Skip to content

[release/3.x] Fix SDL error reporting #7654

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
premun merged 5 commits into from
Jul 26, 2021
Merged

[release/3.x] Fix SDL error reporting #7654

premun merged 5 commits into from
Jul 26, 2021

Conversation

@lpatalas
Copy link
Contributor

@lpatalas lpatalas commented Jul 21, 2021
edited
Loading

Description

Related issue: #7616

This PR introduces following changes:

  • Fail the build step when SDL reports errors - there were two problems:
    • We were shadowing $LASTEXITCODE variable by calling $LASTEXITCODE = 0 at the beginning of scripts. It should be $global:LASTEXITCODE = 0.
    • We were not checking exit code from child scripts. I fixed it by changing Write-Host to Write-Error where appropriate.
  • Remove Microsoft.DotNet.XUnitRunnerUap_TemporaryKey.pfx certificate that SDL reports as vulnerability
    • This certificate is expired and probably not used anymore. We've already removed it on main.

Example build: https://dev.azure.com/dnceng/internal/_build/results?buildId=1250730
Example build that failed because of SDL error: https://dev.azure.com/dnceng/internal/_build/results?buildId=1248474

Customer Impact

Without fixing the error handling we may miss security issues reported by the SDL scanner.

Regression

There can be possible changes in behavior because we were ignoring all errors in SDL step before. Now they will fail the build.

Risk

The biggest risk is that fixing the error handling will make pipelines fail on SDL stage because of errors that we previously silently ignored.

Workarounds

If our target is to fail the build on SDL errors then I believe this the minimal amount of changes we have to make. The alternative is to keep track of the issues manually but this seems impractical in the long term.

MattGal
MattGal reviewed Jul 21, 2021
View reviewed changes
eng/common/sdl/push-gdn.ps1
@@ -36,16 +36,26 @@ git add .
if ($LASTEXITCODE -ne 0) {
Copy link
Member

@MattGal MattGal Jul 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is leaving this as not $global:LASTEXITCODE intentional?

Copy link
Contributor Author

@lpatalas lpatalas Jul 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, the only problem is setting $LASTEXITCODE. We could change every instance to $global:LASTEXITCODE to be on the safe side but I think it's an overkill.

MattGal
MattGal approved these changes Jul 21, 2021
View reviewed changes
Copy link
Member

@MattGal MattGal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Signing off as changes seem reasonable but I'd like to see a run where this properly fails, since that's called out in the original issue.

@lpatalas
Copy link
Contributor Author

lpatalas commented Jul 21, 2021

@MattGal I've linked two example builds in the description.

@MattGal
Copy link
Member

MattGal commented Jul 21, 2021

@MattGal I've linked two example builds in the description.

Thanks, I didn't realize the 2nd one was with this change.

@lpatalas lpatalas mentioned this pull request Jul 21, 2021
Closed
3 tasks
@riarenas riarenas requested review from markwilkie and mmitche July 21, 2021 17:48
riarenas
riarenas approved these changes Jul 21, 2021
View reviewed changes
Copy link
Contributor

@riarenas riarenas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look good to me. But this is a behavior change that might impact repos (we were hiding these errors when found), so I would look for approval from @mmitche or @markwilkie. They might have additional thoughts. Also, could you fill out the template in your PR description for changes to the release branches? https://github.com/dotnet/arcade/blob/main/Documentation/Policy/AskModeTellModeTemplate.md

@lpatalas
Copy link
Contributor Author

lpatalas commented Jul 22, 2021

Thanks for the comments @riarenas. I have updated the description based on the template.

@lpatalas
Copy link
Contributor Author

lpatalas commented Jul 23, 2021
edited
Loading

This PR should be ready. It's waiting only for approvals. I also have the same changes prepared for release/5.0 on the separate branch: https://github.com/dotnet/arcade/tree/lupatala/fix-sdl-5.0. We may want to also merge them after 3.x is done.

@lpatalas lpatalas changed the title Fix SDL error reporting in release/3.x [release/3.x] Fix SDL error reporting Jul 23, 2021
@lpatalas lpatalas mentioned this pull request Jul 23, 2021
Merged
@premun
Copy link
Member

premun commented Jul 26, 2021
edited
Loading

@mmitche @markwilkie can we get a sign-off on this backport?
(5.0 is merged already: #7661)

@premun premun merged commit c444d79 into release/3.x Jul 26, 2021
@premun premun deleted the lupatala/fix-cg-3.x branch July 26, 2021 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MattGal MattGal MattGal approved these changes

@mmitche mmitche mmitche approved these changes

@ViktorHofer ViktorHofer Awaiting requested review from ViktorHofer

@markwilkie markwilkie Awaiting requested review from markwilkie

+1 more reviewer

@riarenas riarenas riarenas approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@lpatalas @MattGal @premun @mmitche @riarenas