Binary tooling (#18726)

Author: ellahathaway

eng/pipelines/templates/jobs/vmr-build.yml

@@ -386,6 +386,7 @@ jobs:
         find artifacts/ -type f -name "*.diff" -exec rsync -R {} -t ${targetFolder} \;
         if [[ "${{ parameters.buildSourceOnly }}" == "True" ]]; then
           find artifacts/prebuilt-report/ -exec rsync -R {} -t ${targetFolder} \;
+          find artifacts/log/binary-report/ -exec rsync -R {} -t ${targetFolder} \;
         fi
         find src/ -type f -name "*.binlog" -exec rsync -R {} -t ${targetFolder} \;
         find src/ -type f -name "*.log" -exec rsync -R {} -t ${targetFolder} \;

src/SourceBuild/content/eng/prep-source-build.sh

@@ -2,8 +2,9 @@
 
 ### Usage: $0
 ###
-###   Prepares the environment for a source build by downloading Private.SourceBuilt.Artifacts.*.tar.gz and
-###   installing the version of dotnet referenced in global.json
+###   Prepares the environment for a source build by downloading Private.SourceBuilt.Artifacts.*.tar.gz,
+###   installing the version of dotnet referenced in global.json,
+###   and detecting binaries and removing any non-SB allowed binaries.
 ###
 ### Options:
 ###   --no-artifacts              Exclude the download of the previously source-built artifacts archive
@@ -15,6 +16,21 @@
 ###   --runtime-source-feed       URL of a remote server or a local directory, from which SDKs and
 ###                               runtimes can be downloaded
 ###   --runtime-source-feed-key   Key for accessing the above server, if necessary
+###
+### Binary-Tooling options:
+###   --no-binary-tooling         Don't run the binary tooling
+###   --allowed-binaries          Path to the file containing the list of known binaries that are allowed
+###                               in the VMR and can be kept for source-building.
+###                               Default is src/installer/src/VirtualMonoRepo/allowed-binaries.txt
+###   --disallowed-sb-binaries    Path to the file containing the list of known binaries that are allowed
+###                               in the VMR but cannot be kept for source-building.
+###                               Default is null.
+###   --with-sdk                  Use the SDK in the specified directory
+###                               Default is the .NET SDK
+###   --with-packages             URL or specified directory to use as the source feed for packages
+###                               Default is the previously source-built artifacts archive
+###   --no-validate               Do not run validation. Only remove the binaries.
+###   --no-clean                  Do not remove the binaries. Only run the validation.
 
 set -euo pipefail
 IFS=$'\n\t'
@@ -26,15 +42,32 @@ function print_help () {
     sed -n '/^### /,/^$/p' "$source" | cut -b 5-
 }
 
+# SB prep default arguments
 defaultArtifactsRid='centos.8-x64'
 
+# Binary Tooling default arguments
+defaultAllowedBinaries="$REPO_ROOT/src/installer/src/VirtualMonoRepo/allowed-binaries.txt"
+defaultDotnetSdk="$REPO_ROOT/.dotnet"
+defaultPackagesDir="$REPO_ROOT/prereqs/packages"
+defaultMode="All"
+
+# SB prep arguments
 buildBootstrap=true
 downloadArtifacts=true
 downloadPrebuilts=true
 installDotnet=true
 artifactsRid=$defaultArtifactsRid
 runtime_source_feed='' # IBM requested these to support s390x scenarios
 runtime_source_feed_key='' # IBM requested these to support s390x scenarios
+
+# Binary Tooling arguments
+runBinaryTool=true
+allowedBinaries=$defaultAllowedBinaries
+disallowedSbBinaries=''
+dotnetSdk=$defaultDotnetSdk
+packagesSourceFeed=$defaultPackagesDir
+mode=$defaultMode
+
 positional_args=()
 while :; do
   if [ $# -le 0 ]; then
@@ -69,6 +102,47 @@ while :; do
       runtime_source_feed_key=$2
       shift
       ;;
+    --no-binary-tooling)
+      runBinaryTool=false
+      ;;
+    --allowed-binaries)
+      allowedBinaries=$2
+      if [ ! -f "$allowedBinaries" ]; then
+        echo "Allowed binaries file '$allowedBinaries' does not exist"
+        exit 1
+      fi
+      shift
+      ;;
+    --disallowed-sb-binaries)
+      disallowedSbBinaries=$2
+      if [ ! -f "$disallowedSbBinaries" ]; then
+        echo "Disallowed source build binaries file '$disallowedSbBinaries' does not exist"
+        exit 1
+      fi
+      shift
+      ;;
+    --with-sdk)
+      dotnetSdk=$2
+      if [ ! -d "$dotnetSdk" ]; then
+        echo "Custom SDK directory '$dotnetSdk' does not exist"
+        exit 1
+      fi
+      if [ ! -x "$dotnetSdk/dotnet" ]; then
+        echo "Custom SDK '$dotnetSdk/dotnet' does not exist or is not executable"
+        exit 1
+      fi
+      shift
+      ;;
+    --with-packages)
+      packagesSourceFeed=$2
+      shift
+      ;;
+    --no-clean)
+      mode="Validate"
+      ;;
+    --no-validate)
+      mode="Clean"
+      ;;
     *)
       positional_args+=("$1")
       ;;
@@ -112,6 +186,56 @@ if [ "$installDotnet" == true ] && [ -d "$REPO_ROOT/.dotnet" ]; then
   installDotnet=false;
 fi
 
