Merged PR 684501: Scan environment variables for credentials using the CredScan library(Phase I)

This is Phase I hence only a warning is logged when a credential is detected in an env var. Depending on the results obtained from the logging information the implementation is modified accordingly.

Added the CredentialScanner class to handle the functionality related to credscan
Created a unit test to test the functionality of the scanner with various test cases
Modified the SetEnvironmentVariables method to call the credscan method from CredentialScanner class.
Added allowList mechanism and a unit test to test that

Related work items: #1975564

Author: schandr78

Private/InternalSdk/Microsoft.Automata.SRM/Microsoft.Automata.SRM.dsc

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+import {Transformer} from "Sdk.Transformers";
+import * as Managed from "Sdk.Managed";
+
+// This is an empty facade for a Microsoft internal package.
+
+namespace Contents {
+    export declare const qualifier: {
+    };
+
+    @@public
+    export const all: StaticDirectory = Transformer.sealPartialDirectory(d`.`, []);
+}
+
+@@public
+export const pkg: Managed.ManagedNugetPackage =
+    Managed.Factory.createNugetPackage(
+        "Microsoft.Automata.SRM",
+        "0.0.0",
+        Contents.all,
+        [],
+        [],
+        []
+    );    

Private/InternalSdk/Microsoft.Automata.SRM/module.config.dsc

@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+module({
+    name: "Microsoft.Automata.SRM"
+});

Private/InternalSdk/Microsoft.Security.CredScan.KnowledgeBase.Client/Microsoft.Security.CredScan.KnowledgeBase.Client.dsc

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+import {Transformer} from "Sdk.Transformers";
+import * as Managed from "Sdk.Managed";
+
+// This is an empty facade for a Microsoft internal package.
+
+namespace Contents {
+    export declare const qualifier: {
+    };
+
+    @@public
+    export const all: StaticDirectory = Transformer.sealPartialDirectory(d`.`, []);
+}
+
+@@public
+export const pkg: Managed.ManagedNugetPackage =
+    Managed.Factory.createNugetPackage(
+        "Microsoft.Security.CredScan.KnowledgeBase.Client",
+        "0.0.0",
+        Contents.all,
+        [],
+        [],
+        []
+    );    

Private/InternalSdk/Microsoft.Security.CredScan.KnowledgeBase.Client/module.config.dsc

@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+module({
+    name: "Microsoft.Security.CredScan.KnowledgeBase.Client"
+});

Private/InternalSdk/Microsoft.Security.CredScan.KnowledgeBase.Ruleset/Microsoft.Security.CredScan.KnowledgeBase.Ruleset.dsc

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+import {Transformer} from "Sdk.Transformers";
+import * as Managed from "Sdk.Managed";
+
+// This is an empty facade for a Microsoft internal package.
+
+namespace Contents {
+    export declare const qualifier: {
+    };
+
+    @@public
+    export const all: StaticDirectory = Transformer.sealPartialDirectory(d`.`, []);
+}
+
+@@public
+export const pkg: Managed.ManagedNugetPackage =
+    Managed.Factory.createNugetPackage(
+        "Microsoft.Security.CredScan.KnowledgeBase.Ruleset",
+        "0.0.0",
+        Contents.all,
+        [],
+        [],
+        []
+    );

Private/InternalSdk/Microsoft.Security.CredScan.KnowledgeBase.Ruleset/module.config.dsc

@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+module({
+    name: "Microsoft.Security.CredScan.KnowledgeBase.Ruleset"
+});

Private/InternalSdk/Microsoft.Security.CredScan.KnowledgeBase/Microsoft.Security.CredScan.KnowledgeBase.dsc

