
HOWTO: SCA Integration with BuildMaster


By connecting your BuildMaster instance to an existing ProGet instance, you can use ProGet's Software Composition Analysis (SCA) features. ProGet will analyze the packages in your builds and raise issues, which lets you block deployment at chosen stages of your pipeline while issues exist in those packages. You can also block deployment when a build depends on pre-release packages.

This guide explains how to configure your BuildMaster application to use ProGet SCA.

Step 1: Connect to ProGet

To connect your BuildMaster instance to ProGet you will need to generate an API key in ProGet first.

In your ProGet instance, navigate to "Administration" > "API Keys & Access Logs" under "Security & Authentication" and select "create api key". The key needs at least "Manage Projects & Releases" selected; also select "Upload SBOM documents" if you intend to upload SBOM documents (for example via pgscan, as in Step 2).

(Screenshot: API Key)

Select "Save". Then in your BuildMaster instance, navigate to "Administration" > "API ProGet Integration" under "Security & Authentication", and select "Connect to ProGet". You will also be given the option to do this from the home page.

(Screenshot: API Key)

From here enter the ProGet server URL and your API Key.

(Screenshot: Enter API Key)

Step 2: Edit Build Script

Next, edit your Build script by navigating to "Settings" > "Scripts" and selecting your Build.

(Screenshot: Script Edit)

From here, select the ProGet feed you will use as your Package Source for your application. In this example we will be using ::public-nuget. You will also need to check "Scan for packages dependencies and record in ProGet". Then select "Save".

(Screenshot: Script Template)

Checking the "Scan for packages dependencies and record in ProGet" box will add pgscan to the Build Script. This will inspect built/compiled code, generate an SBOM document, and publish it to ProGet. We can see this as part of the Build script by viewing it in OtterScript:

(Screenshot: OtterScript view of the Build script)

Step 3: Create a Build

Now, create the build by navigating to "Builds" > "Create New Build" and selecting "Create Build".

(Screenshot: Create Build)

You can now view the packages in this build by selecting it under "Builds" > "View Builds" and selecting the "Packages and Dependencies" tab.

(Screenshot: View Packages)

Step 4: Edit Pipeline

Next, edit your Pipeline to add requirements at different stages to prevent deployment when package issues exist. Navigate to "Settings" > "Pipelines" and select "edit".

(Screenshot: Edit Pipelines)

Scroll to the stages you wish to add requirements to and select "add". Then select "Edit Packages/Dependencies".

(Screenshot: Edit Packages)

In this example, we are going to check "No open issues" at the testing stage and "No unstable (pre-release) dependencies" at the production stage.

(Screenshot: Checks)

After making your changes scroll back to the top and select "Commit Changes" to finalize the pipeline.

Step 5: Deploy to Testing

We can see that the pipeline is now blocked as a license issue exists in one of our packages.

(Screenshot: Testing Blocked)

To resolve this, navigate to the "Packages and Dependencies" tab and select "Resolve Issue in ProGet", which will direct you to the "Issues" tab in your application's "Project".

(Screenshot: Issues)

From here, select the issue, and select "Resolve".

(Screenshot: Resolve)

Navigating back to your BuildMaster instance, the pipeline is now unblocked.

(Screenshot: Unblocked)

Select "Deploy" and then select "Deploy to Testing".

(Screenshot: Deploy Build)

Step 6: Deploy to Production

The pipeline is now blocked at this stage because one of the dependencies is a pre-release package.

(Screenshot: Production Blocked)

You can resolve the issue by using an acceptable release package, but for the purpose of demonstration, we will force deployment at this stage.

Step 7: (Optional) Force Deployment

On occasion, you may wish to deploy despite issues such as license problems or pre-release packages. In this case, you have the option of forcing deployment. In your pipeline, select "Force".

(Screenshot: Force Deploy)

Next, select "force" and then "Force Promotion" to deploy at the Production stage.

(Screenshot: Force Build)

Your application will now deploy.

(Screenshot: Deployed)