58217464 - Enable EO-compliant PREfast and Compiler Warning Checks for the WinAppSDK repo (#5611)

* Update WindowsAppSDK-Build-Per-Platform-Stage.yml

* Update WindowsAppSDK-Build-Stage.yml

* Update WindowsAppSDK-BuildFoundation-AnyCPU-Steps.yml

* Update WindowsAppSDK-BuildFoundation-Steps.yml

* Update WindowsAppSDK-BuildMRT-Steps.yml

* Update WindowsAppSDK-CommonVariables.yml

* Update WindowsAppSDK-BuildInstaller-Steps.yml

* Update WindowsAppSDK-BuildVSIX-Steps.yml

* Update WindowsAppSDK-BuildVSIX-Stage.yml

* Update WindowsAppSDK-BuildInstaller-Stage.yml

* Update WindowsAppSDK-BuildInstaller-Stage.yml

* Update WindowsAppSDK-BuildInstaller-Steps.yml

Author: alexlamtest

build/AzurePipelinesTemplates/WindowsAppSDK-Build-Per-Platform-Stage.yml

@@ -78,6 +78,12 @@ stages:
         value: $[coalesce(variables.compilerOverridePackageVersion, variables.global_CompilerOverridePackageVersion)]
       - name: localCompilerOverrideNupkgVersion
         value: $[coalesce(variables.compilerOverrideNupkgVersion, variables.global_CompilerOverrideNupkgVersion)]    
+      - name: ob_sdl_checkCompliantCompilerWarnings
+        value: true # This setting has no effect unless ob_sdl_msbuildOverride below is also set to true.
+      - name: ob_sdl_prefast_runDuring
+        value: 'Guardian' # The default 'Build' setting does not match the fact that we are calling msbuild.exe directly.
+      - name: ob_sdl_msbuildOverride
+        value: true # Because we are calling MSBuild directly instead of through the MSBuild@1 or VSBuild@1 tasks. 
     steps:
     - script: |
         echo Build.SourceBranch=$(Build.SourceBranch)
@@ -91,6 +97,9 @@ stages:
         echo localCompilerOverrideNupkgVersion=$(localCompilerOverrideNupkgVersion)
         echo System.PullRequest.targetBranchName=$(System.PullRequest.targetBranchName)
         echo mySourceBranch=$(mySourceBranch)        
+        echo ob_sdl_msbuildOverride=$(ob_sdl_msbuildOverride)
+        echo ob_sdl_prefast_runDuring=$(ob_sdl_prefast_runDuring)
+        echo ob_sdl_checkCompliantCompilerWarnings=$(ob_sdl_checkCompliantCompilerWarnings)
 
     - template: WindowsAppSDK-BuildFoundation-Steps.yml@self
       parameters:
@@ -99,13 +108,6 @@ stages:
         runApiScan: ${{ parameters.runApiScan }}
         runPREfast: ${{ parameters.runPREfast }}
 
-    # This is a temporarily workaround to avoid getting non-fatal "folder C:\__t\NativeCompilerPrefast not found"
-    # errors from the Guardian PREfast task, which shouldn't even be run in the first place, because its pre-
-    # requisite of isNative=true isn't met currently.
-    - script: |
-        md "C:\__t\NativeCompilerPrefast"
-      displayName: 'Creating C:\__t\NativeCompilerPrefast to prevent errors from Guardian PREfast'
-
   - job: BuildMRT
     pool:
       # read more about custom job pool types at https://aka.ms/obpipelines/yaml/jobs
@@ -161,6 +163,12 @@ stages:
         value: $[coalesce(variables.compilerOverridePackageVersion, variables.global_CompilerOverridePackageVersion)]
       - name: localCompilerOverrideNupkgVersion
         value: $[coalesce(variables.compilerOverrideNupkgVersion, variables.global_CompilerOverrideNupkgVersion)]    
+      - name: ob_sdl_checkCompliantCompilerWarnings
+        value: true # This setting has no effect unless ob_sdl_msbuildOverride below is also set to true.
+      - name: ob_sdl_prefast_runDuring
+        value: 'Guardian' # The default 'Build' setting does not match the fact that we are calling msbuild.exe directly.
+      - name: ob_sdl_msbuildOverride
+        value: true # Because we are calling MSBuild directly instead of through the MSBuild@1 or VSBuild@1 tasks. 
     steps:
     - script: |
         echo Build.SourceBranch=$(Build.SourceBranch)
@@ -174,6 +182,9 @@ stages:
         echo localCompilerOverrideNupkgVersion=$(localCompilerOverrideNupkgVersion)
         echo System.PullRequest.targetBranchName=$(System.PullRequest.targetBranchName)
         echo mySourceBranch=$(mySourceBranch)        
+        echo ob_sdl_msbuildOverride=$(ob_sdl_msbuildOverride)
+        echo ob_sdl_prefast_runDuring=$(ob_sdl_prefast_runDuring)
+        echo ob_sdl_checkCompliantCompilerWarnings=$(ob_sdl_checkCompliantCompilerWarnings)
 