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+import {Transformer} from "Sdk.Transformers";
+import * as Managed from "Sdk.Managed";
+
+// This is an empty facade for a Microsoft internal package.
+
+namespace Contents {
+    export declare const qualifier: {
+    };
+
+    @@public
+    export const all: StaticDirectory = Transformer.sealPartialDirectory(d`.`, []);
+}
+
+@@public
+export const pkg: Managed.ManagedNugetPackage =
+    Managed.Factory.createNugetPackage(
+        "Microsoft.Security.CredScan.KnowledgeBase",
+        "0.0.0",
+        Contents.all,
+        [],
+        [],
+        []
+    );    

Private/InternalSdk/Microsoft.Security.CredScan.KnowledgeBase/module.config.dsc

@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+module({
+    name: "Microsoft.Security.CredScan.KnowledgeBase"
+});

Private/InternalSdk/Microsoft.Security.RegularExpressions/Microsoft.Security.RegularExpressions.dsc

@@ -0,0 +1,26 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+import {Transformer} from "Sdk.Transformers";
+import * as Managed from "Sdk.Managed";
+
+// This is an empty facade for a Microsoft internal package.
+
+namespace Contents {
+    export declare const qualifier: {
+    };
+
+    @@public
+    export const all: StaticDirectory = Transformer.sealPartialDirectory(d`.`, []);
+}
+
+@@public
+export const pkg: Managed.ManagedNugetPackage =
+    Managed.Factory.createNugetPackage(
+        "Microsoft.Security.RegularExpressions",
+        "0.0.0",
+        Contents.all,
+        [],
+        [],
+        []
+    );

Private/InternalSdk/Microsoft.Security.RegularExpressions/module.config.dsc

@@ -0,0 +1,6 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+module({
+    name: "Microsoft.Security.RegularExpressions"
+});

Public/Src/App/Bxl/Args.cs

@@ -316,6 +316,9 @@ public bool TryParse(string[] args, PathTable pathTable, out ICommandLineConfigu
                         OptionHandlerFactory.CreateBoolOption(
                             "cpuResourceAware",
                             sign => schedulingConfiguration.CpuResourceAware = sign),
+                        OptionHandlerFactory.CreateOption(
+                            "credScanEnvironmentVariablesAllowList",
+                            opt => sandboxConfiguration.CredScanEnvironmentVariablesAllowList.AddRange(CommandLineUtilities.ParseRepeatingOption(opt, ";", v => v.Trim()))),
                         OptionHandlerFactory.CreateOption(
                             "criticalCommitUtilizationPercentage",
                             opt => schedulingConfiguration.CriticalCommitUtilizationPercentage = CommandLineUtilities.ParseInt32Option(opt, 0, 100)),
@@ -416,6 +419,9 @@ public bool TryParse(string[] args, PathTable pathTable, out ICommandLineConfigu
                         OptionHandlerFactory.CreateBoolOption(
                             "enableAsyncLogging",
                             sign => loggingConfiguration.EnableAsyncLogging = sign),
+                        OptionHandlerFactory.CreateBoolOption(
+                            "enableCredScan",
+                            sign => sandboxConfiguration.EnableCredScan = sign),
                         OptionHandlerFactory.CreateBoolOption(
                             "enableEmptyingWorkingSet",
                             sign => schedulingConfiguration.EnableEmptyingWorkingSet = sign),

Public/Src/App/Bxl/BuildXLApp.cs

@@ -2229,7 +2229,8 @@ private EngineState RunEngine(
                 trackingEventListener,
                 rememberAllChangedTrackedInputs: true,
                 commitId: s_buildInfo?.IsDeveloperBuild == false ? s_buildInfo.CommitId : null,
-                buildVersion: s_buildInfo?.IsDeveloperBuild == false ? s_buildInfo.Build : null);
+                buildVersion: s_buildInfo?.IsDeveloperBuild == false ? s_buildInfo.Build : null,
+                enableCredScan: configuration.Sandbox.EnableCredScan);
 