+function ParseBinaryArgs {
+  # Attempting to run the binary tooling without an SDK will fail. So either the --with-sdk flag must be passed
+  # or a pre-existing .dotnet SDK directory must exist.
+  if [ "$dotnetSdk" == "$defaultDotnetSdk" ] && [ ! -d "$dotnetSdk" ]; then
+    echo "  ERROR: A pre-existing .dotnet SDK directory is needed if --with-sdk is not provided. \
+    Please either supply an SDK using --with-sdk or execute ./eng/prep-source-build.sh before proceeding. Exiting..."
+    exit 1
+  fi
+
+  ## Attemping to run the binary tooling without a packages directory or source-feed will fail. So either the
+  ## --with-packages flag must be passed with a valid directory or a pre-existing packages directory must exist.
+  if [ "$packagesSourceFeed" == "$defaultPackagesDir" ] && [ ! -d "$packagesSourceFeed" ]; then
+    echo "  ERROR: A pre-existing packages directory is needed if --with-packages is not provided. \
+    Please either supply a packages directory using --with-packages or \
+    execute ./eng/prep-source-build.sh with download artifacts enabled before proceeding. Exiting..."
+    exit 1
+  fi
+
+  # Attempting to run the binary tooling with a custom packages feed that does not
+  # have PackageVersions.props in the packages directory or source-feed will fail.
+  if [ "$packagesSourceFeed" != "$defaultPackagesDir" ] && [ ! -f "$packagesSourceFeed/PackageVersions.props" ]; then
+    echo "  ERROR: PackageVersions.props is needed in the packages directory or source-feed. Exiting..."
+    exit 1
+  fi
+
+  # Set up the packages source feed if we're using the default artifacts
+  previouslyBuiltPackagesDir="$defaultPackagesDir/previously-source-built"
+  packageArtifacts="$defaultPackagesDir/archive/Private.SourceBuilt.Artifacts.*.tar.gz"
+  if [ "$packagesSourceFeed" == "$defaultPackagesDir" ]; then
+    if [ -d "$previouslyBuiltPackagesDir" ]; then
+      echo "  Previously source built packages directory exists..."
+      echo "  Using $previouslyBuiltPackagesDir as the source-feed for the binary tooling..."
+      packagesSourceFeed="$previouslyBuiltPackagesDir"
+    elif [ -f ${packageArtifacts} ]; then
+      echo "  Unpacking Private.SourceBuilt.Artifacts.*.tar.gz to $previouslyBuiltPackagesDir..."
+      mkdir -p "$previouslyBuiltPackagesDir"
+      tar -xzf ${packageArtifacts} -C "$previouslyBuiltPackagesDir"
+      tar -xzf ${packageArtifacts} -C "$previouslyBuiltPackagesDir" PackageVersions.props
+
+      echo "  Using $previouslyBuiltPackagesDir as the source-feed for the binary tooling..."
+      packagesSourceFeed="$previouslyBuiltPackagesDir"
+    else
+      echo "  ERROR: A pre-existing package archive is needed if --with-packages is not provided. \
+      Please either supply a source-feed using --with-packages or execute ./eng/prep-source-build.sh \
+      with download artifacts enabled before proceeding. Exiting..."
+      exit 1
+    fi
+  fi
+}
+
 function DownloadArchive {
   archiveType="$1"
   isRequired="$2"
@@ -171,6 +295,18 @@ function BootstrapArtifacts {
   rm -rf "$workingDir"
 }
 
+function RunBinaryTool {
+  BinaryTool="$REPO_ROOT/eng/tools/BinaryToolKit"
+  TargetDir="$REPO_ROOT"
+  OutputDir="$REPO_ROOT/artifacts/log/binary-report"
+
+  # Set the environment variable for the packages source feed
+  export ARTIFACTS_PATH="$packagesSourceFeed"
+
+  # Run the BinaryDetection tool
+  "$dotnetSdk/dotnet" run --project "$BinaryTool" -c Release -p PackagesPropsDirectory="$packagesSourceFeed" "$TargetDir" "$OutputDir" -ab "$allowedBinaries" -db "$disallowedSbBinaries" -m $mode -l Debug
+}
+
 # Check for the version of dotnet to install
 if [ "$installDotnet" == true ]; then
   echo "  Installing dotnet..."
@@ -189,3 +325,8 @@ fi
 if [ "$downloadPrebuilts" == true ]; then
   DownloadArchive Prebuilts false $artifactsRid
 fi
+
+if [ "$runBinaryTool" == true ]; then
+  ParseBinaryArgs
+  RunBinaryTool
+fi

