From fb7e1f133f467a534065e2ad4ab7e6b6005bbfe9 Mon Sep 17 00:00:00 2001
From: Yi Zhang
Date: Wed, 28 Jun 2023 06:40:49 +0800
Subject: [PATCH] [Fix] TSA Upload failed in nuget pipeline. (#16476)
### Description
partially revert PR #16244.
### Motivation and Context
npm pipeline couldn't triggered if nuget pipeline status is warning.
### Test Run
https://dev.azure.com/aiinfra/Lotus/_build/results?buildId=321873&view=logs&s=b17bed5b-cc14-5026-390a-fb2feea063f2
---
 .../nuget/templates/dml-vs-2022.yml | 2 +
 .../azure-pipelines/templates/compliance.yml | 49 +++++++++++++++++--
 2 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/tools/ci_build/github/azure-pipelines/nuget/templates/dml-vs-2022.yml b/tools/ci_build/github/azure-pipelines/nuget/templates/dml-vs-2022.yml
index 94795c711c..0b8a7f642b 100644
--- a/tools/ci_build/github/azure-pipelines/nuget/templates/dml-vs-2022.yml
+++ b/tools/ci_build/github/azure-pipelines/nuget/templates/dml-vs-2022.yml
@@ -278,6 +278,8 @@ stages:
 - template: ../../templates/compliance.yml
 parameters :
 msbuildPlatform: ${{ parameters.sln_platform }}
+ ${{ if eq(variables.vsVersion, '2019') }}:
+ vs2022: false
 - template: ../../templates/component-governance-component-detection-steps.yml
 parameters :
diff --git a/tools/ci_build/github/azure-pipelines/templates/compliance.yml b/tools/ci_build/github/azure-pipelines/templates/compliance.yml
index c48c873a92..b0722cecdc 100644
--- a/tools/ci_build/github/azure-pipelines/templates/compliance.yml
+++ b/tools/ci_build/github/azure-pipelines/templates/compliance.yml
@@ -4,6 +4,11 @@ parameters:
 type: string
 default: x64
+- name: vs2022
+ displayName: If the Visual Studio version is 2022
+ type: boolean
+ default: true
+
 steps:
 - task: CredScan@2
 displayName: 'Run CredScan'
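Review bot: In dml-vs-2022.yml the added `${{ if eq(variables.vsVersion, '2019') }}:` is a template expression, so it is resolved when the pipeline is compiled and only sees variables declared statically in YAML. Where `vsVersion` is defined is outside this hunk; if it is set at queue time or by an earlier step, the condition is false and `vs2022` silently keeps its default of `true`. The PREfast step in compliance.yml would then use the VS 2022 MSBuild path, and because that step has `continueOnError: true` the failed analysis would surface only as a warning. I would add a comment above the condition, `# vsVersion must be a compile-time (YAML-defined) variable; otherwise compliance.yml falls back to VS 2022`, or pass the version in as a template parameter.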
@@ -18,10 +23,44 @@ steps:
 arguments: 'analyze $(Build.BinariesDirectory)\RelWithDebInfo\RelWithDebInfo\*.dll --recurse --verbose'
 continueOnError: true
-- task: TSAUpload@2
- displayName: 'TSA upload'
- condition: and (succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+- task: DeleteFiles@1
+ displayName: 'Delete files from $(Build.BinariesDirectory)\RelWithDebInfo'
 inputs:
- GdnPublishTsaOnboard: false
- GdnPublishTsaConfigFile: '$(Build.sourcesDirectory)\.gdn\.gdntsa'
+ SourceFolder: '$(Build.BinariesDirectory)\RelWithDebInfo'
+ Contents: |
+ **/*.obj
+ **/*.pdb
+ **/*.dll
+#Manually set msBuildCommandline so that we can also set CAExcludePath
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-prefast.SDLNativeRules@2
+ displayName: 'Run the PREfast SDL Native Rules for MSBuild'
+ inputs:
+ userProvideBuildInfo: msBuildInfo
+ msBuildArchitecture: x64
+ ${{ if eq(parameters.vs2022, false)}}:
+ msBuildVersion: 16.0
+ msBuildCommandline: '"C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\MSBuild\Current\Bin\amd64\msbuild.exe" "$(Build.BinariesDirectory)\RelWithDebInfo\onnxruntime.sln" /p:platform="${{parameters.msbuildPlatform}}" /p:configuration="RelWithDebInfo" /p:CAExcludePath="$(Build.BinariesDirectory);$(Build.SourcesDirectory)\cmake;C:\program files (x86)" /p:VisualStudioVersion="17.0" /m /p:PreferredToolArchitecture=x64'
+ ${{ else }}:
+ msBuildVersion: 17.0
+ msBuildCommandline: '"C:\Program Files\Microsoft Visual Studio\2022\Enterprise\MSBuild\Current\Bin\amd64\msbuild.exe" "$(Build.BinariesDirectory)\RelWithDebInfo\onnxruntime.sln" /p:platform="${{parameters.msbuildPlatform}}" /p:configuration="RelWithDebInfo" /p:CAExcludePath="$(Build.BinariesDirectory);$(Build.SourcesDirectory)\cmake;C:\program files (x86)" /p:VisualStudioVersion="17.0" /m /p:PreferredToolArchitecture=x64'
+ continueOnError: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-report.SdtReport@1
+ displayName: 'Create Security Analysis Report'
+ inputs:
+ BinSkim: true
+ BinSkimBreakOn: WarningAbove
+ CredScan: true
+ SDLNativeRules: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-publishsecurityanalysislogs.PublishSecurityAnalysisLogs@2
+ displayName: 'Publish Security Analysis Logs'
+ continueOnError: true
+
+- task: securedevelopmentteam.vss-secure-development-tools.build-task-uploadtotsa.TSAUpload@1
+ condition: and (succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
+ displayName: 'TSA Upload'
+ inputs:
+ tsaVersion: TsaV2
+ codeBaseName: 'onnxruntime_main'
 continueOnError: true
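Review bot: In the `${{ if eq(parameters.vs2022, false)}}` branch of the SDLNativeRules step, `msBuildVersion: 16.0` and the VS 2019 MSBuild path are paired with `/p:VisualStudioVersion="17.0"`, which looks copied from the 2022 branch; presumably it should read `/p:VisualStudioVersion="16.0"`. The SDLNativeRules, PublishSecurityAnalysisLogs and TSAUpload steps all carry `continueOnError: true`, so a PREfast run that fails on the mismatched toolset, or an upload that fails, yields only a warning. The native-rules results could then be missing from the report and from TSA without anyone noticing. A comment above these steps stating that the failures are deliberately non-blocking, and where the warnings are reviewed, would make that trade-off explicit.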