From ead0466c6af0286806d60af9f96fefba64e95428 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Tue, 18 Nov 2025 16:45:50 +0900 Subject: [PATCH 01/14] Add dependency tracking to pipeline --- build/azure-pipeline.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 5ccb478..cd4e57d 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -70,6 +70,32 @@ stages: inputs: targetPath: $(Build.SourcesDirectory) artifactName: build_output + - job: sbom + displayName: Upload SBOM to DependencyTrack + steps: + - checkout: self + fetchDepth: 0 + + - script: dotnet tool install --global CycloneDX + displayName: 'Install CycloneDX .NET Tool' + + - script: dotnet CycloneDX $(solution) + displayName: 'Generate NuGet SBOM' + + # This step optional. Allows download of artifact from pipeline run view in ADO. + - publish: bom.xml + artifact: sbom + displayName: 'Publish NuGet SBOM Artifact' + + - task: upload-bom-dtrack@1 + displayName: 'Upload SBOM to Dependency-Track' + inputs: + bomFilePath: bom.xml + dtrackProjName: $(Build.Repository.Name) + dtrackProjVersion: 'main' + dtrackAPIKey: $(DT_API_KEY) + dtrackURI: $(DT_API_URL) + dtrackProjAutoCreate: true - stage: UnitTests displayName: Unit Tests From 9d337070f87ee64178f9dd0594a4a1669b4a2700 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Tue, 18 Nov 2025 16:46:28 +0900 Subject: [PATCH 02/14] Correction to spelling --- build/azure-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index cd4e57d..a1602e1 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml 
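Review bot: The `dotnet tool install --global CycloneDX` step in the new `sbom` job installs whatever version is latest on the feed at run time, and that tool then runs in the same job that is handed `$(DT_API_KEY)`. Pin it, e.g. `dotnet tool install --global CycloneDX --version <PINNED_VERSION>`, so that a new or tampered release cannot change what generates the SBOM without a reviewed commit. The marketplace task `upload-bom-dtrack@1` receives the key directly; which extension provides it is not visible in this hunk, so it is worth confirming and recording in a comment. The same install line is carried into the `Dependency_Track` stage added in PATCH 05/14.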
@@ -82,7 +82,7 @@ stages: - script: dotnet CycloneDX $(solution) displayName: 'Generate NuGet SBOM' - # This step optional. Allows download of artifact from pipeline run view in ADO. + # This is step optional. Allows download of artifact from pipeline run view in ADO. - publish: bom.xml artifact: sbom displayName: 'Publish NuGet SBOM Artifact' From eae35872176f26cf1ef0cd820b66cbffe2203fc3 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Tue, 18 Nov 2025 16:56:32 +0900 Subject: [PATCH 03/14] Don't upload on every build --- build/azure-pipeline.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index a1602e1..7ac1667 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -5,6 +5,10 @@ parameters: displayName: Cache NuGet packages type: boolean default: false + - name: uploadDependencyTrack + displayName: Upload BOMs to Dependency Track + type: boolean + default: false variables: solution: src/Umbraco.Cms.Search.sln @@ -72,6 +76,7 @@ stages: artifactName: build_output - job: sbom displayName: Upload SBOM to DependencyTrack + condition: ${{parameters.uploadDependencyTrack}})) steps: - checkout: self fetchDepth: 0 From 9868f22d7d6879840f2a60fa6b759986c3dc6270 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Tue, 18 Nov 2025 17:00:05 +0900 Subject: [PATCH 04/14] Remove parenthesis --- build/azure-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 7ac1667..25b27ac 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -76,7 +76,7 @@ stages: artifactName: build_output - job: sbom displayName: Upload SBOM to DependencyTrack - condition: ${{parameters.uploadDependencyTrack}})) + condition: ${{parameters.uploadDependencyTrack}} steps: - checkout: self fetchDepth: 0 From d5c865714e2f4b9483fd93af7048c811309e87c4 Mon Sep 17 00:00:00 2001 
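Review bot: The corrected comment above the `publish: bom.xml` step still does not read as a sentence, because `# This is step optional.` has the words transposed. It should be `# This step is optional. Allows download of the artifact from the pipeline run view in ADO.`; the same line is copied unchanged into the stage added in PATCH 05/14.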
From: Zeegaan Date: Tue, 18 Nov 2025 17:13:34 +0900 Subject: [PATCH 05/14] move to another stage --- build/azure-pipeline.yml | 61 ++++++++++++++++++++++------------------ 1 file changed, 34 insertions(+), 27 deletions(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 25b27ac..a0dff87 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -74,33 +74,6 @@ stages: inputs: targetPath: $(Build.SourcesDirectory) artifactName: build_output - - job: sbom - displayName: Upload SBOM to DependencyTrack - condition: ${{parameters.uploadDependencyTrack}} - steps: - - checkout: self - fetchDepth: 0 - - - script: dotnet tool install --global CycloneDX - displayName: 'Install CycloneDX .NET Tool' - - - script: dotnet CycloneDX $(solution) - displayName: 'Generate NuGet SBOM' - - # This is step optional. Allows download of artifact from pipeline run view in ADO. - - publish: bom.xml - artifact: sbom - displayName: 'Publish NuGet SBOM Artifact' - - - task: upload-bom-dtrack@1 - displayName: 'Upload SBOM to Dependency-Track' - inputs: - bomFilePath: bom.xml - dtrackProjName: $(Build.Repository.Name) - dtrackProjVersion: 'main' - dtrackAPIKey: $(DT_API_KEY) - dtrackURI: $(DT_API_URL) - dtrackProjAutoCreate: true - stage: UnitTests displayName: Unit Tests 
@@ -260,3 +233,37 @@ stages: - pwsh: SqlLocalDB stop MSSQLLocalDB displayName: Stop SQL Server LocalDB (Windows) condition: and(succeeded(), eq(variables['Agent.OS'], 'Windows_NT')) + + - stage: Dependency_Track + displayName: Dependency Track + dependsOn: + - Build + condition: and(succeeded() ${{parameters.uploadDependencyTrack}}) + jobs: + - job: sbom + displayName: Upload SBOM to DependencyTrack + steps: + - checkout: self + fetchDepth: 0 + + - script: dotnet tool install --global CycloneDX + displayName: 'Install CycloneDX .NET Tool' + + - script: dotnet CycloneDX $(solution) + displayName: 'Generate NuGet SBOM' + + # This is step optional. Allows download of artifact from pipeline run view in ADO. + - publish: bom.xml + artifact: sbom + displayName: 'Publish NuGet SBOM Artifact' + + - task: upload-bom-dtrack@1 + displayName: 'Upload SBOM to Dependency-Track' + inputs: + bomFilePath: bom.xml + dtrackProjName: $(Build.Repository.Name) + dtrackProjVersion: 'main' + dtrackAPIKey: $(DT_API_KEY) + dtrackURI: $(DT_API_URL) + dtrackProjAutoCreate: true + From 5cb86ea673fa20767ca6c3772aebd9611fde9db1 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Tue, 18 Nov 2025 17:17:27 +0900 Subject: [PATCH 06/14] add missing comma --- build/azure-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index a0dff87..7505430 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -238,7 +238,7 @@ stages: displayName: Dependency Track dependsOn: - Build - condition: and(succeeded() ${{parameters.uploadDependencyTrack}}) + condition: and(succeeded(), ${{parameters.uploadDependencyTrack}}) jobs: - job: sbom displayName: Upload SBOM to DependencyTrack From 219f0ecf286e1b7b9cecd759e6623362f8d59b86 Mon Sep 17 00:00:00 2001 
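Review bot: In the new `Dependency_Track` stage, `dtrackProjAutoCreate: true` combined with `dtrackProjName: $(Build.Repository.Name)` means the key behind `$(DT_API_KEY)` must be allowed to create projects, not only to upload BOMs. Dependency-Track separates these permissions (`BOM_UPLOAD` versus `PROJECT_CREATION_UPLOAD`), so once the project exists the narrower setup is likely `dtrackProjAutoCreate: false` with an upload-only key; whether the task needs any further read permission to resolve the project is not visible here. A comment above the task would document the expectation, e.g. `# DT_API_KEY: secret pipeline variable; Dependency-Track key scoped to BOM upload for this project only`.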
From: Zeegaan Date: Wed, 19 Nov 2025 15:36:34 +0900 Subject: [PATCH 07/14] Dont make optional, upload every time we make a PR --- build/azure-pipeline.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 7505430..447bc34 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -5,10 +5,6 @@ parameters: displayName: Cache NuGet packages type: boolean default: false - - name: uploadDependencyTrack - displayName: Upload BOMs to Dependency Track - type: boolean - default: false variables: solution: src/Umbraco.Cms.Search.sln @@ -238,7 +234,7 @@ stages: displayName: Dependency Track dependsOn: - Build - condition: and(succeeded(), ${{parameters.uploadDependencyTrack}}) + condition: and(succeeded()) jobs: - job: sbom displayName: Upload SBOM to DependencyTrack From bbb2e12da38b9fe9faf3d738d2b9aa378c1efe05 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Wed, 26 Nov 2025 13:17:37 +0900 Subject: [PATCH 08/14] Update to post correct version number, and only when running from main --- build/azure-pipeline.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 447bc34..8fdb934 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -234,7 +234,8 @@ stages: displayName: Dependency Track dependsOn: - Build - condition: and(succeeded()) + # Only upload the SBOM when it's from the main branch, as we don't need to for every PR. + condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main')) jobs: - job: sbom displayName: Upload SBOM to DependencyTrack 
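Review bot: Removing the `uploadDependencyTrack` opt-in makes the stage that is handed `$(DT_API_KEY)` run for pull-request builds too, and since `dtrackProjVersion` is still the fixed string `'main'` at this commit, every PR's SBOM overwrites the inventory recorded for main. Keep the upload restricted to the protected branch, e.g. `condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))`, and confirm that the pipeline setting which exposes secrets to fork builds is off. Separately, `and(succeeded())` passes a single argument to `and`, which the expression language defines with a minimum of two; `condition: succeeded()` is the valid form, and the same expression returns in PATCH 09/14.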
@@ -242,6 +243,14 @@ stages: - checkout: self fetchDepth: 0 + - task: PowerShell@2 + displayName: 'Read Version from version.json' + inputs: + targetType: 'inline' + script: | + $versionJson = Get-Content -Path "version.json" -Raw | ConvertFrom-Json + Write-Host "##vso[task.setvariable variable=VersionNumber]$versionJson.version" + - script: dotnet tool install --global CycloneDX displayName: 'Install CycloneDX .NET Tool' @@ -258,7 +267,7 @@ stages: inputs: bomFilePath: bom.xml dtrackProjName: $(Build.Repository.Name) - dtrackProjVersion: 'main' + dtrackProjVersion: $(VersionNumber) dtrackAPIKey: $(DT_API_KEY) dtrackURI: $(DT_API_URL) dtrackProjAutoCreate: true From 3d56670deb918f139db133b0faec6e3ad1bf3537 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Wed, 26 Nov 2025 13:22:36 +0900 Subject: [PATCH 09/14] Test without condition --- build/azure-pipeline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 8fdb934..5e10716 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -235,7 +235,7 @@ stages: dependsOn: - Build # Only upload the SBOM when it's from the main branch, as we don't need to for every PR. - condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main')) + condition: and(succeeded()) jobs: - job: sbom displayName: Upload SBOM to DependencyTrack From ded8f2eb4aee0ae0474fdd2b3916ac30e2057b28 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Wed, 26 Nov 2025 13:28:55 +0900 Subject: [PATCH 10/14] Try removing comment --- build/azure-pipeline.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 5e10716..52b8775 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -234,7 +234,6 @@ stages: displayName: Dependency Track dependsOn: - Build - # Only upload the SBOM when it's from the main branch, as we don't need to for every PR. condition: and(succeeded()) jobs: - job: sbom 
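Review bot: In the inline script of the new `PowerShell@2` step, `"##vso[task.setvariable variable=VersionNumber]$versionJson.version"` does not read the property, because inside a double-quoted PowerShell string only `$versionJson` is expanded and `.version` is appended as literal text. Use a subexpression, `Write-Host "##vso[task.setvariable variable=VersionNumber]$($versionJson.version)"`, or assign the property to a local variable first. As written, `dtrackProjVersion: $(VersionNumber)` in the following hunk would receive the stringified object rather than the version number.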
From 3657058c98d1aa392c52e02cdd066bc2902860f3 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Wed, 26 Nov 2025 13:30:18 +0900 Subject: [PATCH 11/14] remove condition for now --- build/azure-pipeline.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 52b8775..79a88b0 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -234,7 +234,6 @@ stages: displayName: Dependency Track dependsOn: - Build - condition: and(succeeded()) jobs: - job: sbom displayName: Upload SBOM to DependencyTrack From 8872887ab80f2c6a020e3863168217bb36f7ae8d Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Wed, 26 Nov 2025 13:36:22 +0900 Subject: [PATCH 12/14] Fix powershell --- build/azure-pipeline.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 79a88b0..cd49035 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -234,6 +234,7 @@ stages: displayName: Dependency Track dependsOn: - Build + - IntegrationTests jobs: - job: sbom displayName: Upload SBOM to DependencyTrack @@ -247,7 +248,9 @@ stages: targetType: 'inline' script: | $versionJson = Get-Content -Path "version.json" -Raw | ConvertFrom-Json - Write-Host "##vso[task.setvariable variable=VersionNumber]$versionJson.version" + $version = $versionJson.version + Write-Host "Version from version.json: $version" + Write-Host "##vso[task.setvariable variable=AppVersion]$version" - script: dotnet tool install --global CycloneDX displayName: 'Install CycloneDX .NET Tool' @@ -265,7 +268,7 @@ stages: inputs: bomFilePath: bom.xml dtrackProjName: $(Build.Repository.Name) - dtrackProjVersion: $(VersionNumber) + dtrackProjVersion: $(AppVersion) dtrackAPIKey: $(DT_API_KEY) dtrackURI: $(DT_API_URL) dtrackProjAutoCreate: true From 12ebf1379f78a8f47062c7c4a67aa99f243e4adf Mon Sep 17 00:00:00 2001 
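Review bot: The value read from `version.json` in the rewritten script is placed into a `##vso[task.setvariable …]` logging command and then used as `dtrackProjVersion` without any check. A missing `version` property yields an empty project version, which with `dtrackProjAutoCreate: true` would presumably create or update an unintended entry in Dependency-Track, and a value containing a line break would be read by the agent as additional output lines. Fail early before the `setvariable` line, e.g. `if ($version -notmatch '^[0-9A-Za-z.+-]+$') { throw "Unexpected version value in version.json" }`.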
From: Zeegaan Date: Wed, 26 Nov 2025 14:01:57 +0900 Subject: [PATCH 13/14] Rename variable --- build/azure-pipeline.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index cd49035..0774d16 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -250,7 +250,7 @@ stages: $versionJson = Get-Content -Path "version.json" -Raw | ConvertFrom-Json $version = $versionJson.version Write-Host "Version from version.json: $version" - Write-Host "##vso[task.setvariable variable=AppVersion]$version" + Write-Host "##vso[task.setvariable variable=VersionNumber]$version" - script: dotnet tool install --global CycloneDX displayName: 'Install CycloneDX .NET Tool' @@ -268,7 +268,7 @@ stages: inputs: bomFilePath: bom.xml dtrackProjName: $(Build.Repository.Name) - dtrackProjVersion: $(AppVersion) + dtrackProjVersion: $(VersionNumber) dtrackAPIKey: $(DT_API_KEY) dtrackURI: $(DT_API_URL) dtrackProjAutoCreate: true From a9958a2a2e6971d98e098c6a1e45020b39c61749 Mon Sep 17 00:00:00 2001 From: Zeegaan Date: Wed, 26 Nov 2025 14:02:53 +0900 Subject: [PATCH 14/14] Reimplement condition to only upload on main --- build/azure-pipeline.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build/azure-pipeline.yml b/build/azure-pipeline.yml index 0774d16..27456bc 100644 --- a/build/azure-pipeline.yml +++ b/build/azure-pipeline.yml @@ -235,6 +235,8 @@ stages: dependsOn: - Build - IntegrationTests + # Only upload the SBOM when it's from the main branch, as we don't need to for every PR. + condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main')) jobs: - job: sbom displayName: Upload SBOM to DependencyTrack