
security-devops-azdevops-task-lib's Introduction

Microsoft Security DevOps AzDevOps Task Library

An Azure DevOps JavaScript library for running the Microsoft Security DevOps CLI.

Leveraged By

Related

Build

Prerequisites:

Steps

  1. Install node package dependencies
    npm install
    
  2. Run the build script defined in the package.json file:
    npm run build
    

Build Operations

The build:

  1. Compiles the TypeScript in the ./src directory
  2. Outputs JavaScript to the ./dist directory
  3. Copies the ./package.json file to the ./dist folder

Publish

This package is hosted on this repo's package feed.

To publish a build, please see "Working with the npm registry".

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Trademarks

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.

security-devops-azdevops-task-lib's People

Contributors

chrisnielsen-ms, davidknise, microsoftopensource


security-devops-azdevops-task-lib's Issues

Error: Failed to install the MSDO CLI nuget package while running behind proxy

After the update to the 1.7.x version, the MicrosoftSecurityDevOps@1 started to fail in Azure DevOps self-hosted agents configured behind a proxy.
It's failing in both Windows and Linux agents. The below logs are from Windows2022 agents.

In previous versions, 1.6.x, when it had dependency on dotnet, execution was fine.

Example failing task

  - task: MicrosoftSecurityDevOps@1
    displayName: Secret scanner
    inputs:
      categories: 'secrets'
      break: true
      publish: true
      artifactName: CodeAnalysisLogs

Log:

##[debug]Evaluating condition for step: 'Secret scanner'
##[debug]Evaluating: SucceededNode()
##[debug]Evaluating SucceededNode:
##[debug]=> True
##[debug]Result: True
Starting: Secret scanner
==============================================================================
Task         : Microsoft Security DevOps
Description  : Run the Microsoft Security DevOps CLI for static analysis.
Version      : 1.7.2
Author       : Microsoft Corporation
Help         : Runs the [Microsoft Security DevOps CLI](https://aka.ms/msdo-nuget) for security analysis.
==============================================================================
##[debug]Using node path: C:\agent01-2\externals\node16\bin\node.exe
##[debug]agent.TempDirectory=C:\agent01-2\_work\_temp
##[debug]loading inputs and endpoints
##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
##[debug]loading INPUT_ARTIFACTNAME
##[debug]loading INPUT_BREAK
##[debug]loading INPUT_CATEGORIES
##[debug]loading INPUT_POLICY
##[debug]loading INPUT_PUBLISH
##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
##[debug]loaded 9
##[debug]Agent.ProxyUrl=http://proxy:80
##[debug]Agent.ProxyUsername=undefined
##[debug]Agent.ProxyPassword=undefined
##[debug]Agent.ProxyBypassList=[".*\\.azurewebsites\\.net",".*\\.azure\\.net"]
##[debug]expose agent proxy configuration.
##[debug]expose agent certificate configuration.
##[debug]Agent.SkipCertValidation=undefined
##[debug]config=undefined
##[debug]policy=microsoft
##[debug]categories=secrets
##[debug]languages=undefined
##[debug]tools=undefined
##[debug]publish=true
##[debug]artifactName=CodeAnalysisLogs
##[debug]break=true
##[debug]sarifFile = C:\agent01-2\_work\69\a\.gdn\msdo.sarif
------------------------------------------------------------------------------
Installing Microsoft Security DevOps Cli version: Latest
##[debug]packageName = Microsoft.Security.Devops.Cli.win-x64
##[debug]agentDirectory = C:\agent01-2\_work\_msdo
##[debug]agentPackagesDirectory = C:\agent01-2\_work\_msdo\packages
##[debug]agentVersionsDirectory = C:\agent01-2\_work\_msdo\versions
##[debug]MSDO CLI version contains a latest quantifier: Latest. Continuing with install...
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
(node:8784) Warning: Setting the NODE_TLS_REJECT_UNAUTHORIZED environment variable to '0' makes TLS connections and HTTPS requests insecure by disabling certificate verification.
(Use `node --trace-warnings ...` to show where the warning was created)
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
##[debug]MSDO_MICROSOFTSECURITYDEVOPSCLIWINX64_LATESTVERSION=undefined
##[debug]Fetching service index for: https://api.nuget.org/v3/index.json
##[debug]GET https://api.nuget.org/v3/index.json
##[debug]Error: Error calling url: Error: connect ETIMEDOUT 152.199.23.209:443
Exception occurred while initializing MSDO:
##[debug]task result: Failed
##[error]Error: Failed to install the MSDO CLI nuget package.
##[debug]Processed: ##vso[task.issue type=error;]Error: Failed to install the MSDO CLI nuget package.
##[debug]Processed: ##vso[task.complete result=Failed;]Error: Failed to install the MSDO CLI nuget package.
Finishing: Secret scanner
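
The log above shows a proxy configured for the agent while the failing request times out against 152.199.23.209:443. The following is an added example, not code from this library or from the issue: it takes the `Agent.Proxy*` values from the log and works out how a request to the NuGet service index would be routed if those settings were honoured. The names `AGENT`, `routeFor` and `connectPreamble` are hypothetical, and bypass entries are assumed to be regular expressions tested against the full request URL.

```javascript
// Constructed from the Agent.Proxy* debug lines in the log above.
const AGENT = {
  proxyUrl: "http://proxy:80",
  proxyUsername: undefined,
  proxyPassword: undefined,
  proxyBypassList: [".*\\.azurewebsites\\.net", ".*\\.azure\\.net"],
};

// Decide how a request should leave the agent: via the proxy, or direct.
function routeFor(requestUrl, agent) {
  if (!agent.proxyUrl) return { via: "direct" };
  // Assumption: each bypass entry is a regex tested against the request URL.
  const bypassed = (agent.proxyBypassList || []).some((pattern) =>
    new RegExp(pattern, "i").test(requestUrl)
  );
  if (bypassed) return { via: "direct" };
  const proxy = new URL(agent.proxyUrl);
  // URL.port is "" when the port equals the scheme default (80 for http).
  const port = Number(proxy.port) || (proxy.protocol === "https:" ? 443 : 80);
  return { via: "proxy", host: proxy.hostname, port };
}

// For an https target behind an HTTP proxy, the first bytes sent are a CONNECT
// request to the proxy, not a TLS handshake with the target's own address.
function connectPreamble(requestUrl, agent) {
  const route = routeFor(requestUrl, agent);
  if (route.via !== "proxy") return null;
  const target = new URL(requestUrl); // assumed to be an https URL
  const authority = `${target.hostname}:${target.port || 443}`;
  const lines = [`CONNECT ${authority} HTTP/1.1`, `Host: ${authority}`];
  if (agent.proxyUsername) {
    const pair = `${agent.proxyUsername}:${agent.proxyPassword || ""}`;
    lines.push(`Proxy-Authorization: Basic ${Buffer.from(pair).toString("base64")}`);
  }
  return lines.join("\r\n") + "\r\n\r\n";
}
```

With the logged settings, `https://api.nuget.org/v3/index.json` matches neither bypass pattern, so the TCP connection should be opened to `proxy:80` rather than to a public address.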

Decompression when requesting NuGet's `index.json` file causes unhandled error / failure

We noticed that our Azure Pipeline's Microsoft Security DevOps task was updated to v1.7.1 (from v1.6.0) between yesterday and today and started seeing an error as demonstrated in the following pictures (the first of which without verbose / debug logging, the second of which with the logging):

[image 1: task log without verbose / debug logging]

[image 2: task log with verbose / debug logging]

Furthermore, if we remove the linked lines (the ones handling decompression of the index.json from NuGet), the task proceeds properly (installing the CLI successfully).

I can provide more information if you'd like (agent information, what we're calling in our pipeline, etc.), but figured we'd want to get the ball rolling here (since the code is pretty new and we're unsure how different environments / agents will handle the problem)!
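
One defensive way to handle the `index.json` body so that a decompression problem surfaces as a descriptive error instead of an unhandled one. This is an added example, not the library's code and not the lines the issue links to. It assumes the body may arrive either gzip-compressed or already decoded by an intermediary; `SAMPLE_INDEX`, `MAX_INDEX_BYTES` and the function names are constructed for illustration.

```javascript
const zlib = require("node:zlib");

// Constructed sample shaped like a NuGet v3 service index (not a captured response).
const SAMPLE_INDEX = JSON.stringify({
  version: "3.0.0",
  resources: [
    { "@id": "https://api.nuget.org/v3-flatcontainer/", "@type": "PackageBaseAddress/3.0.0" },
  ],
});

const MAX_INDEX_BYTES = 1024 * 1024; // assumed cap on the decompressed size

// Decide by the bytes, not by the header: gunzip only if the gzip magic is present.
function decodeBody(body) {
  const hasGzipMagic = body.length >= 2 && body[0] === 0x1f && body[1] === 0x8b;
  if (hasGzipMagic) {
    return zlib.gunzipSync(body, { maxOutputLength: MAX_INDEX_BYTES }).toString("utf8");
  }
  // A Content-Encoding: gzip header can outlive a body that was already decoded
  // upstream; without the magic bytes there is nothing to decompress.
  return body.toString("utf8");
}

// Parse the service index, turning every failure into a descriptive Error.
function parseServiceIndex(headers, body) {
  const encoding = headers["content-encoding"] || "none";
  let text;
  try {
    text = decodeBody(body);
  } catch (err) {
    throw new Error(`index.json: cannot decompress body (content-encoding=${encoding}, ${err.code || err.message})`);
  }
  let index;
  try {
    index = JSON.parse(text);
  } catch (err) {
    throw new Error(`index.json: body is not JSON (content-encoding=${encoding})`);
  }
  if (!index || !Array.isArray(index.resources)) {
    throw new Error("index.json: missing resources array");
  }
  return index;
}

// Return the @id of the first resource with the given @type, or null.
function resourceUrl(index, type) {
  const hit = index.resources.find((r) => r["@type"] === type);
  return hit ? hit["@id"] : null;
}
```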
