@@ -16,194 +16,201 @@ parameters:
1616 default : true
1717
1818jobs :
19- - job : AttackSurfaceAnalyzer
20- displayName : Attack Surface Analyzer (ASA) 🛡️
21- pool : ${{ parameters.AgentPool.Medium }}
22- timeoutInMinutes : 60
23- cancelTimeoutInMinutes : 5
24-
25- variables :
26- - template : ../variables/windows.yml
27-
28- steps :
29- - template : ../templates/checkout-shallow.yml
30-
31- - template : ../templates/prepare-js-env.yml
32-
33- - template : ../templates/set-version-vars.yml
34- parameters :
35- buildEnvironment : ${{ parameters.buildEnvironment }}
36-
37- - template : ../templates/prepare-build-env.yml
38- parameters :
39- platform : x64
40- configuration : Release
41- buildEnvironment : ${{ parameters.buildEnvironment }}
42-
43- # Install Attack Surface Analyzer CLI tool
44- - task : PowerShell@2
45- displayName : ' 🛡️ Install Attack Surface Analyzer'
46- inputs :
47- targetType : inline
48- script : |
49- Write-Host "Installing Attack Surface Analyzer (ASA) CLI tool..."
50- dotnet tool install --global Microsoft.CST.AttackSurfaceAnalyzer.CLI
51-
52- # Verify installation
53- asa --version
54- if ($LASTEXITCODE -ne 0) {
55- Write-Error "Failed to install or verify ASA"
56- exit 1
57- }
58- Write-Host "✅ ASA installed successfully"
59-
60- # Take "before" snapshot of the system
61- - task : PowerShell@2
62- displayName : ' 🛡️ ASA - Collect Before Snapshot'
63- inputs :
64- targetType : inline
65- script : |
66- Write-Host "Taking 'before' snapshot of system state..."
67- asa collect -r before --verbose
68- if ($LASTEXITCODE -ne 0) {
69- Write-Error "Failed to collect 'before' snapshot"
70- exit 1
71- }
72- Write-Host "✅ Before snapshot collected successfully"
73-
74- # Build the React Native Windows solution
75- # This simulates the "installation" that ASA will analyze
76- - template : ../templates/msbuild-sln.yml
77- parameters :
78- solutionDir : vnext
79- solutionName : Microsoft.ReactNative.sln
80- buildPlatform : x64
81- buildConfiguration : Release
82-
83- # Optional: Build NuGet packages if needed
84- # This step simulates package creation which could modify system state
85- - task : PowerShell@2
86- displayName : ' 🛡️ ASA - Simulate Package Installation'
87- inputs :
88- targetType : inline
89- script : |
90- Write-Host "Simulating package installation for ASA analysis..."
91- Write-Host "Build artifacts are in place for analysis"
92- # Note: Actual NuGet package installation would go here if needed
93- # For now, we're analyzing the build process itself
94-
95- # Take "after" snapshot of the system
96- - task : PowerShell@2
97- displayName : ' 🛡️ ASA - Collect After Snapshot'
98- inputs :
99- targetType : inline
100- script : |
101- Write-Host "Taking 'after' snapshot of system state..."
102- asa collect -r after --verbose
103- if ($LASTEXITCODE -ne 0) {
104- Write-Error "Failed to collect 'after' snapshot"
105- exit 1
106- }
107- Write-Host "✅ After snapshot collected successfully"
108-
109- # Export comparison results
110- - task : PowerShell@2
111- displayName : ' 🛡️ ASA - Export Comparison Results'
112- inputs :
113- targetType : inline
114- script : |
115- Write-Host "Comparing before and after snapshots..."
116-
117- # Create output directory for results
118- $resultsDir = "$(Build.ArtifactStagingDirectory)\ASA_Results"
119- New-Item -ItemType Directory -Force -Path $resultsDir | Out-Null
120-
121- # Export results to JSON
122- asa export-collect -f before after -o "$resultsDir\asa-comparison.json" --verbose
123- if ($LASTEXITCODE -ne 0) {
124- Write-Error "Failed to export comparison results"
125- exit 1
126- }
127-
128- # Also export to HTML for easier viewing
129- asa export-collect -f before after -o "$resultsDir\asa-comparison.html" --verbose
130-
131- Write-Host "✅ Comparison results exported successfully"
132- Write-Host "Results location: $resultsDir"
133-
134- # Analyze results and check for security issues
135- - task : PowerShell@2
136- displayName : ' 🛡️ ASA - Analyze Results'
137- inputs :
138- targetType : inline
139- script : |
140- Write-Host "Analyzing ASA results for security regressions..."
141-
142- $resultsFile = "$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.json"
143-
144- if (-not (Test-Path $resultsFile)) {
145- Write-Error "Results file not found: $resultsFile"
146- exit 1
147- }
148-
149- # Load and analyze the results
150- $results = Get-Content $resultsFile | ConvertFrom-Json
151-
152- Write-Host "📊 ASA Analysis Summary:"
153- Write-Host "========================"
154-
155- # Count changes by category
156- $changeCount = 0
157- if ($results) {
158- if ($results.PSObject.Properties['Results']) {
159- $changeCount = $results.Results.Count
19+ # Only run ASA for SecurePullRequest builds
20+ - ${{if eq(parameters.buildEnvironment, 'SecurePullRequest')}} :
21+ - job : AttackSurfaceAnalyzer
22+ displayName : Attack Surface Analyzer (ASA) 🛡️
23+ pool : ${{ parameters.AgentPool.Medium }}
24+ timeoutInMinutes : 60
25+ cancelTimeoutInMinutes : 5
26+
27+ variables :
28+ - template : ../variables/windows.yml
29+
30+ steps :
31+ - template : ../templates/checkout-shallow.yml
32+
33+ - template : ../templates/prepare-js-env.yml
34+
35+ - template : ../templates/set-version-vars.yml
36+ parameters :
37+ buildEnvironment : ${{ parameters.buildEnvironment }}
38+
39+ - template : ../templates/prepare-build-env.yml
40+ parameters :
41+ platform : x64
42+ configuration : Release
43+ buildEnvironment : ${{ parameters.buildEnvironment }}
44+
45+ # Authenticate to NuGet feeds
46+ - task : NuGetAuthenticate@1
47+ displayName : ' 🛡️ Authenticate NuGet'
48+
49+ # Install Attack Surface Analyzer CLI tool
50+ - task : PowerShell@2
51+ displayName : ' 🛡️ Install Attack Surface Analyzer'
52+ inputs :
53+ targetType : inline
54+ script : |
55+ Write-Host "Installing Attack Surface Analyzer (ASA) CLI tool..."
56+ # Install from public NuGet.org feed
57+ dotnet tool install --global Microsoft.CST.AttackSurfaceAnalyzer.CLI --add-source https://api.nuget.org/v3/index.json
58+
59+ # Verify installation
60+ asa --version
61+ if ($LASTEXITCODE -ne 0) {
62+ Write-Error "Failed to install or verify ASA"
63+ exit 1
64+ }
65+ Write-Host "✅ ASA installed successfully"
66+
67+ # Take "before" snapshot of the system
68+ - task : PowerShell@2
69+ displayName : ' 🛡️ ASA - Collect Before Snapshot'
70+ inputs :
71+ targetType : inline
72+ script : |
73+ Write-Host "Taking 'before' snapshot of system state..."
74+ asa collect -r before --verbose
75+ if ($LASTEXITCODE -ne 0) {
76+ Write-Error "Failed to collect 'before' snapshot"
77+ exit 1
78+ }
79+ Write-Host "✅ Before snapshot collected successfully"
80+
81+ # Build the React Native Windows solution
82+ # This simulates the "installation" that ASA will analyze
83+ - template : ../templates/msbuild-sln.yml
84+ parameters :
85+ solutionDir : vnext
86+ solutionName : Microsoft.ReactNative.sln
87+ buildPlatform : x64
88+ buildConfiguration : Release
89+
90+ # Optional: Build NuGet packages if needed
91+ # This step simulates package creation which could modify system state
92+ - task : PowerShell@2
93+ displayName : ' 🛡️ ASA - Simulate Package Installation'
94+ inputs :
95+ targetType : inline
96+ script : |
97+ Write-Host "Simulating package installation for ASA analysis..."
98+ Write-Host "Build artifacts are in place for analysis"
99+ # Note: Actual NuGet package installation would go here if needed
100+ # For now, we're analyzing the build process itself
101+
102+ # Take "after" snapshot of the system
103+ - task : PowerShell@2
104+ displayName : ' 🛡️ ASA - Collect After Snapshot'
105+ inputs :
106+ targetType : inline
107+ script : |
108+ Write-Host "Taking 'after' snapshot of system state..."
109+ asa collect -r after --verbose
110+ if ($LASTEXITCODE -ne 0) {
111+ Write-Error "Failed to collect 'after' snapshot"
112+ exit 1
113+ }
114+ Write-Host "✅ After snapshot collected successfully"
115+
116+ # Export comparison results
117+ - task : PowerShell@2
118+ displayName : ' 🛡️ ASA - Export Comparison Results'
119+ inputs :
120+ targetType : inline
121+ script : |
122+ Write-Host "Comparing before and after snapshots..."
123+
124+ # Create output directory for results
125+ $resultsDir = "$(Build.ArtifactStagingDirectory)\ASA_Results"
126+ New-Item -ItemType Directory -Force -Path $resultsDir | Out-Null
127+
128+ # Export results to JSON
129+ asa export-collect -f before after -o "$resultsDir\asa-comparison.json" --verbose
130+ if ($LASTEXITCODE -ne 0) {
131+ Write-Error "Failed to export comparison results"
132+ exit 1
133+ }
134+
135+ # Also export to HTML for easier viewing
136+ asa export-collect -f before after -o "$resultsDir\asa-comparison.html" --verbose
137+
138+ Write-Host "✅ Comparison results exported successfully"
139+ Write-Host "Results location: $resultsDir"
140+
141+ # Analyze results and check for security issues
142+ - task : PowerShell@2
143+ displayName : ' 🛡️ ASA - Analyze Results'
144+ inputs :
145+ targetType : inline
146+ script : |
147+ Write-Host "Analyzing ASA results for security regressions..."
148+
149+ $resultsFile = "$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.json"
150+
151+ if (-not (Test-Path $resultsFile)) {
152+ Write-Error "Results file not found: $resultsFile"
153+ exit 1
154+ }
155+
156+ # Load and analyze the results
157+ $results = Get-Content $resultsFile | ConvertFrom-Json
158+
159+ Write-Host "📊 ASA Analysis Summary:"
160+ Write-Host "========================"
161+
162+ # Count changes by category
163+ $changeCount = 0
164+ if ($results) {
165+ if ($results.PSObject.Properties['Results']) {
166+ $changeCount = $results.Results.Count
167+ }
168+ }
169+
170+ Write-Host "Total changes detected: $changeCount"
171+
172+ # For SDL compliance, we should review any changes
173+ # Particularly focus on:
174+ # - Registry permission changes
175+ # - File permission changes
176+ # - Service installations
177+ # - Firewall rule changes
178+ # - Certificate store modifications
179+
180+ if ($changeCount -gt 0) {
181+ Write-Host "⚠️ Changes detected during build process"
182+ Write-Host "Review the exported results for security implications"
183+ Write-Host "Results available in build artifacts: ASA_Results"
184+ } else {
185+ Write-Host "✅ No significant system changes detected"
186+ }
187+
188+ # For now, we'll treat this as informational
189+ # In production, you might want to fail on certain types of changes
190+ Write-Host "ASA analysis completed"
191+ continueOnError : ${{ parameters.complianceWarnOnly }}
192+
193+ # Publish ASA results as build artifact
194+ - task : PublishBuildArtifacts@1
195+ displayName : ' 🛡️ Publish ASA Results'
196+ inputs :
197+ PathtoPublish : ' $(Build.ArtifactStagingDirectory)\ASA_Results'
198+ ArtifactName : ' ASA_Results'
199+ publishLocation : ' Container'
200+ condition : always()
201+
202+ # Generate summary for PR
203+ - task : PowerShell@2
204+ displayName : ' 🛡️ ASA - Generate PR Summary'
205+ inputs :
206+ targetType : inline
207+ script : |
208+ Write-Host "Generating ASA summary for PR..."
209+
210+ $resultsFile = "$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.json"
211+
212+ if (Test-Path $resultsFile) {
213+ Write-Host "##vso[task.uploadsummary]$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.html"
214+ Write-Host "✅ ASA summary will be available in PR"
160215 }
161- }
162-
163- Write-Host "Total changes detected: $changeCount"
164-
165- # For SDL compliance, we should review any changes
166- # Particularly focus on:
167- # - Registry permission changes
168- # - File permission changes
169- # - Service installations
170- # - Firewall rule changes
171- # - Certificate store modifications
172-
173- if ($changeCount -gt 0) {
174- Write-Host "⚠️ Changes detected during build process"
175- Write-Host "Review the exported results for security implications"
176- Write-Host "Results available in build artifacts: ASA_Results"
177- } else {
178- Write-Host "✅ No significant system changes detected"
179- }
180-
181- # For now, we'll treat this as informational
182- # In production, you might want to fail on certain types of changes
183- Write-Host "ASA analysis completed"
184- continueOnError : ${{ parameters.complianceWarnOnly }}
185-
186- # Publish ASA results as build artifact
187- - task : PublishBuildArtifacts@1
188- displayName : ' 🛡️ Publish ASA Results'
189- inputs :
190- PathtoPublish : ' $(Build.ArtifactStagingDirectory)\ASA_Results'
191- ArtifactName : ' ASA_Results'
192- publishLocation : ' Container'
193- condition : always()
194-
195- # Generate summary for PR
196- - task : PowerShell@2
197- displayName : ' 🛡️ ASA - Generate PR Summary'
198- inputs :
199- targetType : inline
200- script : |
201- Write-Host "Generating ASA summary for PR..."
202-
203- $resultsFile = "$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.json"
204-
205- if (Test-Path $resultsFile) {
206- Write-Host "##vso[task.uploadsummary]$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.html"
207- Write-Host "✅ ASA summary will be available in PR"
208- }
209- condition : always()
216+ condition : always()
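Review bot: The ASA install step on the new side (`dotnet tool install --global Microsoft.CST.AttackSurfaceAnalyzer.CLI --add-source https://api.nuget.org/v3/index.json`) takes whatever version is latest, and `--add-source` adds nuget.org in addition to, not instead of, the feeds that the new `NuGetAuthenticate@1` step just authenticated, so the tool resolves from the union of public and private sources with no pin and no recorded version in the artifact. For a job whose output is SDL/compliance evidence, pin it: `dotnet tool install --global Microsoft.CST.AttackSurfaceAnalyzer.CLI --version <PINNED_ASA_VERSION> --add-source https://api.nuget.org/v3/index.json` (placeholder to be replaced with the reviewed version), and consider echoing `asa --version` into the published summary so the report states which tool version produced it. If the repository's nuget.config uses package source mapping, the mapping is the better place to constrain this package than `--add-source`. Separately, the second `asa export-collect` (the `.html` output) carried over from the old side still has no `$LASTEXITCODE` check, so a failed HTML export is reported as success and the later `task.uploadsummary` may point at a missing file.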