     - template: WindowsAppSDK-BuildMRT-Steps.yml@self
       parameters:
@@ -182,13 +193,6 @@ stages:
         runPREfast : ${{ parameters.runPREfast }}
         runApiScan : ${{ parameters.runApiScan }}
 
-    # This is a temporarily workaround to avoid getting non-fatal "folder C:\__t\NativeCompilerPrefast not found"
-    # errors from the Guardian PREfast task, which shouldn't even be run in the first place, because its pre-
-    # requisite of isNative=true isn't met currently.
-    - script: |
-        md "C:\__t\NativeCompilerPrefast"
-      displayName: 'Creating C:\__t\NativeCompilerPrefast to prevent errors from Guardian PREfast'
-
   - job: ExtractMatrix
     pool:
       type: windows

build/AzurePipelinesTemplates/WindowsAppSDK-Build-Stage.yml

@@ -59,20 +59,16 @@ stages:
         ob_sdl_apiscan_enabled: false
       ob_sdl_apiscan_softwareFolder: '$(build.SourcesDirectory)\BuildOutput\Release\AnyCPU'
       ob_sdl_apiscan_symbolsFolder: '$(build.SourcesDirectory)\BuildOutput\Release\AnyCPU;SRV*https://symweb.azurefd.net'
+      ob_sdl_checkCompliantCompilerWarnings: true # This setting has no effect unless ob_sdl_msbuildOverride below is also set to true.
+      ob_sdl_prefast_runDuring: 'Guardian' # The default 'Build' setting does not match the fact that we are calling msbuild.exe directly.
+      ob_sdl_msbuildOverride: true # Because we are calling MSBuild directly instead of through the MSBuild@1 or VSBuild@1 tasks.       
     steps:
     - template: WindowsAppSDK-BuildFoundation-AnyCPU-Steps.yml@self
       parameters:
         SignOutput: ${{ parameters.SignOutput }}
         IsOneBranch: ${{ parameters.IsOneBranch }}
         runPREfast : ${{ parameters.runPREfast }}
 
-    # This is a temporarily workaround to avoid getting non-fatal "folder C:\__t\NativeCompilerPrefast not found"
-    # errors from the Guardian PREfast task, which shouldn't even be run in the first place, because its pre-
-    # requisite of isNative=true isn't met currently.
-    - script: |
-        md "C:\__t\NativeCompilerPrefast"
-      displayName: 'Creating C:\__t\NativeCompilerPrefast to prevent errors from Guardian PREfast'
-
 # extract BuildFoundation and BuildMRT into WindowsAppSDK-Build-Stage-Per-Platform.yml. Separate the build stage per platform
 
