AzureDevOpsPipeline.psm1
|
# Module Constants #Set-Variable XYZ -option Constant -value (@{XYZ = 'abc'}) Function Get-TrivyCommand { <# .SYNOPSIS Get a Command to run trivy .EXAMPLE & (Get-TrivyCommand) fs . #> [CmdletBinding()] [OutputType([PSCustomObject])] param() Process { if(-not (Test-Trivy)) { throw "Install-Trivy must be called prior to this function." } # Retrieve trivy command $trivy = Get-Command "$($env:TrivyPath)" -ErrorAction SilentlyContinue if(-not ($trivy -is [System.Management.Automation.ApplicationInfo])) { throw "Unable to Get Command `$($env:TrivyPath)`." } $trivy | Write-Output } } Function Out-Task { <# .SYNOPSIS Write to the pipeline's task output .EXAMPLE "Hello World" | Out-Task .EXAMPLE "Hello World" | Out-Task -Prefix '##[command]' .EXAMPLE "Hello World" | Out-Task -Prefix '##vso[task.logissue type=error]' .EXAMPLE "Hello World" | Out-Task -VsoCommand 'task.logissue' -VsoProperties @{type='error'} #> [CmdletBinding(DefaultParameterSetName = 'prefix')] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [Object] $Message, [Parameter(Mandatory = $false, ParameterSetName = 'prefix')] [AllowEmptyString()] [AllowNull()] [String] $Prefix = '', [Parameter(Mandatory = $true, ParameterSetName = 'vso')] [String] $VsoCommand, [Parameter(Mandatory = $false, ParameterSetName = 'vso')] [hashtable] $VsoProperties ) Process { if($PSCmdlet.ParameterSetName -eq 'vso') { $VsoPropertiesArray = $VsoProperties.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" } $VsoPropertiesString = $VsoPropertiesArray -join ';' $Prefix = "##vso[$VsoCommand $VsoPropertiesString;]" } $Message | Out-String -Stream | ForEach-Object { [System.Text.Encoding]::UTF8.GetString([System.Text.Encoding]::UTF8.GetBytes("$($Prefix)$($_)")) | Write-Host } } } Function Test-IsAdministrator { <# .SYNOPSIS Test if current user has Administrator privileges .EXAMPLE if(-not (Test-IsAdministrator)) { throw 'Not an admin.' } #> [CmdletBinding()] [OutputType([PSCustomObject])] param() Process { return (New-Object Security.Principal.WindowsPrincipal -ArgumentList ([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole( [Security.Principal.WindowsBuiltInRole]::Administrator ) } } Function Get-TrivyOutputDirectory { <# .SYNOPSIS Get the OutputDirectory used by Trivy .EXAMPLE # Get the directory where reports are saved Get-TrivyOutputDirectory | Out-TaskLog -Format 'Debug' .EXAMPLE # Get the staging directory where other files are saved (this is Azure DevOps' BUILD_ARTIFACTSTAGINGDIRECTORY directory) Get-TrivyOutputDirectory -Staging | Out-TaskLog -Format 'Debug' #> [CmdletBinding()] [OutputType([PSCustomObject])] param( [Parameter(Mandatory = $false)] [Switch] $Staging ) Process { if(Test-Trivy) { if($Staging) { return $env:BUILD_ARTIFACTSTAGINGDIRECTORY } return $env:TrivyOutPath } } } Function Install-Trivy { <# .SYNOPSIS Download and Install trivy on the CI/CD host .EXAMPLE Install-Trivy #> [CmdletBinding()] [OutputType([PSCustomObject])] param() Begin { if (-Not (Test-IsAdministrator)) { "Insufficient privileges" | Write-TaskError Set-TaskResult -Result 'Failed' Exit 1 } "Initializing" | Out-TaskLog -Format 'BeginGroup' $TrivyReleaseInfoUri = 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' $TrivyReleaseInfoContentType = 'application/vnd.github.v3+json' if ($IsWindows) { $Trivy = [pscustomobject]@{ path = 'C:\Program Files\trivy' bin = 'trivy.exe' data = Join-Path $env:LocalAppData 'trivy' outdir = Join-Path $env:LocalAppData 'trivy-out' releaseInfoUri = $TrivyReleaseInfoUri releaseContentType = $TrivyReleaseInfoContentType archiveExpression = '^trivy_([\d\.]