@@ -16,196 +16,194 @@ parameters:
1616 default : true
1717
1818jobs :
19- # Only run ASA for PullRequest and Continuous builds (not SecurePullRequest)
20- - ${{if ne(parameters.buildEnvironment, 'SecurePullRequest')}} :
21- - job : AttackSurfaceAnalyzer
22- displayName : Attack Surface Analyzer (ASA) 🛡️
23- pool : ${{ parameters.AgentPool.Medium }}
24- timeoutInMinutes : 60
25- cancelTimeoutInMinutes : 5
19+ - job : AttackSurfaceAnalyzer
20+ displayName : Attack Surface Analyzer (ASA) 🛡️
21+ pool : ${{ parameters.AgentPool.Medium }}
22+ timeoutInMinutes : 60
23+ cancelTimeoutInMinutes : 5
2624
27- variables :
28- - template : ../variables/windows.yml
25+ variables :
26+ - template : ../variables/windows.yml
2927
30- steps :
31- - template : ../templates/checkout-shallow.yml
28+ steps :
29+ - template : ../templates/checkout-shallow.yml
3230
33- - template : ../templates/prepare-js-env.yml
31+ - template : ../templates/prepare-js-env.yml
3432
35- - template : ../templates/set-version-vars.yml
36- parameters :
37- buildEnvironment : ${{ parameters.buildEnvironment }}
33+ - template : ../templates/set-version-vars.yml
34+ parameters :
35+ buildEnvironment : ${{ parameters.buildEnvironment }}
3836
39- - template : ../templates/prepare-build-env.yml
40- parameters :
41- platform : x64
42- configuration : Release
43- buildEnvironment : ${{ parameters.buildEnvironment }}
37+ - template : ../templates/prepare-build-env.yml
38+ parameters :
39+ platform : x64
40+ configuration : Release
41+ buildEnvironment : ${{ parameters.buildEnvironment }}
4442
45- # Install Attack Surface Analyzer CLI tool
46- - task : PowerShell@2
47- displayName : ' 🛡️ Install Attack Surface Analyzer'
48- inputs :
49- targetType : inline
50- script : |
51- Write-Host "Installing Attack Surface Analyzer (ASA) CLI tool..."
52- dotnet tool install --global Microsoft.CST.AttackSurfaceAnalyzer.CLI
53-
54- # Verify installation
55- asa --version
56- if ($LASTEXITCODE -ne 0) {
57- Write-Error "Failed to install or verify ASA"
58- exit 1
59- }
60- Write-Host "✅ ASA installed successfully"
43+ # Install Attack Surface Analyzer CLI tool
44+ - task : PowerShell@2
45+ displayName : ' 🛡️ Install Attack Surface Analyzer'
46+ inputs :
47+ targetType : inline
48+ script : |
49+ Write-Host "Installing Attack Surface Analyzer (ASA) CLI tool..."
50+ dotnet tool install --global Microsoft.CST.AttackSurfaceAnalyzer.CLI
51+
52+ # Verify installation
53+ asa --version
54+ if ($LASTEXITCODE -ne 0) {
55+ Write-Error "Failed to install or verify ASA"
56+ exit 1
57+ }
58+ Write-Host "✅ ASA installed successfully"
6159
62- # Take "before" snapshot of the system
63- - task : PowerShell@2
64- displayName : ' 🛡️ ASA - Collect Before Snapshot'
65- inputs :
66- targetType : inline
67- script : |
68- Write-Host "Taking 'before' snapshot of system state..."
69- asa collect -r before --verbose
70- if ($LASTEXITCODE -ne 0) {
71- Write-Error "Failed to collect 'before' snapshot"
72- exit 1
73- }
74- Write-Host "✅ Before snapshot collected successfully"
60+ # Take "before" snapshot of the system
61+ - task : PowerShell@2
62+ displayName : ' 🛡️ ASA - Collect Before Snapshot'
63+ inputs :
64+ targetType : inline
65+ script : |
66+ Write-Host "Taking 'before' snapshot of system state..."
67+ asa collect -r before --verbose
68+ if ($LASTEXITCODE -ne 0) {
69+ Write-Error "Failed to collect 'before' snapshot"
70+ exit 1
71+ }
72+ Write-Host "✅ Before snapshot collected successfully"
7573
76- # Build the React Native Windows solution
77- # This simulates the "installation" that ASA will analyze
78- - template : ../templates/msbuild-sln.yml
79- parameters :
80- solutionDir : vnext
81- solutionName : Microsoft.ReactNative.sln
82- buildPlatform : x64
83- buildConfiguration : Release
74+ # Build the React Native Windows solution
75+ # This simulates the "installation" that ASA will analyze
76+ - template : ../templates/msbuild-sln.yml
77+ parameters :
78+ solutionDir : vnext
79+ solutionName : Microsoft.ReactNative.sln
80+ buildPlatform : x64
81+ buildConfiguration : Release
8482
85- # Optional: Build NuGet packages if needed
86- # This step simulates package creation which could modify system state
87- - task : PowerShell@2
88- displayName : ' 🛡️ ASA - Simulate Package Installation'
89- inputs :
90- targetType : inline
91- script : |
92- Write-Host "Simulating package installation for ASA analysis..."
93- Write-Host "Build artifacts are in place for analysis"
94- # Note: Actual NuGet package installation would go here if needed
95- # For now, we're analyzing the build process itself
83+ # Optional: Build NuGet packages if needed
84+ # This step simulates package creation which could modify system state
85+ - task : PowerShell@2
86+ displayName : ' 🛡️ ASA - Simulate Package Installation'
87+ inputs :
88+ targetType : inline
89+ script : |
90+ Write-Host "Simulating package installation for ASA analysis..."
91+ Write-Host "Build artifacts are in place for analysis"
92+ # Note: Actual NuGet package installation would go here if needed
93+ # For now, we're analyzing the build process itself
9694
97- # Take "after" snapshot of the system
98- - task : PowerShell@2
99- displayName : ' 🛡️ ASA - Collect After Snapshot'
100- inputs :
101- targetType : inline
102- script : |
103- Write-Host "Taking 'after' snapshot of system state..."
104- asa collect -r after --verbose
105- if ($LASTEXITCODE -ne 0) {
106- Write-Error "Failed to collect 'after' snapshot"
107- exit 1
108- }
109- Write-Host "✅ After snapshot collected successfully"
95+ # Take "after" snapshot of the system
96+ - task : PowerShell@2
97+ displayName : ' 🛡️ ASA - Collect After Snapshot'
98+ inputs :
99+ targetType : inline
100+ script : |
101+ Write-Host "Taking 'after' snapshot of system state..."
102+ asa collect -r after --verbose
103+ if ($LASTEXITCODE -ne 0) {
104+ Write-Error "Failed to collect 'after' snapshot"
105+ exit 1
106+ }
107+ Write-Host "✅ After snapshot collected successfully"
110108
111- # Export comparison results
112- - task : PowerShell@2
113- displayName : ' 🛡️ ASA - Export Comparison Results'
114- inputs :
115- targetType : inline
116- script : |
117- Write-Host "Comparing before and after snapshots..."
118-
119- # Create output directory for results
120- $resultsDir = "$(Build.ArtifactStagingDirectory)\ASA_Results"
121- New-Item -ItemType Directory -Force -Path $resultsDir | Out-Null
122-
123- # Export results to JSON
124- asa export-collect -f before after -o "$resultsDir\asa-comparison.json" --verbose
125- if ($LASTEXITCODE -ne 0) {
126- Write-Error "Failed to export comparison results"
127- exit 1
128- }
129-
130- # Also export to HTML for easier viewing
131- asa export-collect -f before after -o "$resultsDir\asa-comparison.html" --verbose
132-
133- Write-Host "✅ Comparison results exported successfully"
134- Write-Host "Results location: $resultsDir"
109+ # Export comparison results
110+ - task : PowerShell@2
111+ displayName : ' 🛡️ ASA - Export Comparison Results'
112+ inputs :
113+ targetType : inline
114+ script : |
115+ Write-Host "Comparing before and after snapshots..."
116+
117+ # Create output directory for results
118+ $resultsDir = "$(Build.ArtifactStagingDirectory)\ASA_Results"
119+ New-Item -ItemType Directory -Force -Path $resultsDir | Out-Null
120+
121+ # Export results to JSON
122+ asa export-collect -f before after -o "$resultsDir\asa-comparison.json" --verbose
123+ if ($LASTEXITCODE -ne 0) {
124+ Write-Error "Failed to export comparison results"
125+ exit 1
126+ }
127+
128+ # Also export to HTML for easier viewing
129+ asa export-collect -f before after -o "$resultsDir\asa-comparison.html" --verbose
130+
131+ Write-Host "✅ Comparison results exported successfully"
132+ Write-Host "Results location: $resultsDir"
135133
136- # Analyze results and check for security issues
137- - task : PowerShell@2
138- displayName : ' 🛡️ ASA - Analyze Results'
139- inputs :
140- targetType : inline
141- script : |
142- Write-Host "Analyzing ASA results for security regressions..."
143-
144- $resultsFile = "$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.json"
145-
146- if (-not (Test-Path $resultsFile)) {
147- Write-Error "Results file not found: $resultsFile"
148- exit 1
134+ # Analyze results and check for security issues
135+ - task : PowerShell@2
136+ displayName : ' 🛡️ ASA - Analyze Results'
137+ inputs :
138+ targetType : inline
139+ script : |
140+ Write-Host "Analyzing ASA results for security regressions..."
141+
142+ $resultsFile = "$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.json"
143+
144+ if (-not (Test-Path $resultsFile)) {
145+ Write-Error "Results file not found: $resultsFile"
146+ exit 1
147+ }
148+
149+ # Load and analyze the results
150+ $results = Get-Content $resultsFile | ConvertFrom-Json
151+
152+ Write-Host "📊 ASA Analysis Summary:"
153+ Write-Host "========================"
154+
155+ # Count changes by category
156+ $changeCount = 0
157+ if ($results) {
158+ if ($results.PSObject.Properties['Results']) {
159+ $changeCount = $results.Results.Count
149160 }
150-
151- # Load and analyze the results
152- $results = Get-Content $resultsFile | ConvertFrom-Json
153-
154- Write-Host "📊 ASA Analysis Summary:"
155- Write-Host "========================"
156-
157- # Count changes by category
158- $changeCount = 0
159- if ($results) {
160- if ($results.PSObject.Properties['Results']) {
161- $changeCount = $results.Results.Count
162- }
163- }
164-
165- Write-Host "Total changes detected: $changeCount"
166-
167- # For SDL compliance, we should review any changes
168- # Particularly focus on:
169- # - Registry permission changes
170- # - File permission changes
171- # - Service installations
172- # - Firewall rule changes
173- # - Certificate store modifications
174-
175- if ($changeCount -gt 0) {
176- Write-Host "⚠️ Changes detected during build process"
177- Write-Host "Review the exported results for security implications"
178- Write-Host "Results available in build artifacts: ASA_Results"
179- } else {
180- Write-Host "✅ No significant system changes detected"
181- }
182-
183- # For now, we'll treat this as informational
184- # In production, you might want to fail on certain types of changes
185- Write-Host "ASA analysis completed"
186- continueOnError : ${{ parameters.complianceWarnOnly }}
161+ }
162+
163+ Write-Host "Total changes detected: $changeCount"
164+
165+ # For SDL compliance, we should review any changes
166+ # Particularly focus on:
167+ # - Registry permission changes
168+ # - File permission changes
169+ # - Service installations
170+ # - Firewall rule changes
171+ # - Certificate store modifications
172+
173+ if ($changeCount -gt 0) {
174+ Write-Host "⚠️ Changes detected during build process"
175+ Write-Host "Review the exported results for security implications"
176+ Write-Host "Results available in build artifacts: ASA_Results"
177+ } else {
178+ Write-Host "✅ No significant system changes detected"
179+ }
180+
181+ # For now, we'll treat this as informational
182+ # In production, you might want to fail on certain types of changes
183+ Write-Host "ASA analysis completed"
184+ continueOnError : ${{ parameters.complianceWarnOnly }}
187185
188- # Publish ASA results as build artifact
189- - task : PublishBuildArtifacts@1
190- displayName : ' 🛡️ Publish ASA Results'
191- inputs :
192- PathtoPublish : ' $(Build.ArtifactStagingDirectory)\ASA_Results'
193- ArtifactName : ' ASA_Results'
194- publishLocation : ' Container'
195- condition : always()
186+ # Publish ASA results as build artifact
187+ - task : PublishBuildArtifacts@1
188+ displayName : ' 🛡️ Publish ASA Results'
189+ inputs :
190+ PathtoPublish : ' $(Build.ArtifactStagingDirectory)\ASA_Results'
191+ ArtifactName : ' ASA_Results'
192+ publishLocation : ' Container'
193+ condition : always()
196194
197- # Generate summary for PR
198- - task : PowerShell@2
199- displayName : ' 🛡️ ASA - Generate PR Summary'
200- inputs :
201- targetType : inline
202- script : |
203- Write-Host "Generating ASA summary for PR..."
204-
205- $resultsFile = "$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.json"
206-
207- if (Test-Path $resultsFile) {
208- Write-Host "##vso[task.uploadsummary]$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.html"
209- Write-Host "✅ ASA summary will be available in PR"
210- }
211- condition : always()
195+ # Generate summary for PR
196+ - task : PowerShell@2
197+ displayName : ' 🛡️ ASA - Generate PR Summary'
198+ inputs :
199+ targetType : inline
200+ script : |
201+ Write-Host "Generating ASA summary for PR..."
202+
203+ $resultsFile = "$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.json"
204+
205+ if (Test-Path $resultsFile) {
206+ Write-Host "##vso[task.uploadsummary]$(Build.ArtifactStagingDirectory)\ASA_Results\asa-comparison.html"
207+ Write-Host "✅ ASA summary will be available in PR"
208+ }
209+ condition : always()
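Review bot: The install step at new lines 49-50 pulls `Microsoft.CST.AttackSurfaceAnalyzer.CLI` at whatever version the tool feed currently serves, and with the `SecurePullRequest` gate removed that unpinned fetch now runs in every build environment; pin it, e.g. `dotnet tool install --global Microsoft.CST.AttackSurfaceAnalyzer.CLI --version <PINNED_ASA_VERSION>` (placeholder for the vetted version), so a feed change cannot silently alter what the snapshot job executes, and check `$LASTEXITCODE` right after the install rather than relying on `asa --version` to catch it indirectly. Separately, the HTML export at new line 129 has no exit-code check while the JSON export just above it does, and the summary step at new lines 205-206 tests for the `.json` file but uploads the `.html` one, so a failed HTML export still reaches `task.uploadsummary` with a missing path; add `if ($LASTEXITCODE -ne 0) { Write-Error "Failed to export HTML comparison"; exit 1 }` after the HTML export and make the summary step `Test-Path` the `.html` file it actually uploads. The change does not record why the job should now also run for `SecurePullRequest`; a one-line comment above `- job : AttackSurfaceAnalyzer` stating that intent would keep the next reader from re-adding the old condition.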