { $"init . --worker-runtime {workerRuntime}" }, + Commands = new[] { $"init . --worker-runtime {workerRuntime} --skip-npm-install" }, CheckFiles = files.ToArray(), OutputContains = new[] { From 4fa0f13ad4123f84104ddfedde1afd252894cf75 Mon Sep 17 00:00:00 2001 
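Review bot: Dropping `-MaximumRetryCount 5 -RetryIntervalSec 2` from the `Invoke-WebRequest` in getHostFileContent turns any transient failure fetching from raw.githubusercontent.com into a hard failure of the worker-version validation step, and the commit message ("updating version to be latest") does not say why the retries were removed. If they were removed because the script must also run under Windows PowerShell 5.1, where those parameters do not exist, record that next to the call, e.g. `# No -MaximumRetryCount: must stay compatible with Windows PowerShell 5.1`; otherwise restoring the original call is the safer choice. The rest of validateWorkerVersions.ps1 is outside the hunk.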
From: Aishwarya Bhandari Date: Fri, 7 Feb 2025 09:28:50 -0800 Subject: [PATCH 07/11] changing working directory --- check-vulnerabilities.ps1 | 10 +--------- eng/ci/templates/public/jobs/build-test-public.yml | 9 +++++---- 2 files changed, 6 insertions(+), 13 deletions(-) diff --git a/check-vulnerabilities.ps1 b/check-vulnerabilities.ps1 index e49645f05..e7842a4ce 100644 --- a/check-vulnerabilities.ps1 +++ b/check-vulnerabilities.ps1 @@ -1,13 +1,7 @@ -$projectPath = ".\src\Azure.Functions.Cli" $projectFileName = ".\Azure.Functions.Cli.csproj" $logFilePath = "..\..\build.log" $skipCveFilePath = "..\..\skipPackagesCve.json" -if (-not (Test-Path $projectPath)) -{ - throw "Project path '$projectPath' does not exist." -} -cd $projectPath $cmd = "restore" Write-Host "dotnet $cmd" @@ -62,6 +56,4 @@ $logFileExists = Test-Path $logFilePath -PathType Leaf if ($logFileExists) { Remove-Item $logFilePath -} - -cd ../.. \ No newline at end of file +} \ No newline at end of file diff --git a/eng/ci/templates/public/jobs/build-test-public.yml b/eng/ci/templates/public/jobs/build-test-public.yml index 1424a4416..a0bf3b6d2 100644 --- a/eng/ci/templates/public/jobs/build-test-public.yml +++ b/eng/ci/templates/public/jobs/build-test-public.yml @@ -43,10 +43,11 @@ jobs: - pwsh: | .\validateWorkerVersions.ps1 displayName: 'Validate worker versions' - - pwsh: | - .\check-vulnerabilities.ps1 - displayName: "Check for security vulnerabilities" - condition: ne(variables['skipWorkerVersionValidation'], 'true') + - task: PowerShell@2 + displayName: "Run Check Vulnerabilities Script" + inputs: + filePath: './checkVulnerabilities.ps1' + workingDirectory: './src/Azure.Functions.Cli' - pwsh: | .\build.ps1 env: From b44dc270d03f1358adf96e10c15c406d852788e6 Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Fri, 7 Feb 2025 09:45:43 -0800 Subject: [PATCH 08/11] changing build sched --- eng/ci/templates/public/jobs/build-test-public.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
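Review bot: With `$projectPath`, its `Test-Path` guard and the `cd` removed, the script now depends entirely on the caller's working directory being `src\Azure.Functions.Cli`: `$logFilePath = "..\..\build.log"` and `$skipCveFilePath = "..\..\skipPackagesCve.json"` are still relative, so invoking it from the repository root (as the earlier step templates did) would write the log two levels above the checkout and fail on the missing JSON with an unrelated error. Anchoring both to the script's own location, `$logFilePath = Join-Path $PSScriptRoot "build.log"` and `$skipCveFilePath = Join-Path $PSScriptRoot "skipPackagesCve.json"`, keeps them correct whatever `workingDirectory` the pipeline passes, and the `dotnet` calls could likewise take an explicit project path instead of relying on the cwd. `$projectFileName` is kept but is not referenced by any visible line; if it is unused it should go as well.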
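Review bot: The public template's `Validate worker versions` step loses its `skipWorkerVersionValidation` condition in this hunk: the deleted `condition: ne(variables['skipWorkerVersionValidation'], 'true')` line belonged to that step (the earlier commit had inserted the vulnerability step between the step and its condition), so after this change worker validation runs unconditionally here while the official template still honours the variable. Move the line back directly under `displayName: 'Validate worker versions'` instead of dropping it. The vulnerability check itself should remain unconditional, as it is here.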
diff --git a/eng/ci/templates/public/jobs/build-test-public.yml b/eng/ci/templates/public/jobs/build-test-public.yml index a0bf3b6d2..e54820634 100644 --- a/eng/ci/templates/public/jobs/build-test-public.yml +++ b/eng/ci/templates/public/jobs/build-test-public.yml @@ -7,7 +7,7 @@ jobs: timeoutInMinutes: "180" pool: name: 1es-pool-azfunc-public - image: 1es-windows-2022 + image: 1es-windows-202 os: windows variables: @@ -41,12 +41,13 @@ jobs: versionSpec: displayName: Install Nuget tool - pwsh: | + ls $(Build.SourcesDirectory) .\validateWorkerVersions.ps1 displayName: 'Validate worker versions' - task: PowerShell@2 displayName: "Run Check Vulnerabilities Script" inputs: - filePath: './checkVulnerabilities.ps1' + filePath: '$(Build.SourcesDirectory)/checkVulnerabilities.ps1' workingDirectory: './src/Azure.Functions.Cli' - pwsh: | .\build.ps1 From db40a136b58bc7c326caa302e4887ad8be3485e8 Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Fri, 7 Feb 2025 10:00:52 -0800 Subject: [PATCH 09/11] my cat deleted the extra 2 by stepping on my keyboard lol --- eng/ci/templates/public/jobs/build-test-public.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/eng/ci/templates/public/jobs/build-test-public.yml b/eng/ci/templates/public/jobs/build-test-public.yml index e54820634..2ed6bf3e1 100644 --- a/eng/ci/templates/public/jobs/build-test-public.yml +++ b/eng/ci/templates/public/jobs/build-test-public.yml @@ -7,7 +7,7 @@ jobs: timeoutInMinutes: "180" pool: name: 1es-pool-azfunc-public - image: 1es-windows-202 + image: 1es-windows-2022 os: windows variables: From 8ec865c06f370f61f2bf895668377815543191a8 Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Fri, 7 Feb 2025 10:13:07 -0800 Subject: [PATCH 10/11] fixing typo --- eng/ci/templates/public/jobs/build-test-public.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
diff --git a/eng/ci/templates/public/jobs/build-test-public.yml b/eng/ci/templates/public/jobs/build-test-public.yml index 2ed6bf3e1..1313a39b9 100644 --- a/eng/ci/templates/public/jobs/build-test-public.yml +++ b/eng/ci/templates/public/jobs/build-test-public.yml @@ -41,14 +41,13 @@ jobs: versionSpec: displayName: Install Nuget tool - pwsh: | - ls $(Build.SourcesDirectory) .\validateWorkerVersions.ps1 displayName: 'Validate worker versions' - task: PowerShell@2 displayName: "Run Check Vulnerabilities Script" inputs: - filePath: '$(Build.SourcesDirectory)/checkVulnerabilities.ps1' - workingDirectory: './src/Azure.Functions.Cli' + filePath: '$(Build.SourcesDirectory)/check-vulnerabilities.ps1' + workingDirectory: '$(Build.SourcesDirectory)/src/Azure.Functions.Cli' - pwsh: | .\build.ps1 env: From d4dc6744c65518c3b8af09fc1e6440b2cc338630 Mon Sep 17 00:00:00 2001 From: Aishwarya Bhandari Date: Fri, 7 Feb 2025 10:31:59 -0800 Subject: [PATCH 11/11] update actual pipeline with working directory changes --- eng/ci/templates/official/jobs/build-test.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/eng/ci/templates/official/jobs/build-test.yml b/eng/ci/templates/official/jobs/build-test.yml index f0bda6f2a..b830ab490 100644 --- a/eng/ci/templates/official/jobs/build-test.yml +++ b/eng/ci/templates/official/jobs/build-test.yml @@ -82,9 +82,11 @@ jobs: .\validateWorkerVersions.ps1 displayName: 'Validate worker versions' condition: ne(variables['skipWorkerVersionValidation'], 'true') - - pwsh: | - .\check-vulnerabilities.ps1 - displayName: "Check for security vulnerabilities" + - task: PowerShell@2 + displayName: "Run Check Vulnerabilities Script" + inputs: + filePath: '$(Build.SourcesDirectory)/check-vulnerabilities.ps1' + workingDirectory: '$(Build.SourcesDirectory)/src/Azure.Functions.Cli' - pwsh: | .\build.ps1 env:
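Review bot: The new `PowerShell@2` task runs `check-vulnerabilities.ps1` under Windows PowerShell 5.1 rather than PowerShell 7, because `pwsh: true` is not set and, as far as I can tell from the task's defaults, it uses the legacy host on Windows agents, while every neighbouring step in this job still runs via `- pwsh:`. That means the script is exercised under a different `ConvertFrom-Json` implementation and cmdlet parameter set than the one it was presumably written against. Add `pwsh: true` under `inputs:` to keep a single host across the job, or note in the step why Windows PowerShell is intended; the same applies to the public template's copy of this step.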