src/SourceBuild/content/eng/tools/BinaryToolKit/BinaryTool.cs

@@ -0,0 +1,100 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace BinaryToolKit;
+
+public class BinaryTool
+{
+    public async Task ExecuteAsync(
+        string targetDirectory,
+        string outputReportDirectory,
+        string? allowedBinariesFile,
+        string? disallowedSbBinariesFile,
+        Modes mode)
+    {
+        DateTime startTime = DateTime.Now;
+
+        Log.LogInformation($"Starting binary tool at {startTime} in {mode} mode");
+
+        // Parse args
+        targetDirectory = GetAndValidateFullPath(
+            "TargetDirectory",
+            targetDirectory,
+            isDirectory: true,
+            createIfNotExist: false,
+            isRequired: true)!;
+        outputReportDirectory = GetAndValidateFullPath(
+            "OutputReportDirectory",
+            outputReportDirectory,
+            isDirectory: true,
+            createIfNotExist: true,
+            isRequired: true)!;
+        allowedBinariesFile = GetAndValidateFullPath(
+            "AllowedBinariesFile",
+            allowedBinariesFile,
+            isDirectory: false,
+            createIfNotExist: false,
+            isRequired: false);
+        disallowedSbBinariesFile = GetAndValidateFullPath(
+            "DisallowedSbBinariesFile",
+            disallowedSbBinariesFile,
+            isDirectory: false,
+            createIfNotExist: false,
+            isRequired: false);
+
+        // Run the tooling
+        var detectedBinaries = await DetectBinaries.ExecuteAsync(targetDirectory);
+
+        var comparedBinaries = CompareBinariesAgainstBaselines
+            .Execute(
+                detectedBinaries,
+                allowedBinariesFile,
+                disallowedSbBinariesFile,
+                outputReportDirectory,
+                targetDirectory,
+                mode);
+
+        if (mode.HasFlag(Modes.Clean))
+        {
+            RemoveBinaries.Execute(comparedBinaries, targetDirectory);
+        }
+
+        Log.LogInformation("Finished all binary tasks. Took " + (DateTime.Now - startTime).TotalSeconds + " seconds.");
+    }
+
+    private string? GetAndValidateFullPath(
+        string parameterName,
+        string? path,
+        bool isDirectory,
+        bool createIfNotExist,
+        bool isRequired)
+    {
+        if (string.IsNullOrWhiteSpace(path))
+        {
+            if (isRequired)
+            {
+                Log.LogError($"Required path for '{parameterName}' is empty or contains whitespace.");
+                Environment.Exit(1);
+            }
+            return null;
+        }
+
+        string fullPath = Path.GetFullPath(path);
+        bool exists = isDirectory ? Directory.Exists(fullPath) : File.Exists(fullPath);
+
+        if (!exists)
+        {
+            if (createIfNotExist && isDirectory)
+            {
+                Log.LogInformation($"Creating directory '{fullPath}' for '{parameterName}'.");
+                Directory.CreateDirectory(fullPath);
+            }
+            else
+            {
+                Log.LogError($"{(isDirectory ? "Directory" : "File")} '{fullPath}' for '{parameterName}' does not exist.");
+                Environment.Exit(1);
+            }
+        }
+        return fullPath;
+    }
+}

src/SourceBuild/content/eng/tools/BinaryToolKit/BinaryToolKit.csproj

@@ -0,0 +1,27 @@
+<Project Sdk="Microsoft.NET.Sdk" InitialTargets="CheckPackagesPropsDirectory">
+
+  <PropertyGroup>
+    <TargetFramework>$(NetCurrent)</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <PackagesPropsDirectory></PackagesPropsDirectory>
+    <OutputType>Exe</OutputType>
+  </PropertyGroup>
+
+  <Target Name="CheckPackagesPropsDirectory">
+    <Error Condition="'$(PackagesPropsDirectory)' == ''" Text="PackagesPropsDirectory is not set. Please pass as an MSBuild Property" />
+    <Error Condition="!Exists('$(PackagesPropsDirectory)/PackageVersions.props')" Text="PackageVersions.props does not exist in $(PackagesPropsDirectory)." />
+  </Target>
+
+  <!-- Need to condition this import because msbuild will complain about the project not being valid otherwise. -->
+  <!-- With the condition, the CheckPackagesPropsDirectory will run as expected and show the respective errors. -->
+  <Import Project="$(PackagesPropsDirectory)/PackageVersions.props" Condition="'$(PackagesPropsDirectory)' != ''" />
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.FileSystemGlobbing" Version="$(MicrosoftExtensionsFileSystemGlobbingVersion)" />
+    <PackageReference Include="Microsoft.Extensions.Logging.Console" Version="$(MicrosoftExtensionsLoggingConsoleVersion)" />
+    <PackageReference Include="Microsoft.Extensions.Logging" Version="$(MicrosoftExtensionsLoggingVersion)" />
+    <PackageReference Include="System.CommandLine" Version="$(SystemCommandLineVersion)" />
+  </ItemGroup>
+
+</Project>