From f2eadec17cde422b9f2fb6eb9df42628dccd2f9c Mon Sep 17 00:00:00 2001
From: Chidozie Ononiwu <chononiw@microsoft.com>
Date: Fri, 17 Sep 2021 17:06:06 -0700
Subject: [PATCH] Add PoliCheck

---
 .../policheck/PolicheckExclusions.xml         |  11 ++
 eng/pipelines/aggregate-reports.yml           | 155 +++++++++++-------
 2 files changed, 111 insertions(+), 55 deletions(-)
 create mode 100644 eng/guardian-tools/policheck/PolicheckExclusions.xml

diff --git a/eng/guardian-tools/policheck/PolicheckExclusions.xml b/eng/guardian-tools/policheck/PolicheckExclusions.xml
new file mode 100644
index 000000000000..30088d44c126
--- /dev/null
+++ b/eng/guardian-tools/policheck/PolicheckExclusions.xml
@@ -0,0 +1,11 @@
+<PoliCheckExclusions>
+<!-- Each of these exclusions is a folder name - if \[name]\ exists in the file path, it will be skipped -->
+<!--<Exclusion Type="FolderPathFull">ABC|XYZ</Exclusion>-->
+<!-- Each of these exclusions is a folder name - if any folder or file starts with "\[name]", it will be 
+skipped -->
+<!--<Exclusion Type="FolderPathStart">ABC|XYZ</Exclusion>-->
+<!-- Each of these file types will be completely skipped for the entire scan -->
+<!--<Exclusion Type="FileType">.ABC|.XYZ</Exclusion>-->
+<!-- The specified file names will be skipped during the scan regardless which folder they are in -->
+<!--<Exclusion Type="FileName">ABC.TXT|XYZ.CS</Exclusion>-->
+</PoliCheckExclusions>
diff --git a/eng/pipelines/aggregate-reports.yml b/eng/pipelines/aggregate-reports.yml
index 4c40cfcf7b4b..2aa8b4923389 100644
--- a/eng/pipelines/aggregate-reports.yml
+++ b/eng/pipelines/aggregate-reports.yml
@@ -8,60 +8,105 @@ pr:
     include:
       - eng/pipelines/aggregate-reports.yml
 
-jobs:
-- job: 'ValidateDependencies'
-  variables:
+pool:
+  name: azsdk-pool-mms-win-2019-general
+  vmImage: MMS2019
+
+variables:
   - template: ./templates/variables/globals.yml
 
