[build] Fix BinSkim failure in 'Convert NuGet to MSI' job #10961

Merged
jonathanpeppers merged 1 commit into dotnet:main from jonathanpeppers:dev/peppers/binskim-msi-fix
Mar 18, 2026
@jonathanpeppers jonathanpeppers commented Mar 17, 2026

Context: https://devdiv.visualstudio.com/DevDiv/_build/results?buildId=13575957&view=logs&j=5b07041f-3ad2-50e1-dcc0-0b413b70a215&t=033d44a8-e06e-5493-047f-4acab20a6c86

The "Convert NuGet to MSI" job fails with:

    ##[warning]Could not parse glob pattern D:\a\_work\1\s\bin\Build*\** for argument Target. The value will be passed to the tool without resolution.
    BINSKIM : error ERR997.NoValidAnalysisTargets : No valid analysis targets were specified.
    ##[error]GuardianErrorExitCodeException: binskim completed with an Error exit code: 1. BinSkim failed. Verify the target(s) to be scanned.

This happens because the 1ES template applies sdl.binskim config globally to all jobs with no per-job override mechanism. The analyzeTargetGlob pattern bin\Build*\** (added in #10940, fixed in #10953) only matches build/test job output directories, but the MSI conversion job has no bin\Build*\ directory — it produces output under bin\msi-nupkgs\ instead.

Add bin\msi-nupkgs\** to the glob so the MSI conversion job has valid scan targets.

The 'Convert NuGet to MSI' job fails with:

    Could not parse glob pattern D:\a\_work\1\s\bin\Build*\**
    BINSKIM : error ERR997.NoValidAnalysisTargets : No valid analysis targets were specified.

This happens because the 1ES template applies sdl.binskim config globally
to all jobs. The analyzeTargetGlob pattern 'bin\Build*\**' only matches
build/test job output directories, but the MSI conversion job has no
bin\Build*\ directory — it produces output under bin\msi-nupkgs\ instead.

Add bin\msi-nupkgs\** to the glob so the MSI conversion job has valid
scan targets.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
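
A preflight check for the failure mode described in this pull request, as an added example that is not code from the PR or from the 1ES template: it evaluates a globally applied set of scan globs against each job's output listing and reports the jobs that would be left with no analysis targets. The job names, file paths and glob semantics (`*` within one path segment, `**` across segments, case-insensitive) are assumptions made for the illustration.

```python
import re

# Constructed sample data: per-job output listings (job names and files are hypothetical).
JOB_OUTPUTS = {
    "build": [
        r"bin\BuildRelease\lib\example.dll",
        r"bin\TestRelease\example.Tests.dll",
    ],
    "convert-nuget-to-msi": [r"bin\msi-nupkgs\example.msi"],
}

def glob_to_regex(pattern):
    """Assumed semantics: '*' and '?' stay inside one path segment, '**' spans segments."""
    tokens = re.split(r"(\*\*|\*|\?)", pattern.replace("\\", "/"))
    translate = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    body = "".join(translate.get(t, re.escape(t)) for t in tokens)
    return re.compile(body, re.IGNORECASE)  # Windows paths compare case-insensitively

def matched_files(files, patterns):
    """Return the files selected by at least one glob in the shared configuration."""
    regexes = [glob_to_regex(p) for p in patterns]
    return [f for f in files
            if any(r.fullmatch(f.replace("\\", "/")) for r in regexes)]

def jobs_without_targets(job_outputs, patterns):
    """Jobs for which the shared glob set selects nothing (the ERR997 condition)."""
    return [job for job, files in job_outputs.items()
            if not matched_files(files, patterns)]

if __name__ == "__main__":
    before = [r"bin\Build*\**"]
    after = [r"bin\Build*\**", r"bin\msi-nupkgs\**"]
    for label, patterns in (("before", before), ("after", after)):
        print(label, "jobs with no scan targets:",
              jobs_without_targets(JOB_OUTPUTS, patterns))
```

Running the same check with each job's real file listing before changing a shared scan glob shows which jobs the change would leave unscanned or failing.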
Copilot AI review requested due to automatic review settings March 17, 2026 17:42

Copilot AI left a comment

Pull request overview

Updates the 1ES SDL BinSkim configuration in the main Azure Pipelines definition to ensure security scanning includes outputs from the NuGet-to-MSI conversion job while continuing to avoid scanning test outputs that generate known false positives.

Changes:

  • Expand binskim.analyzeTargetGlob to include both build outputs (bin\Build*\**) and MSI conversion outputs (bin\msi-nupkgs\**).
  • Add clarifying comments explaining why multiple patterns are needed and why bin\Test* is intentionally excluded.

@jonathanpeppers
Member Author

/azp run

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@jonathanpeppers jonathanpeppers merged commit 0f6a01b into dotnet:main Mar 18, 2026
9 of 40 checks passed