release: binskim for Windows

.azure-pipelines/release.yml

@@ -179,6 +179,33 @@ extends:
                 sdk_repo: ${{ dim.sdk_repo }}
                 cpu_arch: ${{ dim.cpu_arch }}
               templateContext:
+                sdl:
+                  suppression:
+                    suppressionFile: $(Build.SourcesDirectory)/.azure-pipelines/sdl/${{ dim.id }}/gdnsuppress
+                  binskim:
+                    # Direct binskim to analyze the built product binaries rather
+                    # than the installer/7z outputs. Binskim cannot crack open the
+                    # installer or 7z archive to find the binaries inside, and
+                    # these outputs are generated by external tools (not possible
+                    # to resolve any warnings about them).
+                    #
+                    # The 'Extract mingw-w64-git packages for binary analysis'
+                    # step below stages only the first-party pacman packages
+                    # produced by `please.sh build-mingw-w64-git`
+                    # (mingw-w64-<toolchain>-{git,git-credential-wincred,
+                    # git-pdb}-*.pkg.tar.xz) into _bin/<mingwprefix>/. By
+                    # construction, that tree contains only binaries built
+                    # from this repo's Makefile (git.exe, the dashed
+                    # subcommands, scalar.exe, headless-git.exe,
+                    # git-gvfs-helper.exe, git-credential-wincred.exe, ...)
+                    # plus their cv2pdb-generated .pdbs, so a broad **/*.{exe,
+                    # dll} glob is safe. This excludes the third-party
+                    # payload carried by the full Git for Windows installer:
+                    # MSYS2/MinGW runtime, Perl, Tcl/Tk, libcurl/libssl/libssh2,
+                    # Git Credential Manager, Git LFS, tig, and the
+                    # build-extra git-wrapper launcher shims.
+                    enabled: true
+                    analyzeTargetGlob: '$(Build.ArtifactStagingDirectory)/_bin/${{ dim.mingwprefix }}/**/*.exe;$(Build.ArtifactStagingDirectory)/_bin/${{ dim.mingwprefix }}/**/*.dll'
                 outputs:
                   - output: pipelineArtifact
                     targetPath: '$(Build.ArtifactStagingDirectory)/_final'
@@ -529,6 +556,96 @@ extends:
                         artifacts/PortableGit-*.exe \
                         artifacts/sha-256.txt \
                         "$(Build.ArtifactStagingDirectory)/_final/"
+                - task: Bash@3
+                  displayName: 'Extract mingw-w64-git packages for binary analysis'
+                  inputs:
+                    targetType: inline
+                    script: |
+                      set -euo pipefail
+
+                      # Stage only the first-party pacman packages produced by
+                      # `please.sh build-mingw-w64-git` for BinSkim, rather
+                      # than the full portable Git installer. This narrows
+                      # the analysis target to binaries this repo's Makefile
+                      # actually builds, and avoids dragging in the third
+                      # party payload (MSYS2/MinGW runtime, Perl, Tcl/Tk,
+                      # GCM, Git LFS, build-extra launcher shims, ...) that
+                      # the installer otherwise bundles.
+                      #
+                      # The three packages extracted are:
+                      #   mingw-w64-<toolchain>-git-<version>-1-any.pkg.tar.xz
+                      #     The main git package: git.exe, the dashed
+                      #     subcommands, scalar.exe, headless-git.exe,
+                      #     git-gvfs-helper.exe, and all other PROGRAMS /
+                      #     EXTRA_PROGRAMS the Makefile installs.
+                      #   mingw-w64-<toolchain>-git-credential-wincred-<version>-1-any.pkg.tar.xz
+                      #     contrib/credential/wincred/git-credential-wincred.exe
+                      #   mingw-w64-<toolchain>-git-pdb-<version>-1-any.pkg.tar.xz
+                      #     cv2pdb-generated .pdb files for the above. These
+                      #     are required for several BinSkim checks
+                      #     (otherwise we get ERR997.ExceptionLoadingPdb on
+                      #     every binary).
+                      #
+                      # The other artifacts from the build (git-archimport,
+                      # git-cvs, git-doc-*, git-for-windows-addons, git-gui,
+                      # git-p4, git-perl, git-send-email, git-subtree,
+                      # git-svn, gitk, gitweb) contain only docs or
+                      # interpreted scripts (Perl/Tcl/Python/sh) and ship
+                      # no native PE binaries built from this repo, so they
+                      # are not staged.
+                      bin="$(Build.ArtifactStagingDirectory)/_bin"
+                      # $(Build.ArtifactStagingDirectory) substitutes a
+                      # Windows-style path with backslashes (e.g.
+                      # D:\a\_work\1\a), producing the mixed-separator
+                      # value D:\a\_work\1\a/_bin. When MSYS2 bash later
+                      # exec()s native Windows utilities like tar.exe,
+                      # its argv path-conversion layer treats such
+                      # arguments as printf-style format strings and
+                      # mangles \a / \1 / etc. into BEL / SOH (0x01),
+                      # so tar's `-C "$bin"` fails with "Cannot open: No
+                      # such file or directory". Normalise to forward
+                      # slashes up front so the path is unambiguous to
+                      # both bash and the MSYS2 runtime.
+                      bin="${bin//\\//}"
+                      mkdir -p "$bin"
+
+                      shopt -s nullglob
+                      pkgs=(
+                        artifacts/mingw-w64-*-git-[0-9]*-1-any.pkg.tar.xz
+                        artifacts/mingw-w64-*-git-credential-wincred-[0-9]*-1-any.pkg.tar.xz
+                        artifacts/mingw-w64-*-git-pdb-[0-9]*-1-any.pkg.tar.xz
+                      )
+                      if test "${#pkgs[@]}" -ne 3
+                      then
+                        echo "##vso[task.logissue type=error]Expected 3 first-party mingw-w64-git packages in artifacts/, found ${#pkgs[@]}" >&2
+                        ls -la artifacts/ >&2
+                        exit 1
+                      fi
+
+                      for pkg in "${pkgs[@]}"; do
+                        name=$(basename "$pkg")
+                        echo "##[group]Extracting $name"
+                        # List the package's PE binaries (and .pdbs)
+                        # before extracting, so the log stays focused on
+                        # what BinSkim will see. `|| true` covers the
+                        # "no match" exit from grep without masking tar
+                        # failures (the following `tar -xf` runs
+                        # independently and will fail loudly under set
+                        # -e if the archive is corrupt).
+                        tar -tf "$pkg" \
+                          | grep -iE '\.(exe|dll|pdb)$' || true
+                        tar -xf "$pkg" -C "$bin"
+                        echo "##[endgroup]"
+                      done
+
+                      # Drop pacman's package-level metadata files; they
+                      # are not binaries and only clutter the staged tree.
+                      rm -f "$bin"/.PKGINFO "$bin"/.MTREE \
+                            "$bin"/.BUILDINFO "$bin"/.INSTALL
+
+                      echo "##[group]All extracted PE binaries (.dll, .exe)"
+                      find "$bin" -type f \( -iname '*.exe' -o -iname '*.dll' \) | sort
+                      echo "##[endgroup]"
                 # Validate the freshly built installer in-place: silently
                 # install Git-*.exe and assert that `git --version` reports
                 # the version we resolved at the prereqs stage. Folded into