Enable TSA tools

[ericstj]

@mmitche @ViktorHofer @MichaelSimons

Looks like source-build pipelines still aren't running these. Will try to enable.

[Copilot]

Pull Request Overview

This PR enables additional TSA-related tooling in the source-build pipelines to ensure enhanced analysis is performed during builds.

• Enabled binskim analysis
• Enabled policheck verification
• Enabled TSA tooling

[ericstj]

Let me know if we should port this over to dotnet/dotnet internally and do a build to make sure things work.

[MichaelSimons]

Let me know if we should port this over to dotnet/dotnet internally and do a build to make sure things work.

To test this, I would recommend porting these changes to the VMR and pushing your branch to dnceng and then queuing the UB pipeline.

[ericstj]

https://dev.azure.com/dnceng/internal/_build/results?buildId=2671857&view=results

Should we do the same for source-build and source-build-lite?

[MichaelSimons]

Should we do the same for source-build and source-build-lite?

It should only be necessary to do source-build-lite. I don't see the value in running across the entire matrix.

[ericstj]

It should only be necessary to do source-build-lite. I don't see the value in running across the entire matrix.

Done - https://dev.azure.com/dnceng/internal/_build/results?buildId=2672444&view=results

The first build passed most relevant stages, there was an unrelated failure in Pass2 build for one architecture, oddly others passed @ViktorHofer - https://dev.azure.com/dnceng/internal/_build/results?buildId=2671857&view=logs&j=287a7939-eab3-5c36-8f0e-00afcd687924&t=4fb25e12-6d48-5139-7a32-8d5e685a65d1&l=109

    D:\a\_work\1\s\artifacts\source-built-sdks\Microsoft.DotNet.Arcade.Sdk\tools\Build.proj(146,5): error : No projects were found to build. Either the 'Projects' property or 'ProjectToBuild' item group must be specified.
##[error]artifacts\source-built-sdks\Microsoft.DotNet.Arcade.Sdk\tools\Build.proj(146,5): error : No projects were found to build. Either the 'Projects' property or 'ProjectToBuild' item group must be specified.

Looks to me like the tools are running -- however I don't think they are doing so to the full extent.

For example - binskim is only seeing 3 files -
https://dev.azure.com/dnceng/internal/_build/results?buildId=2671857&view=logs&j=9050e078-31bf-5111-d8ec-8b6fa95caf9c&t=13fed60c-a588-5d3e-9328-82bd431be2c4&l=78
Likely due to the size-on-disk savings techniques used by UB to delete intermediates. Do we need to do this for final outputs?

I don't see Policheck running but I don't see that for runtime either. Going to see if I can find evidence of it running elsewhere.

[ViktorHofer]

Likely due to the size-on-disk savings techniques used by UB to delete intermediates

dotnet/source-build#4901 - Ideally we wouldn't need to use --clean-while-building in CI but if we must (because of CI disk space limitations) we need to come up with the list of intermediates that should be preserved.

[ViktorHofer]

##[error]artifacts\source-built-sdks\Microsoft.DotNet.Arcade.Sdk\tools\Build.proj(146,5): error : No projects were found to build. Either the 'Projects' property or 'ProjectToBuild' item group must be specified.

I think @wtgodbe fixed this recently.

[ericstj]

Policheck is running https://dev.azure.com/dnceng/internal/_build/results?buildId=2671857&view=logs&j=bc38e8b8-e027-53cb-48e7-2adbd1070eca&t=a2a8b996-32f3-5822-d162-1e94917482b8

[ericstj]

And for source-build-lite here are the relevant steps:

• tsa upload - https://dev.azure.com/dnceng/internal/_build/results?buildId=2672444&view=logs&j=609589e2-4f74-5576-cdb7-914bcaea778b&t=6a24f8d1-f382-5c2d-3041-c876afc09a44
• policheck - https://dev.azure.com/dnceng/internal/_build/results?buildId=2672444&view=logs&j=bc38e8b8-e027-53cb-48e7-2adbd1070eca&t=a2a8b996-32f3-5822-d162-1e94917482b8
• binskim -- only runs for Windows jobs