Update dependencies from https://github.com/dotnet/arcade build 20190604.1 (#24944)

- Microsoft.DotNet.Arcade.Sdk - 1.0.0-beta.19304.1
- Microsoft.DotNet.Build.Tasks.Feed - 2.2.0-beta.19304.1
- Microsoft.DotNet.Build.Tasks.Packaging - 1.0.0-beta.19304.1
- Microsoft.DotNet.Helix.Sdk - 2.0.0-beta.19304.1

6 files changed, 278 insertions, 0 deletions

diff --git a/eng/common/sdl/NuGet.config b/eng/common/sdl/NuGet.config
new file mode 100644
index 0000000000..0c5451c114
--- /dev/null
+++ b/eng/common/sdl/NuGet.config
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <solution>
+    <add key="disableSourceControlIntegration" value="true" />
+  </solution>
+  <packageSources>
+    <clear />
+    <add key="guardian" value="https://securitytools.pkgs.visualstudio.com/_packaging/Guardian/nuget/v3/index.json" />
+  </packageSources>
+  <disabledPackageSources>
+    <clear />
+  </disabledPackageSources>
+</configuration>
diff --git a/eng/common/sdl/execute-all-sdl-tools.ps1 b/eng/common/sdl/execute-all-sdl-tools.ps1
new file mode 100644
index 0000000000..74080f22d1
--- /dev/null
+++ b/eng/common/sdl/execute-all-sdl-tools.ps1
@@ -0,0 +1,97 @@
+Param(
+  [string] $GuardianPackageName,                        # Required: the name of guardian CLI pacakge (not needed if GuardianCliLocation is specified)
+  [string] $NugetPackageDirectory,                      # Required: directory where NuGet packages are installed (not needed if GuardianCliLocation is specified)
+  [string] $GuardianCliLocation,                        # Optional: Direct location of Guardian CLI executable if GuardianPackageName & NugetPackageDirectory are not specified
+  [string] $Repository,                                 # Required: the name of the repository (e.g. dotnet/arcade)
+  [string] $BranchName="master",                        # Optional: name of branch or version of gdn settings; defaults to master
+  [string] $SourceDirectory,                            # Required: the directory where source files are located
+  [string] $ArtifactsDirectory,                         # Required: the directory where build artifacts are located
+  [string] $DncEngAccessToken,                          # Required: access token for dnceng; should be provided via KeyVault
+  [string[]] $SourceToolsList,                          # Optional: list of SDL tools to run on source code
+  [string[]] $ArtifactToolsList,                        # Optional: list of SDL tools to run on built artifacts
+  [bool] $TsaPublish=$False,                            # Optional: true will publish results to TSA; only set to true after onboarding to TSA; TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaBranchName=$env:BUILD_SOURCEBRANCHNAME,  # Optional: required for TSA publish; defaults to $(Build.SourceBranchName); TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaRepositoryName,                          # Optional: TSA repository name; will be generated automatically if not submitted; TSA is the automated framework used to upload test results as bugs.
+  [string] $BuildNumber=$env:BUILD_BUILDNUMBER,         # Optional: required for TSA publish; defaults to $(Build.BuildNumber)
+  [bool] $UpdateBaseline=$False,                        # Optional: if true, will update the baseline in the repository; should only be run after fixing any issues which need to be fixed
+  [bool] $TsaOnboard=$False,                            # Optional: if true, will onboard the repository to TSA; should only be run once; TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaInstanceUrl,                             # Optional: only needed if TsaOnboard or TsaPublish is true; the instance-url registered with TSA; TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaCodebaseName,                            # Optional: only needed if TsaOnboard or TsaPublish is true; the name of the codebase registered with TSA; TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaProjectName,                             # Optional: only needed if TsaOnboard or TsaPublish is true; the name of the project registered with TSA; TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaNotificationEmail,                       # Optional: only needed if TsaOnboard is true; the email(s) which will receive notifications of TSA bug filings (e.g. alias@microsoft.com); TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaCodebaseAdmin,                           # Optional: only needed if TsaOnboard is true; the aliases which are admins of the TSA codebase (e.g. DOMAIN\alias); TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaBugAreaPath,                             # Optional: only needed if TsaOnboard is true; the area path where TSA will file bugs in AzDO; TSA is the automated framework used to upload test results as bugs.