-  pool:
-    name: azsdk-pool-mms-win-2019-general
-    vmImage: MMS2019
-
-  steps:
-  - template: /eng/pipelines/templates/steps/analyze_dependency.yml
-
-  - task: AzureFileCopy@2
-    displayName: 'Upload dependency report'
-    condition: and(succeededOrFailed(), eq(variables['System.TeamProject'], 'internal'))
-    inputs:
-      sourcePath: '$(Build.ArtifactStagingDirectory)/reports'
-      azureSubscription: 'Azure SDK Artifacts'
-      destination: AzureBlob
-      storage: azuresdkartifacts
-      containerName: 'azure-sdk-for-python'
-      blobPrefix: dependencies
-
-  - task: PowerShell@2
-    displayName: "Verify Repository Resource Refs"
-    inputs:
-      pwsh: true
-      workingDirectory: $(Build.SourcesDirectory)
-      filePath: eng/common/scripts/Verify-Resource-Ref.ps1
-
-  - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
-    displayName: 'Run CredScan'
-    condition: succeededOrFailed()
-    inputs:
-      suppressionsFile: 'eng\CredScanSuppression.json'
-  - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
-    displayName: 'Post Analysis'
-    condition: succeededOrFailed()
-    inputs:
-      GdnBreakAllTools: false
-      GdnBreakGdnToolCredScan: true
-      GdnBreakGdnToolCredScanSeverity: Error
-      GdnBreakBaselineFiles: $(Build.SourcesDirectory)\eng\python.gdnbaselines
-      GdnBreakBaselines: baseline
-      # Used for generating baseline file.
-      # GdnBreakOutputBaselineFile: python
-      # GdnBreakOutputBaseline: baseline
-    continueOnError: true
-  - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
-    displayName: 'Publish Security Analysis Logs'
-    continueOnError: true
-    condition: succeededOrFailed()
-  - template: ../common/pipelines/templates/steps/verify-links.yml
-    parameters:
-      Directory: ""
-      CheckLinkGuidance: $true
-      Condition: succeededOrFailed()
+stages:
+  - stage: ValidateDependencies
+    displayName: Validate Dependencies
+
+    jobs:
+      - job: ValidateDependencies
+        timeoutInMinutes: 120
+        steps:
+
+          - template: /eng/pipelines/templates/steps/analyze_dependency.yml
+
+          - task: AzureFileCopy@2
+            displayName: 'Upload dependency report'
+            condition: and(succeededOrFailed(), eq(variables['System.TeamProject'], 'internal'))
+            inputs:
+              sourcePath: '$(Build.ArtifactStagingDirectory)/reports'
+              azureSubscription: 'Azure SDK Artifacts'
+              destination: AzureBlob
+              storage: azuresdkartifacts
+              containerName: 'azure-sdk-for-python'
+              blobPrefix: dependencies
+
+          - task: PowerShell@2
+            displayName: "Verify Repository Resource Refs"
+            inputs:
+              pwsh: true
+              workingDirectory: $(Build.SourcesDirectory)
+              filePath: eng/common/scripts/Verify-Resource-Ref.ps1
+
+          - template: ../common/pipelines/templates/steps/verify-links.yml
+            parameters:
+              Directory: ""
+              CheckLinkGuidance: $true
+              Condition: succeededOrFailed()
+
+  - stage: ComplianceTools
+    displayName: Compliance Tools
+    dependsOn: []
+
+    jobs:
+      - job: ComplianceTools
+        timeoutInMinutes: 120
+        steps:
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-credscan.CredScan@3
+            displayName: 'Run CredScan'
+            condition: succeededOrFailed()
+            inputs:
+              suppressionsFile: 'eng\CredScanSuppression.json'
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+            displayName: 'Post Analysis'
+            condition: succeededOrFailed()
+            inputs:
+              GdnBreakAllTools: false
+              GdnBreakGdnToolCredScan: true
+              GdnBreakGdnToolCredScanSeverity: Error
+              GdnBreakBaselineFiles: $(Build.SourcesDirectory)\eng\python.gdnbaselines
+              GdnBreakBaselines: baseline
+              # Used for generating baseline file.
+              # GdnBreakOutputBaselineFile: python
+              # GdnBreakOutputBaseline: baseline
+            continueOnError: true
+
+          - pwsh: |
+              azcopy copy "https://azuresdkartifacts.blob.core.windows.net/policheck/PythonPoliCheckExclusion.mdb?$(azuresdk-policheck-blob-SAS)" `
+              "$(Build.BinariesDirectory)"
+            displayName: 'Download PoliCheck Exclusion Database'
+            condition: succeededOrFailed()
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-policheck.PoliCheck@2
+            displayName: 'Run PoliCheck'
+            inputs:
+              targetType: F
+              targetArgument: '$(Build.SourcesDirectory)'
+              result: PoliCheck.sarif
+              optionsFC: 0
+              optionsXS: 1
+              optionsPE: 1|2|3|4
+              optionsRulesDBPath: "$(Build.BinariesDirectory)/PythonPoliCheckExclusion.mdb"
+              optionsUEPATH: "$(Build.SourcesDirectory)/eng/guardian-tools/policheck/PolicheckExclusions.xml"
+            condition: succeededOrFailed()
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2
+            displayName: 'Post Analysis (PoliCheck)'
+            inputs:
+              GdnBreakAllTools: false
+              GdnBreakGdnToolPoliCheck: true
+              GdnBreakGdnToolPoliCheckSeverity: Warning
+            condition: succeededOrFailed()
+            continueOnError: true
+
+          - task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@3
+            displayName: 'Publish Security Analysis Logs'
+            continueOnError: true
+            condition: succeededOrFailed()