+)_Windows-64bit.zip$' downloadUri = $null releaseInfo = $null version = $null } } else { $Trivy = [pscustomobject]@{ path = '/usr/local/bin/trivy' bin = 'trivy' data = '/usr/local/bin/trivy/db' outdir = '/tmp/trivy-out' releaseInfoUri = $TrivyReleaseInfoUri releaseContentType = $TrivyReleaseInfoContentType archiveExpression = '^trivy_([\d\.]+)_Linux-64bit.tar.gz$' downloadUri = $null releaseInfo = $null version = $null } } # Get the Release Information, and Download URI $Trivy.releaseInfo = Invoke-RestMethod -Uri $Trivy.releaseInfoUri -Headers @{Accept = $Trivy.releaseContentType } | Select-Object -ExpandProperty assets | Where-Object { $_.name -match $Trivy.archiveExpression } $Trivy.downloadUri = $Trivy.releaseInfo | Select-Object -ExpandProperty browser_download_url # Capture Trivy's version number from ReleaseInfo $Trivy.releaseInfo.name -match $Trivy.archiveExpression | Out-Null $Trivy.version = $matches[1] # Create Directories if (-Not (Test-Path $Trivy.path)) { New-Item -ItemType Directory -Path $Trivy.path | Out-Null } if (-Not (Test-Path $Trivy.outdir)) { New-Item -ItemType Directory -Path $Trivy.outdir | Out-Null } # Print all elements in $Trivy $Trivy.PSObject.Properties | ForEach-Object { "$($_.Name) = $($_.Value)" | Out-TaskLog -Format 'Debug' } "Done" | Out-TaskLog -Format 'EndGroup' } Process { try { "Installing trivy" | Out-TaskLog -Format 'BeginGroup' # Download Trivy "Downloading $($Trivy.releaseInfo.name)" | Out-TaskLog if (-Not $Trivy.downloadUri) { throw 'Unable to retrieve download URI for trivy.' } Invoke-WebRequest -Uri $Trivy.downloadUri -OutFile $Trivy.releaseInfo.name # Inflate downloaded archive, and add to PATH "Installing $($Trivy.releaseInfo.name) to $($Trivy.path)" | Out-TaskLog if ($IsWindows) { "Expand-Archive -LiteralPath $Trivy.releaseInfo.name -DestinationPath $Trivy.path -Force" | Out-TaskLog -Format 'Command' Expand-Archive -LiteralPath $Trivy.releaseInfo.name -DestinationPath $Trivy.path -Force | Out-TaskLog #$Path = [System.Environment]::GetEnvironmentVariable("Path", [System.EnvironmentVariableTarget]::Machine) -split ';' #$Path += , ($Trivy.Path) #[System.Environment]::SetEnvironmentVariable("Path", ($Path | Select-Object -Unique) -join ';', [System.EnvironmentVariableTarget]::Machine) } else { "tar -zxvf $Trivy.releaseInfo.name -C $Trivy.path" | Out-TaskLog -Format 'Command' tar -zxvf $Trivy.releaseInfo.name -C $Trivy.path | Out-TaskLog "chmod u+x (Join-Path $Trivy.Path $Trivy.bin)" | Out-TaskLog -Format 'Command' chmod u+x (Join-Path $Trivy.Path $Trivy.bin) | Out-TaskLog #"export PATH=`$PATH:""$($Trivy.path)""" | Out-File -Append -Encoding utf8 ~/.bashrc #bash -c ". ~/.bashrc" } # Adding trivy to the PATH New-TaskPathVariable -Path $Trivy.Path "$($Trivy.Path) added to the PATH" | Out-TaskLog -Format 'Debug' # Delete downloaded archive "Removing $($Trivy.releaseInfo.name)" | Out-TaskLog Remove-Item -Path $Trivy.releaseInfo.name -ErrorAction SilentlyContinue | Out-Null # Set variables into the pipeline "Updating environment..." | Out-TaskLog $trivyPath = $(Join-Path $Trivy.Path $Trivy.bin) New-TaskPathVariable -Path $Trivy.Path "$($Trivy.Path) added to the PATH" | Out-TaskLog -Format 'Debug' New-TaskVariable -Name 'TrivyPath' -Value ($trivyPath) "`$(TrivyPath) = $($trivyPath)" | Out-TaskLog -Format 'Debug' New-TaskVariable -Name 'TrivyDbPath' -Value ($Trivy.data) "`$(TrivyDbPath) = $($Trivy.data)" | Out-TaskLog -Format 'Debug' New-TaskVariable -Name 'TrivyVersion' -Value ($Trivy.version) "`$(TrivyVersion) = $($Trivy.version)" | Out-TaskLog -Format 'Debug' New-TaskVariable -Name 'TrivyOutPath' -Value ($Trivy.outdir) "`$(TrivyOutPath) = $($Trivy.outdir)" | Out-TaskLog -Format 'Debug' "Done" | Out-TaskLog -Format 'EndGroup' # Download Trivy Database "Downloading DB for trivy $($Trivy.version)" | Out-TaskLog -Format 'BeginGroup' $trivy = Get-Command $trivyPath -ErrorAction SilentlyContinue if (-not ($trivy -is [System.Management.Automation.ApplicationInfo])) { throw "Unable to get Command $trivyPath." } "trivy image --download-db-only --cache-dir ""$($Trivy.data)""" | Out-TaskLog -Format 'Command' & ($trivy) image --download-db-only --cache-dir "$($Trivy.data)" 2>&1 | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] } | Out-TaskLog if ($LASTEXITCODE -ne 0) { throw "Failed to download trivy DB. Exit Code: $LASTEXITCODE" } "Done" | Out-TaskLog -Format 'EndGroup' } catch { $_ | Write-TaskError Set-TaskResult -Result 'Failed' Exit 1 } } } Function Invoke-Trivy { <# .SYNOPSIS Download and Install trivy on the CI/CD host .PARAMETER InputDirectory The input directory to scan .PARAMETER Name A nickname for the reports (useful if you generate multiple reports) .EXAMPLE Invoke-Trivy -InputDirectory . #> [CmdletBinding()] [OutputType([PSCustomObject])] param( [Parameter(Mandatory = $false)] [ValidateScript({Test-Path $_ -PathType Container})] $InputDirectory = '.', [Parameter(Mandatory = $false)] $Name = 'report' ) Process { try { # Retrieve the trivy Command $trivy = Get-TrivyCommand # Run trivy on the target directory, capturing all dependencies, store JSON result in the BUILD_ARTIFACTSTAGINGDIRECTORY $DependenciesPath = Join-Path $env:BUILD_ARTIFACTSTAGINGDIRECTORY "dependency-$($Name).json" $SecurityReportPath = Join-Path $env:TrivyOutPath "sast-$($Name).sarif" # Trivy outputs to STDERR (it uses STDOUT to return the actual report); we need to redirect and capture STDERR; and to test the EXITCODE to know if trivy it succeeded or not "Running SAST scan using trivy $($env:TrivyVersion)" | Out-TaskLog -Format 'BeginGroup' "trivy fs $($InputDirectory) --skip-db-update --cache-dir ""$($env:TrivyDbPath)"" --list-all-pkgs --format json --output ""$($DependenciesPath)""" | Out-TaskLog -Format 'Command' & ($trivy) fs "$($InputDirectory)" --skip-db-update --cache-dir "$($env:TrivyDbPath)" --list-all-pkgs --format json --output "$($DependenciesPath)" 2>&1 | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] } | Out-String | Out-TaskLog if($LASTEXITCODE -ne 0) { throw "Trivy reported an error. Exit Code: $LASTEXITCODE" } "Generating SAST scan report" | Out-TaskLog "trivy convert --format sarif --output ""$($SecurityReportPath)"" ""$($DependenciesPath)""" | Out-TaskLog -Format 'Command' & ($trivy) convert --format sarif --output "$($SecurityReportPath)" "$($DependenciesPath)" 2>&1 | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] } | Out-String | Out-TaskLog if($LASTEXITCODE -ne 0) { throw "Trivy reported an error. Exit Code: $LASTEXITCODE" } "Done" | Out-TaskLog -Format 'EndGroup' } catch { $_ | Write-TaskError Set-TaskResult -Result 'Failed' Exit 1 } } } Function New-TaskLogUpload { <# .SYNOPSIS Upload a file to the Task Log .EXAMPLE "C:\my\directory\file.txt" | New-TaskLogUpload #> [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [ValidateScript({Test-Path $_ -PathType 'Leaf'})] [string] $Path ) Begin { } Process { $Path | Out-Task -VsoCommand 'task.uploadfile' } } Function New-TaskPathVariable { <# .SYNOPSIS Add an entry to the environment's path (prepend) .EXAMPLE "C:\my\directory\path" | New-TaskPathVariable #> [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Path ) Begin { } Process { $Path | Out-Task -VsoCommand 'task.prependpath' } } Function New-TaskSecret { <# .SYNOPSIS Create an environment variable in the pipeline .EXAMPLE "Hello World" | New-TaskVariable -Name 'MESSAGE' #> [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Secret ) Begin { } Process { $Secret | Out-Task -VsoCommand 'task.setsecret' } } Function New-TaskVariable { <# .SYNOPSIS Create an environment variable in the pipeline .EXAMPLE "Hello World" | New-TaskVariable -Name 'MESSAGE' #> [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Value, [Parameter(Mandatory = $true)] [string] $Name, [Parameter(Mandatory = $false)] [switch] $IsSecret, [Parameter(Mandatory = $false)] [string] $IsOutput, [Parameter(Mandatory = $false)] [string] $IsReadOnly ) Begin { } Process { $Properties = @{ variable = $Name } if($IsSecret) { $Properties += @{isSecret='true'} } if($IsOutput) { $Properties += @{isOutput='true'} } if($IsReadOnly) { $Properties += @{isReadOnly='true'} } $Value | Out-Task -VsoCommand 'task.setvariable' -VsoProperties $Properties } } Function Out-TaskLog { <# .SYNOPSIS Write to the pipeline's task output .EXAMPLE "Hello World" | Out-TaskLog -Format 'None' #> [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Message, [Parameter(Mandatory = $false)] [ValidateSet('None', 'BeginGroup', 'Warning', 'Error', 'Section', 'Debug', 'Command', 'EndGroup')] [string] $Format = 'None' ) Begin { } Process { $Prefix = switch($Format.ToLower()) { 'begingroup' { '##[group]' } 'warning' { '##[warning]' } 'error' { '##[error]' } 'section' { '##[section]' } 'debug' { '##[debug]' } 'command' { '##[command]' } 'endgroup' { '##[endgroup]' } default { $null } } $Message | Out-Task -Prefix $Prefix } } Function Set-TaskLogProgress { <# .SYNOPSIS Set progress and current operation for the current task. .EXAMPLE 'Downloading' | Set-TaskLogProgress -PercentComplete 50 #> [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Message, [Parameter(Mandatory = $true)] [ValidateRange(0, 100)] [int] $PercentComplete ) Begin { } Process { $Message | Out-Task -VsoCommand 'task.setprogress' -VsoProperties @{ value = $PercentComplete.ToString() } } } Function Set-TaskResult { <# .SYNOPSIS Finish the timeline record for the current task, set task result and current operation. .EXAMPLE 'DONE' | Set-TaskResult -Result 'Succeeded' #> [CmdletBinding()] param( [Parameter(Mandatory = $false, ValueFromPipeline = $true)] [string] $Message = 'Done', [Parameter(Mandatory = $false)] [ValidateSet('Succeeded', 'SucceededWithIssues', 'Failed')] [string] $Result = 'Succeeded' ) Begin { } Process { $Properties = @{ 'result' = $Result } $Message | Out-Task -VsoCommand 'task.complete' -VsoProperties $Properties } } Function Test-Trivy { <# .SYNOPSIS Test installation of trivy .EXAMPLE if(-not (Test-Trivy)) { throw "Please call Install-Trivy" } #> [CmdletBinding()] [OutputType([PSCustomObject])] param() Process { try { if(-not (Test-Path env:SYSTEM_ISAZUREVM)) { throw "Environment variable SYSTEM_ISAZUREVM is missing. This function is designed to be called from within a Azure DevOps pipeline Did you call Install-Trivy?" } if(-not (Test-Path env:BUILD_ARTIFACTSTAGINGDIRECTORY)) { throw "Environment variable BUILD_ARTIFACTSTAGINGDIRECTORY is missing. This function is designed to be called from within a Azure DevOps pipeline Did you call Install-Trivy?" } if(-not (Test-Path env:TrivyPath)) { throw "Environment variable TrivyPath is missing. Did you call Install-Trivy?" } if(-not (Test-Path env:TrivyDbPath)) { throw "Environment variable TrivyDbPath is missing. Did you call Install-Trivy?" } if(-not (Test-Path env:TrivyOutPath)) { throw "Environment variable TrivyOutPath is missing. Did you call Install-Trivy?" } return $true } catch { $_ | Write-TaskWarning } return $false } } Function Write-TaskError { <# .SYNOPSIS Write an error to the pipeline's task output .EXAMPLE "Hello World" | Write-TaskError .EXAMPLE "Hello World" | Write-TaskError -SourcePath 'C:\path\to\file.txt' -SourceLine 1 -SourceColumn 1 -Code 'E0001' #> [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Message, [Parameter(Mandatory = $false)] [AllowNull()] [AllowEmptyString()] [string] $SourcePath, [Parameter(Mandatory = $false)] [AllowNull()] [AllowEmptyString()] [string] $SourceLine, [Parameter(Mandatory = $false)] [AllowNull()] [AllowEmptyString()] [string] $SourceColumn, [Parameter(Mandatory = $false)] [AllowNull()] [AllowEmptyString()] [string] $Code ) Begin { } Process { $Properties = @{ type = 'error' } if($SourcePath) { $Properties += @{sourcepath=$SourcePath} } if($SourceLine) { $Properties += @{linenumber=$SourceLine} } if($SourceColumn) { $Properties += @{columnnumber=$SourceColumn} } if($Code) { $Properties += @{code=$Code} } $Message | Out-String -Stream | ForEach-Object { $_ | Out-Task -VsoCommand 'task.logissue' -VsoProperties $Properties } } } Function Write-TaskWarning { <# .SYNOPSIS Write a warning to the pipeline's task output .EXAMPLE "Hello World" | Write-TaskWarning .EXAMPLE "Hello World" | Write-TaskWarning -SourcePath 'C:\path\to\file.txt' -SourceLine 1 -SourceColumn 1 -Code 'E0001' #> [CmdletBinding()] param( [Parameter(Mandatory = $true, ValueFromPipeline = $true)] [string] $Message, [Parameter(Mandatory = $false)] [AllowNull()] [AllowEmptyString()] [string] $SourcePath, [Parameter(Mandatory = $false)] [AllowNull()] [AllowEmptyString()] [string] $SourceLine, [Parameter(Mandatory = $false)] [AllowNull()] [AllowEmptyString()] [string] $SourceColumn, [Parameter(Mandatory = $false)] [AllowNull()] [AllowEmptyString()] [string] $Code ) Begin { } Process { $Properties = @{ type = 'warning' } if($SourcePath) { $Properties += @{sourcepath=$SourcePath} } if($SourceLine) { $Properties += @{linenumber=$SourceLine} } if($SourceColumn) { $Properties += @{columnnumber=$SourceColumn} } if($Code) { $Properties += @{code=$Code} } $Message | Out-String -Stream | ForEach-Object { $_ | Out-Task -VsoCommand 'task.logissue' -VsoProperties $Properties } } } |