+  [string] $TsaIterationPath,                           # Optional: only needed if TsaOnboard is true; the iteration path where TSA will file bugs in AzDO; TSA is the automated framework used to upload test results as bugs.
+  [string] $GuardianLoggerLevel="Standard"              # Optional: the logger level for the Guardian CLI; options are Trace, Verbose, Standard, Warning, and Error
+)
+
+$ErrorActionPreference = "Stop"
+Set-StrictMode -Version 2.0
+$LASTEXITCODE = 0
+
+#Replace repo names to the format of org/repo
+if (!($Repository.contains('/'))) {
+  $RepoName = $Repository -replace '(.*?)-(.*)', '$1/$2';
+}
+else{
+  $RepoName = $Repository;
+}
+
+if ($GuardianPackageName) {
+  $guardianCliLocation = Join-Path $NugetPackageDirectory (Join-Path $GuardianPackageName (Join-Path "tools" "guardian.cmd"))
+} else {
+  $guardianCliLocation = $GuardianCliLocation
+}
+
+$ValidPath = Test-Path $guardianCliLocation
+
+if ($ValidPath -eq $False)
+{
+  Write-Host "Invalid Guardian CLI Location."
+  exit 1
+}
+
+& $(Join-Path $PSScriptRoot "init-sdl.ps1") -GuardianCliLocation $guardianCliLocation -Repository $RepoName -BranchName $BranchName -WorkingDirectory $ArtifactsDirectory -DncEngAccessToken $DncEngAccessToken -GuardianLoggerLevel $GuardianLoggerLevel
+$gdnFolder = Join-Path $ArtifactsDirectory ".gdn"
+
+if ($TsaOnboard) {
+  if ($TsaCodebaseName -and $TsaNotificationEmail -and $TsaCodebaseAdmin -and $TsaBugAreaPath) {
+    Write-Host "$guardianCliLocation tsa-onboard --codebase-name `"$TsaCodebaseName`" --notification-alias `"$TsaNotificationEmail`" --codebase-admin `"$TsaCodebaseAdmin`" --instance-url `"$TsaInstanceUrl`" --project-name `"$TsaProjectName`" --area-path `"$TsaBugAreaPath`" --iteration-path `"$TsaIterationPath`" --working-directory $ArtifactsDirectory --logger-level $GuardianLoggerLevel"
+    & $guardianCliLocation tsa-onboard --codebase-name "$TsaCodebaseName" --notification-alias "$TsaNotificationEmail" --codebase-admin "$TsaCodebaseAdmin" --instance-url "$TsaInstanceUrl" --project-name "$TsaProjectName" --area-path "$TsaBugAreaPath" --iteration-path "$TsaIterationPath" --working-directory $ArtifactsDirectory --logger-level $GuardianLoggerLevel
+    if ($LASTEXITCODE -ne 0) {
+      Write-Host "Guardian tsa-onboard failed with exit code $LASTEXITCODE."
+      exit $LASTEXITCODE
+    }
+  } else {
+    Write-Host "Could not onboard to TSA -- not all required values ($$TsaCodebaseName, $$TsaNotificationEmail, $$TsaCodebaseAdmin, $$TsaBugAreaPath) were specified."
