[ci] Migrate to the 1ES template (#135)

* [ci] Migrate to the 1ES template

Context: https://aka.ms/1espt

The build pipeline has been updated to extend the 1ES pipeline template,
which will keep the pipeline up to date with the latest compliance and
security requirements.

Compliance tasks and scans will run automatically as part of artifact
upload steps, which are now referred to as "outputs".  Template outputs
have replaced all instances of the `PublishPipelineArtifact` task.

* Use self template reference

* Test 1es-sign-artifacts yaml branch

* Set compiler/linker flags

* Test removal of xz submodule

* Update flags

* Update flags

* Test template pivot

* Add scan suppressions

* Use main templates branch

* Import more suppressions

* Bump to xz 5.4.6

* Update .gdn

* Use github.com/tukaani-project/xz

* Update suppressions path

* Update conditions and cl/link flags

* Update cl/link flags

* Update flags

* Try a different way to pass args to submodules

* Disable a warning we can't do much about

* Update gdnsuppress:

* Update build_windows, gdnsuppress

* Update gdnsuppress

* Update build images

* Install latest 7.0 sdk for test lanes

* Use latest 7.0 sdk

---------

Co-authored-by: Marek Habersack <grendel@twistedcode.net>

Author: pjcollins

.gdn/.gdnsettings

@@ -0,0 +1,7 @@
+{
+  "files": { },
+  "folders": { },
+  "overwriteLogs": true,
+  "telemetryFlushTimeout": 10,
+  "variables": { }
+}

.gdn/.gdnsuppress

@@ -0,0 +1,160 @@
+{
+  "hydrated": false,
+  "properties": {
+    "helpUri": "https://eng.ms/docs/microsoft-security/security/azure-security/cloudai-security-fundamentals-engineering/security-integration/guardian-wiki/microsoft-guardian/general/suppressions",
+    "hydrationStatus": "This file does not contain identifying data. It is safe to check into your repo. To hydrate this file with identifying data, run `guardian hydrate --help` and follow the guidance."
+  },
+  "version": "1.0.0",
+  "suppressionSets": {
+    "default": {
+      "name": "default",
+      "createdDate": "2024-02-13 23:43:02Z",
+      "lastUpdatedDate": "2024-02-15 20:19:17Z"
+    }
+  },
+  "results": {
+    "106ebf57147abe7cd400e99216306929d7fa316d10e3d30dc218c74b9bd7795e": {
+      "signature": "106ebf57147abe7cd400e99216306929d7fa316d10e3d30dc218c74b9bd7795e",
+      "alternativeSignatures": [
+        "f7e9384d5be4600dadfdbeceff23d1468f682e9d6998ce6d54f9379bbe1e535a"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Reference to an external vcpkg .ps1 file.",
+      "createdDate": "2024-02-13 23:43:02Z"
+    },
+    "cb309d5a322c6d545bc8304bc6bc21953f5d953dcc2ef54f9f66e9d2a41cd5af": {
+      "signature": "cb309d5a322c6d545bc8304bc6bc21953f5d953dcc2ef54f9f66e9d2a41cd5af",
+      "alternativeSignatures": [
+        "ff4304de20e5d510170ae65c7fe48212f33fcfa5c0a3d8a45eee175c04101153"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Suppressing BA2007 triggered by the addition of -wd4996 required to build external bzip2 dependency with /sdl flag.",
+      "createdDate": "2024-02-15 19:39:18Z"
+    },
+    "47d725f1446c35b0410c9774133d814fd3200f89bc0857bd81df4ac73ffcb90e": {
+      "signature": "47d725f1446c35b0410c9774133d814fd3200f89bc0857bd81df4ac73ffcb90e",
+      "alternativeSignatures": [
+        "4394b51c48c696764500c59f00680af353a9a744a82906347a413359f9cfd452"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Suppressing BA2007 triggered by the addition of -wd4996 required to build external bzip2 dependency with /sdl flag.",
+      "createdDate": "2024-02-15 19:39:18Z"
+    },
+    "5f3b04604481e5a1f6a33d01a244db1fc6b2fd02b3b078cf7dfe6cc04e076276": {
+      "signature": "5f3b04604481e5a1f6a33d01a244db1fc6b2fd02b3b078cf7dfe6cc04e076276",
+      "alternativeSignatures": [
+        "ba25311c4c43e2873bee240e8c4c68682272eb5bc58c97339791be287e8c96a2"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Suppressing BA2007 triggered by the addition of -wd4996 required to build external bzip2 dependency with /sdl flag.",
+      "createdDate": "2024-02-15 19:39:18Z"
+    },
+    "39b5eea31b6779ed59ae6854d2c15e17ceb93e3067a87138748fc8f02d734625": {
+      "signature": "39b5eea31b6779ed59ae6854d2c15e17ceb93e3067a87138748fc8f02d734625",
+      "alternativeSignatures": [
+        "59a87f4e078c6ab72fe39adc6139c86d18cddbcd40221114c4a683666bcaadf4"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win32 file 'example.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "4b61adeeb4b0237fbe2352c290a84dc686067351e66810c27192c6a00d9ecbc7": {
+      "signature": "4b61adeeb4b0237fbe2352c290a84dc686067351e66810c27192c6a00d9ecbc7",
+      "alternativeSignatures": [
+        "cf7a67d41e8f7415d089d7007de01417f73c41b842480682686b6b326042ef12"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win32 file 'minigzip.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "14d9bf44b59382ea3316fb01edba5c49251fac10cfa0b0e1c5e4053ea2daf7a7": {
+      "signature": "14d9bf44b59382ea3316fb01edba5c49251fac10cfa0b0e1c5e4053ea2daf7a7",
+      "alternativeSignatures": [
+        "34132c90cef21d1559d791ca3374054b3498293e9af99ebaf0a97ebdf2117359"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win32 file 'zlib.dll'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "32c95027d0378e43655c6ae1d1d94d175b5ae0a80f7a09ab5ef877c82c8613cf": {
+      "signature": "32c95027d0378e43655c6ae1d1d94d175b5ae0a80f7a09ab5ef877c82c8613cf",
+      "alternativeSignatures": [
+        "3b8cc35f6043d60895fc2b58aa0e340f26168e7276e77d32a2290ce8f52e87a7"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win64 file 'example.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "714c09b687b522c384ad4f562ad7fc22b4a3cc486f4e111da2ef9f9f7049bbd9": {
+      "signature": "714c09b687b522c384ad4f562ad7fc22b4a3cc486f4e111da2ef9f9f7049bbd9",
+      "alternativeSignatures": [
+        "c319ab28b12c0772a32e11a1b8adfbf5d31d940c26f65d547508fbbe067479c7"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win64 file 'minigzip.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "7d646d44fc117d94d024aeb65acccd6a6c78ea2f7a67a9925ec0720ca14fc16d": {
+      "signature": "7d646d44fc117d94d024aeb65acccd6a6c78ea2f7a67a9925ec0720ca14fc16d",
+      "alternativeSignatures": [
+        "b6cd355613757ef82eba700719a1957211688374b0841271340c10a65ca913ba"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/win64 file 'zlib.dll'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "075eeab70a88345e6e142f97544de5be84cb85c87ba36ec229a2a4df5d482337": {
+      "signature": "075eeab70a88345e6e142f97544de5be84cb85c87ba36ec229a2a4df5d482337",
+      "alternativeSignatures": [
+        "4cc6ffe05f61e35bd7fa57a5a4b4f82d050e684f11e15ce6eade601aa86d2b11"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/winarm64 file 'example.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "f9e7e5e304a91532f7615d252ba18ea11e52ba6eb28cd78f872a480423351256": {
+      "signature": "f9e7e5e304a91532f7615d252ba18ea11e52ba6eb28cd78f872a480423351256",
+      "alternativeSignatures": [
+        "13987557036db098921cee21a62d8dc557c4e4136a10220442388eb2f9f18607"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/winarm64 file 'minigzip.exe'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    },
+    "0ed7f92df9b8d3bf93cf6898af876e9e159b351ce0b2afeb6f153b453be5cdf9": {
+      "signature": "0ed7f92df9b8d3bf93cf6898af876e9e159b351ce0b2afeb6f153b453be5cdf9",
+      "alternativeSignatures": [
+        "d2dc95e0c5edbdb8ddf1de2e9585c7d55cc1a529edc5c3319da8ed818dc72abf"
+      ],
+      "memberOf": [
+        "default"
+      ],
+      "justification": "Unable to resolve BA2007 for external lzsbuild/deps/winarm64 file 'zlib.dll'.",
+      "createdDate": "2024-02-15 20:19:17Z"
+    }
+  }
+}