 - template: WindowsAppSDK-Build-Per-Platform-Stage.yml@self

build/AzurePipelinesTemplates/WindowsAppSDK-BuildFoundation-AnyCPU-Steps.yml

@@ -39,6 +39,9 @@ steps:
       # Generally speaking, we leave it to the external repos to scan the bits in their packages.
       excludedPaths: |
         $(Build.SourcesDirectory)\packages
+      # Explicitly specify the EO-compliant rule set, as the default Sdl.Recommended.Warning.ruleset is not EO-compliant.
+      rulesetName: Custom
+      customRuleset: $(Agent.ToolsDirectory)\NativeCompilerStaticAnalysisRuleset\mandatory_to_fix.ruleset
     continueOnError: true
     env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
@@ -77,4 +80,4 @@ steps:
   - task: PublishBuildArtifacts@1
     inputs:
       PathtoPublish: '$(ob_outputDirectory)'
-      artifactName: '$(ob_artifactBaseName)'
+      artifactName: '$(ob_artifactBaseName)'

build/AzurePipelinesTemplates/WindowsAppSDK-BuildFoundation-Steps.yml

@@ -85,6 +85,9 @@ steps:
       # Generally speaking, we leave it to the external repos to scan the bits in their packages.
       excludedPaths: |
         $(Agent.ToolsDirectory)\uCRT\#$(Build.SourcesDirectory)\obj\$(buildConfiguration)\$(buildPlatform)#$(Build.SourcesDirectory)\packages
+      # Explicitly specify the EO-compliant rule set, as the default Sdl.Recommended.Warning.ruleset is not EO-compliant.
+      rulesetName: Custom
+      customRuleset: $(Agent.ToolsDirectory)\NativeCompilerStaticAnalysisRuleset\mandatory_to_fix.ruleset
     env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
     continueOnError: true

build/AzurePipelinesTemplates/WindowsAppSDK-BuildInstaller-Stage.yml

@@ -40,6 +40,12 @@ stages:
         value: $[coalesce(variables.compilerOverridePackageVersion, variables.global_CompilerOverridePackageVersion)]
       - name: localCompilerOverrideNupkgVersion
         value: $[coalesce(variables.compilerOverrideNupkgVersion, variables.global_CompilerOverrideNupkgVersion)]
+      - name: ob_sdl_checkCompliantCompilerWarnings
+        value: true
+      - name: ob_sdl_prefast_runDuring
+        value: 'Build'
+      - name: ob_sdl_msbuildOverride
+        value: true
     condition: ne(variables.LatestOfficialBuildID, '')
     steps:
     - script: |
@@ -52,7 +58,9 @@ stages:
         echo localCompilerOverridePackageName=$(localCompilerOverridePackageName)
         echo localCompilerOverridePackageVersion=$(localCompilerOverridePackageVersion)
         echo localCompilerOverrideNupkgVersion=$(localCompilerOverrideNupkgVersion)
-        echo System.PullRequest.targetBranchName=$(System.PullRequest.targetBranchName)      
-        echo mySourceBranch=$(mySourceBranch)       
-        
+        echo System.PullRequest.targetBranchName=$(System.PullRequest.targetBranchName)         
+        echo ob_sdl_checkCompliantCompilerWarnings=$(ob_sdl_checkCompliantCompilerWarnings)       
+        echo ob_sdl_prefast_runDuring=$(ob_sdl_prefast_runDuring)       
+        echo ob_sdl_msbuildOverride=$(ob_sdl_msbuildOverride)       
+
     - template: WindowsAppSDK-BuildInstaller-Steps.yml@self

build/AzurePipelinesTemplates/WindowsAppSDK-BuildInstaller-Steps.yml

@@ -224,19 +224,24 @@ steps:
     ${{ if eq( parameters.runStaticAnalysis, 'true') }}:
       createLogFile: true
 