+    exit 1
+  }
+}
+
+if ($ArtifactToolsList -and $ArtifactToolsList.Count -gt 0) {
+  & $(Join-Path $PSScriptRoot "run-sdl.ps1") -GuardianCliLocation $guardianCliLocation -WorkingDirectory $ArtifactsDirectory -TargetDirectory $ArtifactsDirectory -GdnFolder $gdnFolder -ToolsList $ArtifactToolsList -DncEngAccessToken $DncEngAccessToken -UpdateBaseline $UpdateBaseline -GuardianLoggerLevel $GuardianLoggerLevel
+}
+if ($SourceToolsList -and $SourceToolsList.Count -gt 0) {
+  & $(Join-Path $PSScriptRoot "run-sdl.ps1") -GuardianCliLocation $guardianCliLocation -WorkingDirectory $ArtifactsDirectory -TargetDirectory $SourceDirectory -GdnFolder $gdnFolder -ToolsList $SourceToolsList -DncEngAccessToken $DncEngAccessToken -UpdateBaseline $UpdateBaseline -GuardianLoggerLevel $GuardianLoggerLevel
+}
+
+if ($UpdateBaseline) {
+  & (Join-Path $PSScriptRoot "push-gdn.ps1") -Repository $RepoName -BranchName $BranchName -GdnFolder $GdnFolder -DncEngAccessToken $DncEngAccessToken -PushReason "Update baseline"
+}
+
+if ($TsaPublish) {
+  if ($TsaBranchName -and $BuildNumber) {
+    if (-not $TsaRepositoryName) {
+      $TsaRepositoryName = "$($Repository)-$($BranchName)"
+    }
+    Write-Host "$guardianCliLocation tsa-publish --all-tools --repository-name `"$TsaRepositoryName`" --branch-name `"$TsaBranchName`" --build-number `"$BuildNumber`" --codebase-name `"$TsaCodebaseName`" --notification-alias `"$TsaNotificationEmail`" --codebase-admin `"$TsaCodebaseAdmin`" --instance-url `"$TsaInstanceUrl`" --project-name `"$TsaProjectName`" --area-path `"$TsaBugAreaPath`" --iteration-path `"$TsaIterationPath`" --working-directory $SourceDirectory --logger-level $GuardianLoggerLevel"
+    & $guardianCliLocation tsa-publish --all-tools --repository-name "$TsaRepositoryName" --branch-name "$TsaBranchName" --build-number "$BuildNumber" --codebase-name "$TsaCodebaseName" --notification-alias "$TsaNotificationEmail" --codebase-admin "$TsaCodebaseAdmin" --instance-url "$TsaInstanceUrl" --project-name "$TsaProjectName" --area-path "$TsaBugAreaPath" --iteration-path "$TsaIterationPath" --working-directory $ArtifactsDirectory  --logger-level $GuardianLoggerLevel
+    if ($LASTEXITCODE -ne 0) {
+      Write-Host "Guardian tsa-publish failed with exit code $LASTEXITCODE."
+      exit $LASTEXITCODE
+    }
+  } else {
+    Write-Host "Could not publish to TSA -- not all required values ($$TsaBranchName, $$BuildNumber) were specified."
+    exit 1
+  }
+}
diff --git a/eng/common/sdl/init-sdl.ps1 b/eng/common/sdl/init-sdl.ps1
new file mode 100644
index 0000000000..cbf5c36a8f
--- /dev/null
+++ b/eng/common/sdl/init-sdl.ps1
@@ -0,0 +1,48 @@
+Param(
+  [string] $GuardianCliLocation,
+  [string] $Repository,
+  [string] $BranchName="master",
+  [string] $WorkingDirectory,
+  [string] $DncEngAccessToken,
+  [string] $GuardianLoggerLevel="Standard"
+)
+
+$ErrorActionPreference = "Stop"
+Set-StrictMode -Version 2.0
+$LASTEXITCODE = 0
+
+# Construct basic auth from AzDO access token; construct URI to the repository's gdn folder stored in that repository; construct location of zip file
+$encodedPat = [Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes(":$DncEngAccessToken"))
+$escapedRepository = [Uri]::EscapeDataString("/$Repository/$BranchName/.gdn")
+$uri = "https://dev.azure.com/dnceng/internal/_apis/git/repositories/sdl-tool-cfg/Items?path=$escapedRepository&versionDescriptor[versionOptions]=0&`$format=zip&api-version=5.0-preview.1"
+$zipFile = "$WorkingDirectory/gdn.zip"
+
+Add-Type -AssemblyName System.IO.Compression.FileSystem
+$gdnFolder = (Join-Path $WorkingDirectory ".gdn")
+Try
+{
+  # We try to download the zip; if the request fails (e.g. the file doesn't exist), we catch it and init guardian instead
+  Write-Host "Downloading gdn folder from internal config repostiory..."