             if (engine == null)
             {

Public/Src/Engine/Dll/Engine.FrontEnd.cs

@@ -515,7 +515,7 @@ private GraphReuseResult ReloadPipGraphOnly(
             //   - to fully initialize the front end, we have to go through all the steps that have already been
             //     executed on the old controller; those steps are (1) InitializeHost, and (2) ParseConfig
             FrontEndController = m_frontEndControllerFactory.Create(Context.PathTable, Context.SymbolTable);
-            FrontEndController.InitializeHost(Context.ToFrontEndContext(loggingContext), m_initialCommandLineConfiguration);
+            FrontEndController.InitializeHost(Context.ToFrontEndContext(loggingContext, enableCredScan: m_enableCredScan), m_initialCommandLineConfiguration);
 
             var configurationEngine = new BasicFrontEndEngineAbstraction(Context.PathTable, Context.FileSystem, m_initialCommandLineConfiguration);
             if (!configurationEngine.TryPopulateWithDefaultMountsTable(loggingContext, Context, m_initialCommandLineConfiguration, m_initialCommandLineConfiguration.Startup.Properties))

Public/Src/Engine/Dll/Engine.cs

@@ -89,6 +89,11 @@ public sealed partial class BuildXLEngine
         /// </summary>
         public EngineContext Context;
 
+        ///<summary>
+        /// Enable cred scan
+        ///</summary>
+        private readonly bool m_enableCredScan;
+
         /// <summary>
         /// BuildXLEngine configuration
         /// </summary>
@@ -267,7 +272,8 @@ private BuildXLEngine(
             TrackingEventListener trackingEventListener,
             bool rememberAllChangedTrackedInputs,
             [CanBeNull] string commitId,
-            [CanBeNull] string buildVersion)
+            [CanBeNull] string buildVersion,
+            bool enableCredScan)
         {
             Contract.Requires(context != null);
             Contract.Requires(configuration != null);
@@ -345,7 +351,7 @@ private BuildXLEngine(
             m_commitId = commitId;
             m_buildVersion = buildVersion;
             m_buildViewModel = buildViewModel;
-
+            m_enableCredScan = enableCredScan;
             var loggingConfig = Configuration.Logging;
             if (loggingConfig.OptimizeConsoleOutputForAzureDevOps || loggingConfig.OptimizeVsoAnnotationsForAzureDevOps)
             {
@@ -368,7 +374,6 @@ private BuildXLEngine(
                 // Tell the build viewmodel to collect a builder summary which we report to azure devops.
                 m_buildViewModel.BuildSummary = new BuildSummary(filePath);
             }
-
             // Designate a temp directory under ObjectDirectory for FileUtilities to move files to during deletion attempts
             m_moveDeleteTempDirectory = Path.Combine(configuration.Layout.ObjectDirectory.ToString(context.PathTable), MoveDeleteTempDirectoryName);
         }
@@ -387,7 +392,8 @@ public static BuildXLEngine Create(
             TrackingEventListener trackingEventListener = null,
             bool rememberAllChangedTrackedInputs = false,
             string commitId = null,
-            string buildVersion = null)
+            string buildVersion = null,
+            bool enableCredScan = false)
         {
             Contract.Requires(context != null);
             Contract.Requires(buildViewModel != null);
@@ -403,7 +409,6 @@ public static BuildXLEngine Create(
             {
                 return null;
             }
-
             // Use a copy of the provided configuration. The engine mutates the configuration and invalidates old copies
             // as a safety mechanism against using out of date references. An external consumer of the engine may want
             // to use the same config for multiple engine runs. So make a copy here to avoid invalidating the config
@@ -413,10 +418,8 @@ public static BuildXLEngine Create(
             {
                 return null;
             }
-
             initialCommandLineConfiguration = mutableInitialConfig;
-
-            var frontEndContext = context.ToFrontEndContext(loggingContext);
+            var frontEndContext = context.ToFrontEndContext(loggingContext, enableCredScan: enableCredScan);
             frontEndController.InitializeHost(frontEndContext, initialCommandLineConfiguration);
 
             ConfigurationImpl configuration;
@@ -463,7 +466,8 @@ public static BuildXLEngine Create(
                 trackingEventListener,
                 rememberAllChangedTrackedInputs,
                 commitId,
-                buildVersion);
+                buildVersion,
+                enableCredScan);
         }
 
