Add SBOM template (#1705)

andyleejordan · web-flow · commit c1235574a287 · 2022-02-14T15:00:25.000-08:00
diff --git a/.vsts-ci/templates/ci-general.yml b/.vsts-ci/templates/ci-general.yml
@@ -17,10 +17,17 @@ steps:
     filePath: tools/azurePipelinesBuild.ps1
     pwsh: ${{ parameters.pwsh }}
 
+- task: PublishTestResults@2
+  displayName: Publish test results
+  inputs:
+    testRunner: VSTest
+    testResultsFiles: '**/*.trx'
+  condition: succeededOrFailed()
+
 # NOTE: We zip the artifacts because they're ~20 MB compressed, but ~300 MB raw,
 # and we have limited pipeline artifact storage space.
 - task: ArchiveFiles@2
-  displayName: Zip pipeline artifacts
+  displayName: Zip build output
   inputs:
     rootFolderOrFile: module
     includeRootFolder: false
@@ -30,11 +37,17 @@ steps:
 
 - publish: PowerShellEditorServices-Build.zip
   artifact: PowerShellEditorServices-Build-$(System.JobId)
-  displayName: Publish unsigned pipeline artifacts
+  displayName: Publish build output archive
 
-- task: PublishTestResults@2
-  displayName: Publish test results
+- task: ArchiveFiles@2
+  displayName: Zip sources with `project.assets.json`
   inputs:
-    testRunner: VSTest
-    testResultsFiles: '**/*.trx'
-  condition: succeededOrFailed()
+    rootFolderOrFile: src
+    includeRootFolder: false
+    archiveType: zip
+    archiveFile: PowerShellEditorServices-Sources.zip
+    verbose: true
+
+- publish: PowerShellEditorServices-Sources.zip
+  artifact: PowerShellEditorServices-Sources-$(System.JobId)
+  displayName: Publish sources archive
diff --git a/.vsts-ci/templates/release-general.yml b/.vsts-ci/templates/release-general.yml
@@ -48,6 +48,23 @@ steps:
       **/Serilog*.dll
       **/UnixConsoleEcho.dll
 
+# The SBOM generation requires our original sources with the `dotnet restore`
+# produced `project.assets.json` files.
+- task: ExtractFiles@1
+  displayName: Extract source artifacts
+  inputs:
+    archiveFilePatterns: $(Pipeline.Workspace)/PowerShellEditorServices-Sources-*/PowerShellEditorServices-Sources.zip
+    destinationFolder: $(Pipeline.Workspace)/Sources
+    cleanDestinationFolder: true
+
+- template: Sbom.yml@ComplianceRepo
+  parameters:
+    BuildDropPath: $(Pipeline.Workspace)/ThirdPartySigned
+    Build_Repository_Uri: https://github.com/PowerShell/PowerShellEditorServices.git
+    packageName: PowerShellEditorServices
+    packageVersion: $(System.JobId)
+    sourceScanPath: $(Pipeline.Workspace)/Sources
+
 - task: ArchiveFiles@2
   displayName: Zip signed artifacts
   inputs:
@@ -65,8 +82,8 @@ steps:
     # binskim
     AnalyzeTarget: $(Pipeline.Workspace)/*.dll
     AnalyzeSymPath: 'SRV*'
-    # component-governance
-    sourceScanPath: $(Build.SourcesDirectory)/PowerShellEditorServices
+    # component-governance: requires the `project.assets.json` files
+    sourceScanPath: $(Pipeline.Workspace)/Sources
     # credscan
     suppressionsFile: ''
     # TermCheck AKA PoliCheck