+  Invoke-WebRequest -Headers @{ "Accept"="application/zip"; "Authorization"="Basic $encodedPat" } -Uri $uri -OutFile $zipFile
+  if (Test-Path $gdnFolder) {
+    # Remove the gdn folder if it exists (it shouldn't unless there's too much caching; this is just in case)
+    Remove-Item -Force -Recurse $gdnFolder
+  }
+  [System.IO.Compression.ZipFile]::ExtractToDirectory($zipFile, $WorkingDirectory)
+  Write-Host $gdnFolder
+} Catch [System.Net.WebException] {
+  # if the folder does not exist, we'll do a guardian init and push it to the remote repository
+  Write-Host "Initializing Guardian..."
+  Write-Host "$GuardianCliLocation init --working-directory $WorkingDirectory --logger-level $GuardianLoggerLevel"
+  & $GuardianCliLocation init --working-directory $WorkingDirectory --logger-level $GuardianLoggerLevel
+  if ($LASTEXITCODE -ne 0) {
+    Write-Error "Guardian init failed with exit code $LASTEXITCODE."
+  }
+  # We create the mainbaseline so it can be edited later
+  Write-Host "$GuardianCliLocation baseline --working-directory $WorkingDirectory --name mainbaseline"
+  & $GuardianCliLocation baseline --working-directory $WorkingDirectory --name mainbaseline
+  if ($LASTEXITCODE -ne 0) {
+    Write-Error "Guardian baseline failed with exit code $LASTEXITCODE."
+  }
+  & $(Join-Path $PSScriptRoot "push-gdn.ps1") -Repository $Repository -BranchName $BranchName -GdnFolder $gdnFolder -DncEngAccessToken $DncEngAccessToken -PushReason "Initialize gdn folder"
+}
\ No newline at end of file
diff --git a/eng/common/sdl/packages.config b/eng/common/sdl/packages.config
new file mode 100644
index 0000000000..b054737df1
--- /dev/null
+++ b/eng/common/sdl/packages.config
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Microsoft.Guardian.Cli" version="0.3.2"/>
+</packages>
diff --git a/eng/common/sdl/push-gdn.ps1 b/eng/common/sdl/push-gdn.ps1
new file mode 100644
index 0000000000..cacaf8e912
--- /dev/null
+++ b/eng/common/sdl/push-gdn.ps1
@@ -0,0 +1,51 @@
+Param(
+  [string] $Repository,
+  [string] $BranchName="master",
+  [string] $GdnFolder,
+  [string] $DncEngAccessToken,
+  [string] $PushReason
+)
+
+$ErrorActionPreference = "Stop"
+Set-StrictMode -Version 2.0
+$LASTEXITCODE = 0
+
+# We create the temp directory where we'll store the sdl-config repository
+$sdlDir = Join-Path $env:TEMP "sdl"
+if (Test-Path $sdlDir) {
+  Remove-Item -Force -Recurse $sdlDir
+}
+
+Write-Host "git clone https://dnceng:`$DncEngAccessToken@dev.azure.com/dnceng/internal/_git/sdl-tool-cfg $sdlDir"
+git clone https://dnceng:$DncEngAccessToken@dev.azure.com/dnceng/internal/_git/sdl-tool-cfg $sdlDir
+if ($LASTEXITCODE -ne 0) {
+  Write-Error "Git clone failed with exit code $LASTEXITCODE."
+}
+# We copy the .gdn folder from our local run into the git repository so it can be committed
+$sdlRepositoryFolder = Join-Path (Join-Path (Join-Path $sdlDir $Repository) $BranchName) ".gdn"
+if (Get-Command Robocopy) {
+  Robocopy /S $GdnFolder $sdlRepositoryFolder
+} else {
+  rsync -r $GdnFolder $sdlRepositoryFolder
+}
+# cd to the sdl-config directory so we can run git there
+Push-Location $sdlDir
+# git add . --> git commit --> git push
+Write-Host "git add ."
+git add .
+if ($LASTEXITCODE -ne 0) {
+  Write-Error "Git add failed with exit code $LASTEXITCODE."
+}
+Write-Host "git -c user.email=`"dn-bot@microsoft.com`" -c user.name=`"Dotnet Bot`" commit -m `"$PushReason for $Repository/$BranchName`""
+git -c user.email="dn-bot@microsoft.com" -c user.name="Dotnet Bot" commit -m "$PushReason for $Repository/$BranchName"
+if ($LASTEXITCODE -ne 0) {
+  Write-Error "Git commit failed with exit code $LASTEXITCODE."