         /// <summary>
@@ -2927,7 +2931,6 @@ private ConstructScheduleResult ConstructSchedule(
                     cacheInitializationTask,
                     journalState,
                     engineState);
-
                 if (TestHooks != null)
                 {
                     TestHooks.GraphReuseResult = reuseResult;

Public/Src/Engine/Dll/EngineContext.cs

@@ -107,9 +107,9 @@ public static EngineContext CreateNew(CancellationToken cancellationToken, PathT
         /// Creates a new <see cref="FrontEndContext"/> and copies <see cref="PathTable"/>,
         /// <see cref="SymbolTable"/>, and <see cref="CancellationToken"/> over to it.
         /// </summary>
-        public FrontEndContext ToFrontEndContext(LoggingContext loggingContext)
+        public FrontEndContext ToFrontEndContext(LoggingContext loggingContext, bool enableCredScan = false)
         {
-            return new FrontEndContext(this, loggingContext, FileSystem);
+            return new FrontEndContext(this, loggingContext, FileSystem, enableCredScan);
         }
 
         /// <inheritdoc/>

Public/Src/Engine/UnitTests/Engine/DirectoryScrubberTests.cs

@@ -21,6 +21,7 @@
 using Mount=BuildXL.Utilities.Configuration.Mutable.Mount;
 using BuildXL.Processes;
 using BuildXL.Utilities.Collections;
+using BuildXL.FrontEnd.Sdk;
 
 namespace Test.BuildXL.Engine
 {
@@ -680,8 +681,7 @@ private static MountPathExpander CreateMountPathExpander(params TestMount[] moun
         private static ProcessBuilder CreatePipBuilderWithTag(TestEnv env, string tag = null)
         {
             var exe = FileArtifact.CreateSourceFile(AbsolutePath.Create(env.Context.PathTable, @"\\dummyPath\DummyFile.exe"));
-
-            var processBuilder = ProcessBuilder.Create(env.PathTable, env.PipDataBuilderPool.GetInstance());
+            var processBuilder = ProcessBuilder.Create(env.PathTable, env.PipDataBuilderPool.GetInstance(), env.FrontEndContext.CredentialScanner, env.FrontEndContext.LoggingContext);
             processBuilder.Executable = exe;
             processBuilder.AddInputFile(exe);
             if (tag != null)

Public/Src/Engine/UnitTests/EngineTestUtilities/TestEnv.cs

@@ -10,6 +10,7 @@
 using System.Runtime.CompilerServices;
 using System.Threading;
 using BuildXL.Engine;
+using BuildXL.FrontEnd.Sdk;
 using BuildXL.FrontEnd.Sdk.FileSystem;
 using BuildXL.Ipc.Common;
 using BuildXL.Pips;
@@ -91,6 +92,9 @@ public sealed class TestEnv : IDisposable
         /// <nodoc />
         public PipTable PipTable { get; private set; }
 
+        /// <nodoc />
+        public FrontEndContext FrontEndContext => FrontEndContext.CreateInstanceForTesting();
+
         /// <summary>
         /// Creates a new test environment which schedules pips with full scheduler validation, but which cannot execute pips.
         /// </summary>

Public/Src/Engine/UnitTests/Processes/Test.BuildXL.Processes.dsc

@@ -37,6 +37,13 @@ namespace Processes {
                 oldVersion: "0.0.0.0-4.1.4.0",
                 newVersion: "4.1.4.0", // Corresponds to: { id: "System.Numerics.Vectors", version: "4.5.0" },
             },
+            {
+                name: "System.Text.Json",
+                publicKeyToken: "cc7b13ffcd2ddd51",
+                culture: "neutral",
+                oldVersion: "0.0.0.0-6.0.0.0",
+                newVersion: "6.0.0.0",
+            },
         ],
         references: [
             EngineTestUtilities.dll,