dependency-check / azuredevops

Dependency Check Azure DevOps Extension
Apache License 2.0

Can you elaborate why the extension needs Build execute permissions? #129

Open Zacharias3D opened 11 months ago

Zacharias3D commented 11 months ago


Hi there,

we've noticed that the DevOps extension needs "Build (read and execute)" permissions and we were wondering why the execute is needed.

Can someone elaborate?

Thanks!

HaGGi13 commented 10 months ago

Hello,

AFAIK, and as I saw in the code, the extension uploads the analysis result and, if enabled (verbose logging), the log file to the build artifacts. You'll find the code in the following snippet in lines 218 and 2023:

https://github.com/dependency-check/azuredevops/blob/c4e46d015524bc5ce61361813c118076f7a8e13b/src/Tasks/dependency-check-build-task/dependency-check-build-task.ts#L208-L224

As you'll find in the MS Docs > Supported scopes, this can be done with scope vso.build_execute that was defined for this extension.

BR, CW
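For readers who want to see where a scope like the one mentioned above is declared: an Azure DevOps extension requests its OAuth scopes in the `scopes` array of its `vss-extension.json` manifest, and that list is what an organization administrator is shown as "Build (read and execute)" at install time. The fragment below is an added illustration, not the dependency-check extension's own manifest; the `id`, `publisher`, `name` and `version` values are placeholders, while `vso.build_execute` is the documented Azure DevOps scope name referenced in this thread.

```json
{
  "manifestVersion": 1,
  "id": "example-extension-id",
  "publisher": "example-publisher",
  "version": "0.0.1",
  "name": "Example extension (placeholder manifest, not the real one)",
  "scopes": [
    "vso.build_execute"
  ]
}
```

The narrower, read-only counterpart of this scope is the documented `vso.build` scope. Whether the artifact upload done by the task still works with only that scope is exactly the open question in this thread, so the practical check is the one proposed below: build the extension with `vso.build` in place of `vso.build_execute`, install it in a test organization, and confirm that the report and log artifacts are still published.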

Zacharias3D commented 10 months ago

Hi @HaGGi13!

Thanks for your answer. I don't agree that publishing artifacts needs the "Build & Execute" permission. IMO the Microsoft Doc states that the permission is needed to access already built artifacts, but I might be wrong here.

Still, if your statement is correct, the "Build"-permission should suffice.

I would advise the developers of the extension to test the extension w/o granting the "Build & Execute"-permissions and see whether all the features are still working properly.

The reason I think this is so important is that CVE checks will mostly be used in pipelines by companies which have to comply with certain security guidelines. Granting a DevOps extension, which does not have the greatest popularity or developer count and updates itself more or less regularly, the "Build & Execute" permission might seem very critical to those companies.

Anyways, thanks a lot for your response! I just think that you need no permissions to publish pipeline artifacts from an extension.

Greetings, Zacharias3D