.gdn/.gitignore

@@ -0,0 +1,11 @@
+## Ignore Guardian internal files
+.r/
+rc/
+rs/
+i/
+p/
+c/
+o/
+
+## Ignore Guardian Local settings
+LocalSettings.gdn.json

.gitmodules

@@ -14,15 +14,11 @@
 	branch = master
 [submodule "external/xz"]
 	path = external/xz
-	url = https://git.tukaani.org/xz.git
-	branch = master
-
+	url = https://github.com/tukaani-project/xz
 [submodule "zlib"]
 	path = external/zlib
 	url = https://github.com/madler/zlib.git
 	branch = master
 [submodule "external/zstd"]
 	path = external/zstd
 	url = https://github.com/facebook/zstd.git
-[submodule "https://git.tukaani.org/xz.git"]
-	url = external/xz

CMakeLists.txt

@@ -228,7 +228,21 @@ if(UNIX)
     LINKER:-z,relro
     LINKER:-z,noexecstack
     LINKER:--no-undefined
-    )
+  )
+else()
+  set(COMMON_COMPILE_OPTIONS
+    /Qspectre
+    /guard:cf
+    /sdl
+    /wd4996
+  )
+
+  set(LINKER_OPTIONS
+    LINKER:/PROFILE
+    LINKER:/DYNAMICBASE
+    LINKER:/CETCOMPAT
+    LINKER:/guard:cf
+  )
 endif()
 
 if(APPLE AND BUILD_LIBZIP)
@@ -576,7 +590,6 @@ else()
     target_link_options(
       ${PROJECT_NAME}
       PRIVATE
-      /PROFILE
       /wholearchive:$<TARGET_FILE:zip>
       )
   endif()