-- ${{ if eq(parameters.runStaticAnalysis, 'true') }}:
-  - task: SDLNativeRules@3
-    condition: and(succeeded(), eq(variables['buildConfiguration'], 'Release'), eq(variables['buildPlatform'], 'x64'))
-    displayName: Run the PREfast SDL Native Rules
-    inputs:
-      userProvideBuildInfo: auto
-      toolVersion: Latest
-      # Generally speaking, we leave it to the external repos to scan the bits in their packages.
-      excludedPaths: |
-        $(Build.SourcesDirectory)\packages
-    continueOnError: true
-    env:
-      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+# The VSBuild@1 task above seems to be able to do inline PREfast scanning with the EO-compliant ruleset now. So, we don't seem to
+# need the following any more. Commenting it out for now and observe a bit more. Remove it when we feel comfortable.
+#- ${{ if eq(parameters.runStaticAnalysis, 'true') }}:
+#  - task: SDLNativeRules@3
+#    condition: and(succeeded(), eq(variables['buildConfiguration'], 'Release'), eq(variables['buildPlatform'], 'x64'))
+#    displayName: Run the PREfast SDL Native Rules
+#    inputs:
+#      userProvideBuildInfo: auto
+#      toolVersion: Latest
+#      # Generally speaking, we leave it to the external repos to scan the bits in their packages.
+#      excludedPaths: |
+#        $(Build.SourcesDirectory)\packages
+#      # Explicitly specify the EO-compliant rule set, as the default Sdl.Recommended.Warning.ruleset is not EO-compliant.
+#      rulesetName: Custom
+#      customRuleset: $(Agent.ToolsDirectory)\NativeCompilerStaticAnalysisRuleset\mandatory_to_fix.ruleset
+#    continueOnError: true
+#    env:
+#      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
 
 - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
   displayName: 'Component Governance Detection'

build/AzurePipelinesTemplates/WindowsAppSDK-BuildMRT-Steps.yml

@@ -46,6 +46,9 @@ steps:
       # Generally speaking, we leave it to the external repos to scan the bits in their packages.
       excludedPaths: |
         $(Build.SourcesDirectory)\packages
+      # Explicitly specify the EO-compliant rule set, as the default Sdl.Recommended.Warning.ruleset is not EO-compliant.
+      rulesetName: Custom
+      customRuleset: $(Agent.ToolsDirectory)\NativeCompilerStaticAnalysisRuleset\mandatory_to_fix.ruleset
     env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
     continueOnError: true

build/AzurePipelinesTemplates/WindowsAppSDK-BuildVSIX-Stage.yml

@@ -17,6 +17,9 @@ stages:
       # it is not under $(Build.SourcesDirectory)\WindowsAppSDK
       foundationRepoPath: ""
       buildConfiguration: "Release"
+      ob_sdl_checkCompliantCompilerWarnings: true
+      ob_sdl_prefast_runDuring: 'Build'
+      ob_sdl_msbuildOverride: true
     condition: ne(variables.LatestOfficialBuildID, '')
     steps:
     - template: WindowsAppSDK-BuildVSIX-Steps.yml@self

build/AzurePipelinesTemplates/WindowsAppSDK-BuildVSIX-Steps.yml

@@ -118,6 +118,9 @@ steps:
       # Generally speaking, we leave it to the external repos to scan the bits in their packages.
       excludedPaths: |
         $(Build.SourcesDirectory)\packages
+      # Explicitly specify the EO-compliant rule set, as the default Sdl.Recommended.Warning.ruleset is not EO-compliant.
+      rulesetName: Custom
+      customRuleset: $(Agent.ToolsDirectory)\NativeCompilerStaticAnalysisRuleset\mandatory_to_fix.ruleset
     continueOnError: true
     env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
@@ -150,6 +153,9 @@ steps:
       # Generally speaking, we leave it to the external repos to scan the bits in their packages.
       excludedPaths: |
         $(Build.SourcesDirectory)\packages
+      # Explicitly specify the EO-compliant rule set, as the default Sdl.Recommended.Warning.ruleset is not EO-compliant.
+      rulesetName: Custom
+      customRuleset: $(Agent.ToolsDirectory)\NativeCompilerStaticAnalysisRuleset\mandatory_to_fix.ruleset
     continueOnError: true
     env:
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)

build/WindowsAppSDK-CommonVariables.yml

@@ -26,6 +26,10 @@ variables:
   # Use the following corresponding version string instead of the above when calling nuget install directly.
   compilerOverrideNupkgVersion: ""
 
+  ob_sdl_checkCompliantCompilerWarnings: true
+  ob_sdl_prefast_runDuring: 'Guardian'
+  ob_sdl_msbuildOverride: true
+
   # Docker image which is used to build the project https://aka.ms/obpipelines/containers
   WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2019/vse2022:latest'