Run cve-bin-tool (#2490)

Author: mattleibow

scripts/azure-pipelines-cve.yml

@@ -0,0 +1,69 @@
+trigger: none
+
+pr: none
+
+parameters:
+  - name: buildId
+    displayName: 'The specific build ID to scan.'
+    type: string
+    default: 'latest'
+
+resources:
+  pipelines:
+    - pipeline: SkiaSharp
+      source: SkiaSharp
+      trigger: none
+
+pool:
+  name: Azure Pipelines
+  vmImage: ubuntu-20.04
+
+steps:
+
+  - task: UsePythonVersion@0
+    displayName: Switch to the correct Python version
+    inputs:
+      versionSpec: '3.x'
+      architecture: 'x64'
+
+  - pwsh: pip install cve-bin-tool
+    displayName: Install the CVE Binary Tool
+
+  - pwsh: cve-bin-tool --update now --nvd-api-key ${env:NVD_TOKEN}
+    displayName: Update the database
+    continueOnError: true
+
+  - template: azure-templates-download-artifacts.yml
+    parameters:
+      sourceBuildId: ${{ parameters.buildId }}
+      artifacts:
+       - name: nuget-signed
+
+  - pwsh: |
+      foreach ($nupkg in (Get-ChildItem output/*.nupkg)) {
+        $dest = "output/temp-nuget/$($nupkg.Name.TrimEnd('.nupkg'))"
+        Write-Host "Extracting '$nupkg' to '$dest'..."
+        Expand-Archive $nupkg $dest
+      }
+      New-Item output/logs -Type Directory -Force | Out-Null
+    displayName: Extract all the packages
+
+  - pwsh: |
+      cve-bin-tool output/temp-nuget --format html,console --output-file output/logs/report.html --triage-input-file scripts/guardian/cve-triage.json
+      Get-Content output/logs/report.txt | Write-Host
+    displayName: Run the CVE Binary Tool
+
+  - task: PublishPipelineArtifact@1
+    displayName: Upload the final report
+    condition: always()
+    inputs:
+      targetPath: output/logs
+      publishLocation: 'pipeline'
+
+  - pwsh: |
+      $content = (Get-Content output/logs/report.txt -Raw)
+      $content = '```' + [Environment]::NewLine + $content + [Environment]::NewLine + '```'
+      $content | Set-Content output/logs/report.txt
+      Write-Host "##vso[task.uploadsummary]$(Build.SourcesDirectory)/output/logs/report.txt"
+    displayName: Upload the build summary
+    condition: always()