[ci] Add API Scan job (#9)

Context: https://devdiv.visualstudio.com/DevDiv/_wiki/wikis/DevDiv.wiki/25351/APIScan-step-by-step-guide-to-setting-up-a-Pipeline
Context: https://portal.microsofticm.com/imp/v3/incidents/incident/480553298/summary

The `APIScan@2` task has been added to pipeline runs against `main`.
This task should help us identify related issues earlier, rather than
having to wait for a full scan of VS.

Note: we rename many of the `.exe`s, e.g. rename `lld.exe` to `ld.exe`.
This prevents APIScan from finding symbol files, as APIScan appears to
check for a `.pdb` file matching the *original* filename, e.g. it needs
`lld.pdb` (original name), *not* `ld.pdb` (to match renamed `ld.exe`).

Update `package.sh` so that the original `*.pdb` filenames are copied
into `${artifacts_source_bin}`, so that APIScan can find symbols.

Author: pjcollins

build-llvm.cmd

@@ -5,7 +5,7 @@ set SOURCE_DIR=%MY_DIR%external\llvm\llvm
 set PROJECTS=lld
 set TARGETS=X86;ARM;AArch64
 set BINARIES=llvm-mc.exe llvm-strip.exe lld.exe llc.exe
-set PDBS=llvm-mc.pdb llvm-strip.pdb lld.pdb llc.pdb
+set PDBS=llvm-mc.pdb llvm-objcopy.pdb llvm-strip.pdb lld.pdb llc.pdb
 
 set HOST_BUILD_DIR=%BUILD_DIR%\%HOST%\llvm
 set HOST_BIN_DIR=%HOST_BUILD_DIR%\Release\bin
@@ -71,7 +71,7 @@ IF %ERRORLEVEL% GEQ 1 EXIT /B 5
 move %HOST_BIN_DIR%\llvm-objcopy.exe %HOST_BIN_DIR%\llvm-strip.exe
 IF %ERRORLEVEL% GEQ 1 EXIT /B 6
 
-move %HOST_BIN_DIR%\llvm-objcopy.pdb %HOST_BIN_DIR%\llvm-strip.pdb
+copy %HOST_BIN_DIR%\llvm-objcopy.pdb %HOST_BIN_DIR%\llvm-strip.pdb
 IF %ERRORLEVEL% GEQ 1 EXIT /B 7
 
 for %%b in (%BINARIES%) DO (

build-tools/automation/azure-pipelines.yml

@@ -28,6 +28,8 @@ resources:
     ref: refs/tags/release
 
 parameters:
+- name: ApiScanSourceBranch
+  default: refs/heads/main
 - name: SignArtifactsOverride
   default: false
 - name: Skip1ESComplianceTasks
@@ -44,6 +46,10 @@ variables:
     value: android-llvm-toolchain-signed
   ${{ else }}:
     value: android-llvm-toolchain-unsigned
+- name: ApiScanSoftwareName
+  value: VS
+- name: ApiScanSoftwareVersion
+  value: 17.10
 - name: TeamName
   value: XamarinAndroid
 - name: BUILD_DIR
@@ -296,3 +302,71 @@ extends:
           inputs:
             TargetFolders: $(Build.SourcesDirectory)\artifacts
             ExcludeSNVerify: true
+
+
+    - stage: Compliance
+      displayName: Compliance
+      dependsOn: package
+      condition: and(eq(dependencies.package.result, 'Succeeded'), eq(variables['Build.SourceBranch'], '${{ parameters.ApiScanSourceBranch }}'))
+      jobs:
+      - job: api_scan
+        displayName: API Scan
+        pool: $(MicroBuildPoolName)
+        timeoutInMinutes: 360
+        workspace:
+          clean: all
+        steps:
+        - task: DownloadPipelineArtifact@2
+          inputs:
+            artifactName: $(ToolchainArtifactName)
+            downloadPath: $(Build.StagingDirectory)\toolchain-zip
+
+        - task: ExtractFiles@1
+          displayName: Extract $(ToolchainArtifactName)
+          inputs:
+            archiveFilePatterns: $(Build.StagingDirectory)\**\*.zip
+            destinationFolder: $(Build.SourcesDirectory)\binutils
+
+        - task: CopyFiles@2
+          displayName: Collect Files for APIScan
+          inputs:
+            Contents: |
+              $(Build.SourcesDirectory)\binutils\windows\**\?(*.dll|*.exe|*.pdb)
+            TargetFolder: $(Agent.TempDirectory)\T
+
+        - powershell: Get-ChildItem -Path "$(Agent.TempDirectory)\T" -Recurse
+          displayName: List Files for APIScan
+
+        - task: APIScan@2
+          displayName: Run APIScan
+          inputs:
+            softwareFolder: $(Agent.TempDirectory)\T
+            symbolsFolder: 'SRV*http://symweb;$(Agent.TempDirectory)\T'
+            softwareName: $(ApiScanSoftwareName)
+            softwareVersionNum: $(ApiScanSoftwareVersion)
+            isLargeApp: true
+            toolVersion: Latest
+          env:
+            AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+
+        - task: SdtReport@2
+          displayName: Guardian Export - Security Report
+          inputs:
+            GdnExportAllTools: false
+            GdnExportGdnToolApiScan: true
+            GdnExportOutputSuppressionFile: apiscan.gdnsuppress
+
+        - task: PublishSecurityAnalysisLogs@3
+          displayName: Publish Guardian Artifacts
+          inputs:
+            ArtifactName: APIScan Logs
+            ArtifactType: Container
+            AllTools: false
+            APIScan: true
+            ToolLogsNotFoundAction: Warning
+
+        - task: PostAnalysis@2
+          displayName: Fail Build on Guardian Issues
+          inputs:
+            GdnBreakAllTools: false
+            GdnBreakGdnToolApiScan: true

package.sh

@@ -63,6 +63,8 @@ function prepare()
 		exe=".exe"
 		cmd=".cmd"
 
+		cp -P -a "${artifacts_source_bin}/llvm-objcopy.pdb" "${artifacts_dest_bin}/llvm-objcopy.pdb"
+		cp -P -a "${artifacts_source_bin}/lld.pdb" "${artifacts_dest_bin}/lld.pdb"
 		make_windows_wrapper_scripts "scripts/llvm-strip.cmd.in" "${artifacts_source_bin}" "strip"
 		make_windows_wrapper_scripts "scripts/gas.cmd.in" "${artifacts_source_bin}" "as"
 		make_windows_wrapper_scripts "scripts/ld.cmd.in" "${artifacts_source_bin}" "ld"