
[Kitten] Onboard MSBuildLocator to APIScan (and other 1ES/TSA checks)

Open JanKrivanek opened this issue 1 year ago • 4 comments

What:

  • https://github.com/microsoft/MSBuildLocator

Two options for how to enable (~~final decision will be decided within the team and communicated back~~ MicroBuild is recommended as the less invasive way to onboard):

  • https://github.com/dotnet/arcade/blob/e9a8e07465adf515a595e2afde2ffe893e973838/Documentation/HowToAddSDLRunToPipeline.md
  • https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/features/sdlanalysis/overview#how-to-enable-tsa-sdl-analysis-tool

Timeline:

  • Ideally by Mar/01 we should know if there are any findings that need to be addressed

JanKrivanek avatar Feb 08 '24 08:02 JanKrivanek

~~Arcade is the preferred way~~ (just personal opinion - see discussion below for more details)

JanKrivanek avatar Feb 08 '24 08:02 JanKrivanek

I would strongly prefer to avoid Arcade personally, why do you prefer it @JanKrivanek? The minimal migration should be (internal link) https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/38953/MicroBuild-Template-Migration-(YAML)

rainersigwald avatar Feb 08 '24 15:02 rainersigwald

It's rather a personal opinion based on limited experience - so let me update the description to make it clear.

That being said - those were my thoughts:

  • We use Arcade already in the MSBuild pipeline, so there needs to be knowledge and maintenance of that within the team already. Limiting exposure to another build kit might reduce the overall burden on the team
  • Arcade is developed and actively supported by an organizationally closer team (and geographically as well for the majority of us) - which makes troubleshooting issues less complicated for more junior members of the team.

But as mentioned - just a weak opinion based on limited experience - I can very easily be wrong. Would you actually disagree with those? And can you flash advantages of MicroBuild (I'm lacking knowledge of that - so such info might help shape my opinion)?

JanKrivanek avatar Feb 08 '24 16:02 JanKrivanek

Team decision:

  • Let's use MicroBuild as it should be the less invasive and less complicated way to onboard APIScan
  • Should some major complications arise during the work - let's rethink
  • We should make sure findings are automatically reported as bugs - we might need to have a TSA task for that - see TSA Onboarding for details
  • Moving to Arcade can be rediscussed in the future if there are more initiatives for "onboard to ..."

JanKrivanek avatar Feb 15 '24 15:02 JanKrivanek