+}
+Write-Host "git push"
+git push
+if ($LASTEXITCODE -ne 0) {
+  Write-Error "Git push failed with exit code $LASTEXITCODE."
+}
+
+# Return to the original directory
+Pop-Location
\ No newline at end of file
diff --git a/eng/common/sdl/run-sdl.ps1 b/eng/common/sdl/run-sdl.ps1
new file mode 100644
index 0000000000..e6a86d03a2
--- /dev/null
+++ b/eng/common/sdl/run-sdl.ps1
@@ -0,0 +1,65 @@
+Param(
+  [string] $GuardianCliLocation,
+  [string] $WorkingDirectory,
+  [string] $TargetDirectory,
+  [string] $GdnFolder,
+  [string[]] $ToolsList,
+  [string] $UpdateBaseline,
+  [string] $GuardianLoggerLevel="Standard"
+)
+
+$ErrorActionPreference = "Stop"
+Set-StrictMode -Version 2.0
+$LASTEXITCODE = 0
+
+# We store config files in the r directory of .gdn
+Write-Host $ToolsList
+$gdnConfigPath = Join-Path $GdnFolder "r"
+$ValidPath = Test-Path $GuardianCliLocation
+
+if ($ValidPath -eq $False)
+{
+  Write-Host "Invalid Guardian CLI Location."
+  exit 1
+}
+
+foreach ($tool in $ToolsList) {
+  $gdnConfigFile = Join-Path $gdnConfigPath "$tool-configure.gdnconfig"
+  $config = $False
+  Write-Host $tool
+  # We have to manually configure tools that run on source to look at the source directory only
+  if ($tool -eq "credscan") {
+    Write-Host "$GuardianCliLocation configure --working-directory $WorkingDirectory --tool $tool --output-path $gdnConfigFile --logger-level $GuardianLoggerLevel --noninteractive --force --args `" TargetDirectory : $TargetDirectory `""
+    & $GuardianCliLocation configure --working-directory $WorkingDirectory --tool $tool --output-path $gdnConfigFile --logger-level $GuardianLoggerLevel --noninteractive --force --args " TargetDirectory : $TargetDirectory "
+    if ($LASTEXITCODE -ne 0) {
+      Write-Host "Guardian configure for $tool failed with exit code $LASTEXITCODE."
+      exit $LASTEXITCODE
+    }
+    $config = $True
+  }
+  if ($tool -eq "policheck") {
+    Write-Host "$GuardianCliLocation configure --working-directory $WorkingDirectory --tool $tool --output-path $gdnConfigFile --logger-level $GuardianLoggerLevel --noninteractive --force --args `" Target : $TargetDirectory `""
+    & $GuardianCliLocation configure --working-directory $WorkingDirectory --tool $tool --output-path $gdnConfigFile --logger-level $GuardianLoggerLevel --noninteractive --force --args " Target : $TargetDirectory "
+    if ($LASTEXITCODE -ne 0) {
+      Write-Host "Guardian configure for $tool failed with exit code $LASTEXITCODE."
+      exit $LASTEXITCODE
+    }
+    $config = $True
+  }
+
+  Write-Host "$GuardianCliLocation run --working-directory $WorkingDirectory --tool $tool --baseline mainbaseline --update-baseline $UpdateBaseline --logger-level $GuardianLoggerLevel --config $gdnConfigFile $config"
+  if ($config) {
+    & $GuardianCliLocation run --working-directory $WorkingDirectory --tool $tool --baseline mainbaseline --update-baseline $UpdateBaseline --logger-level $GuardianLoggerLevel --config $gdnConfigFile
+    if ($LASTEXITCODE -ne 0) {
+      Write-Host "Guardian run for $tool using $gdnConfigFile failed with exit code $LASTEXITCODE."
+      exit $LASTEXITCODE
+    }
+  } else {
+    & $GuardianCliLocation run --working-directory $WorkingDirectory --tool $tool --baseline mainbaseline --update-baseline $UpdateBaseline --logger-level $GuardianLoggerLevel
+    if ($LASTEXITCODE -ne 0) {
+      Write-Host "Guardian run for $tool failed with exit code $LASTEXITCODE."
+      exit $LASTEXITCODE
+    }
+  }
+}
+