From e941a7ce21f6f8a59b35d056ab94de118652a193 Mon Sep 17 00:00:00 2001
From: Mitch Zhu
Date: Thu, 20 Feb 2025 18:17:00 +0000
Subject: [PATCH] Install binskim through dotnet sdk
---
 .github/workflows/binskim.yaml | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/binskim.yaml b/.github/workflows/binskim.yaml
index b35ea84c54b6..b924ec15c164 100644
--- a/.github/workflows/binskim.yaml
+++ b/.github/workflows/binskim.yaml
@@ -22,25 +22,31 @@ jobs: echo "Installing dependencies..." sudo apt-get update sudo apt-get install -y git golang rustc cargo build-essential protobuf-compiler libprotobuf-dev expect libssl-dev clang libseccomp-dev btrfs-progs libdevmapper-dev cmake libfuse-dev + sudo add-apt-repository ppa:dotnet/backports + sudo apt-get install -y dotnet-sdk-9.0 aspnetcore-runtime-9.0 dotnet-runtime-9.0 zlib1g - - - name: Download and Install BinSkim + - name: Set up BinSkim run: | - echo "Downloading BinSkim..." - curl -L -o binskim https://github.com/microsoft/binskim/releases/latest/download/BinSkim-linux-x64 - chmod +x binskim - sudo mv binskim /usr/local/bin/ - echo "BinSkim installed successfully." - binskim --version || echo "BinSkim installed but no version command." + dotnet new console -n TempConsoleApp + cd TempConsoleApp + echo "Installing BinSkim version 1.9.5" + dotnet add package Microsoft.CodeAnalysis.BinSkim --version 1.9.5 + ls ~/.nuget/packages/microsoft.codeanalysis.binskim/ + sudo mv ~/.nuget/packages/microsoft.codeanalysis.binskim/ $GITHUB_WORKSPACE + echo "BinSkim files moved to: $GITHUB_WORKSPACE" + ls $GITHUB_WORKSPACE + echo "BINSKIM_EXECUTABLE=${GITHUB_WORKSPACE}/microsoft.codeanalysis.binskim/1.9.5/tools/netcoreapp3.1/linux-x64/BinSkim" >> $GITHUB_ENV - name: Build kata artifacts run: | + echo "Building kata-agent binary" agent_make_flags="LIBC=gnu OPENSSL_NO_VENDOR=Y DESTDIR=${AGENT_INSTALL_DIR} BUILD_TYPE=${AGENT_BUILD_TYPE}" agent_make_flags+=" AGENT_POLICY=yes" pushd src/agent/ make ${agent_make_flags} popd + echo "Building kata-runtime binary" runtime_make_flags="SKIP_GO_VERSION_CHECK=1 QEMUCMD= FCCMD= ACRNCMD= STRATOVIRTCMD= DEFAULT_HYPERVISOR=cloud-hypervisor DEFMEMSZ=0 DEFSTATICSANDBOXWORKLOADMEM=512 DEFVCPUS=0 DEFSTATICSANDBOXWORKLOADVCPUS=1 DEFVIRTIOFSDAEMON=${VIRTIOFSD_BINARY_LOCATION} PREFIX=${INSTALL_PATH_PREFIX}" runtime_make_flags+=" CLHPATH=${CLOUD_HYPERVISOR_LOCATION}" 
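Review bot: The new "Set up BinSkim" step exports `BINSKIM_EXECUTABLE` without checking that the file exists and is executable, whereas the removed step at least ran `binskim --version`; a wrong path or a missing execute bit would only surface in whichever later step invokes the scanner, which is not visible in this hunk. I would add a failing check before the export, for example `test -x "$binskim_path" || { echo "BinSkim not found at $binskim_path" >&2; exit 1; }`, with `binskim_path` built from a single `BINSKIM_VERSION` variable so the `dotnet add package --version 1.9.5` pin and the hard-coded `1.9.5` path segment cannot drift apart. The `sudo mv ~/.nuget/packages/microsoft.codeanalysis.binskim/ $GITHUB_WORKSPACE` line should quote the variable and probably does not need `sudo`, since both directories appear to belong to the runner user; moving the tool to `"$RUNNER_TEMP"` instead would keep the scanner binary out of the tree that the build steps write to. Separately, `sudo add-apt-repository ppa:dotnet/backports` has no `-y`, so it may prompt or fail in a non-interactive job.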
@@ -54,6 +60,7 @@ jobs: make all popd + echo "Building tardev-snapshotter service binary" pushd src/tardev-snapshotter/ make all popd