Code Scanning

Resources

Background

We wanted to run a code scan of the Revver Desktop App, but after some research and some trial and error we found that this was going to be more difficult than anticipated.

In order to use ADO Advanced Security for code scanning, we needed to build the app in an ADO pipeline. There are two issues with this: 1) you can't build a .vdproj project (Visual Studio Installer Project) in ADO pipelines (well, we probably could if we had our own build machines), and 2) our projects store NuGet packages in a packages.config file, and ADO pipelines have issues restoring NuGet packages when they are configured this way.

We attempted migrating from packages.config to package references. The migration itself was successful, but it broke the installer project. We spent several hours trying to reconfigure the installer project so that it would still build after the migration, but did not want to spend more effort on it and eventually gave up.

In the end, a pipeline was created (referenced at the top of this page), but it cannot currently be run against the master branch. To do a code scan you need to branch off master, migrate packages.config to package references, and run the pipeline on that branch. Keep in mind this will scan only the build projects, not the installers.

Doing a code scan

  1. Create a branch off master (or off the branch you want to create a new update installer from)
  2. Migrate from packages.config to package references
    • you can use the reference at the top of this page for instructions on how to do this (but long story short, right-click the packages.config file and select Migrate packages.config to PackageReference...)
  3. Commit the changes to your branch and push it to ADO
  4. Run the 'Revver Windows Desktop App Code Scan' build pipeline on your branch
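The four steps above can be scripted so that the scan branch is produced the same way every time. The script below is an added example and is not the page's own pipeline or a script from the project: it branches off master, rewrites every classic .csproj that has a packages.config next to it (the same transformation the Visual Studio "Migrate packages.config to PackageReference..." command performs, in simplified form), commits and pushes the result, and queues the scan pipeline. It assumes git is on PATH, the Azure CLI has the azure-devops extension installed (az extension add --name azure-devops), and the $Organization and $Project values are placeholders you replace. As the page notes, the installer project is not covered and will still break on the migrated branch.

```powershell
<#
Added example (not the page's or project's own script).
Assumes: git on PATH, Azure CLI with the azure-devops extension, repo checked out
in the current directory. $Organization and $Project are placeholders.
#>
param(
    [string]$BaseBranch   = 'master',
    [string]$ScanBranch   = "code-scan/$(Get-Date -Format yyyyMMdd-HHmm)",
    [string]$PipelineName = 'Revver Windows Desktop App Code Scan',
    [string]$Organization = 'https://dev.azure.com/<your-org>',   # placeholder
    [string]$Project      = '<your-project>'                      # placeholder
)
$ErrorActionPreference = 'Stop'

# Rewrites one classic .csproj: each packages.config entry becomes a
# <PackageReference> item, <Reference> items resolved from the packages\ folder
# and the <None Include="packages.config"> item are removed, and packages.config
# is deleted. Returns $true if the project was changed, $false if it had no
# packages.config. <Import>/<Error> elements that point into packages\ (build-time
# .targets/.props) are deliberately left alone: review those by hand.
function Convert-PackagesConfig {
    param([Parameter(Mandatory)][string]$ProjectPath)

    $cfgPath = Join-Path (Split-Path -Parent $ProjectPath) 'packages.config'
    if (-not (Test-Path $cfgPath)) { return $false }

    [xml]$cfg  = Get-Content -Raw $cfgPath
    [xml]$proj = Get-Content -Raw $ProjectPath
    $ns = $proj.DocumentElement.NamespaceURI   # MSBuild namespace on classic projects

    # Assembly references hinted into packages\ are now supplied by NuGet itself
    $stale = @($proj.SelectNodes('//*[local-name()="Reference"]') |
               Where-Object { $_.HintPath -like '*packages*' })
    $stale += @($proj.SelectNodes('//*[local-name()="None" and @Include="packages.config"]'))
    foreach ($node in $stale) { [void]$node.ParentNode.RemoveChild($node) }

    # One ItemGroup holding a PackageReference per package, version as a child element
    $group = $proj.CreateElement('ItemGroup', $ns)
    foreach ($pkg in $cfg.packages.package) {
        $ref = $proj.CreateElement('PackageReference', $ns)
        $ref.SetAttribute('Include', $pkg.id)
        $ver = $proj.CreateElement('Version', $ns)
        $ver.InnerText = $pkg.version
        [void]$ref.AppendChild($ver)
        [void]$group.AppendChild($ref)
    }
    [void]$proj.DocumentElement.AppendChild($group)

    $proj.Save($ProjectPath)
    Remove-Item $cfgPath
    return $true
}

# Step 1: branch off the base branch
git checkout $BaseBranch
git pull
git checkout -b $ScanBranch

# Step 2: migrate every project that still uses packages.config
$changed = Get-ChildItem -Recurse -Filter *.csproj |
           Where-Object { Convert-PackagesConfig -ProjectPath $_.FullName }
if (-not $changed) { throw 'No packages.config found under the current directory; nothing to migrate.' }
Write-Host "Migrated $($changed.Count) project(s): $($changed.Name -join ', ')"

# Step 3: commit and push the scan branch
git add -A
git commit -m "Migrate packages.config to PackageReference for code scan"
git push -u origin $ScanBranch

# Step 4: queue the scan pipeline on that branch
az pipelines run --name $PipelineName --branch $ScanBranch --org $Organization --project $Project
```

Run it from the repository root on a clean working tree. Because the branch is disposable, nothing here needs to be merged back; the point is only that the scan runs against the same code as master with the package format ADO can restore.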

How can we automate this in the future?

I think the best way to do this would be to build the installer using WixSharp, rather than a Visual Studio Installer Project.