Home on Codewrecks

AI Browser Agents and Security: Isolation Levels to Protect Your Digital Life

Mon, 02 Feb 2026 06:00:00 +0000

AI browser agents are becoming increasingly powerful. Tools like Anthropic’s Claude, OpenAI’s Operator, and similar products can navigate the web on your behalf, clicking buttons, filling forms, and interacting with services. This is incredibly useful, but it introduces a security problem that many people overlook.

If the AI controls a browser where you are logged into all your primary accounts, you are giving it the keys to your digital life.

Why VS Code for C# Developers

Tue, 06 Jan 2026 06:00:00 +0000

If you’re a C# developer who has relied on a full Visual Studio IDE for years, Visual Studio Code (VS Code) might look like too small a tool for serious work. In reality with big solutions you will find full Visual Studio more productive but Visual Studio Code now has some specific features that makes it more useful especially for small project.

C# Developer Toolkit

For productive C# development in VS Code you only need a few well-chosen pieces: the .NET SDK and dotnet CLI, the official C# extension (OmniSharp) for IntelliSense and debugging, a Test Explorer adapter for running unit tests, and a couple of linters/analysers (EditorConfig, Roslyn analyzers or StyleCop) to keep code consistent. These core tools give you a fast edit-build-test loop while keeping your environment simple and reproducible.

GitHub Copilot Plan-Then-Execute: Leveraging Background Agents and Git Worktrees

Sat, 03 Jan 2026 10:00:00 +0000

GitHub Copilot: Plan Then Execute in Background with Git Worktree

GitHub Copilot’s recent evolution has introduced a revolutionary capability that fundamentally changes how developers can delegate work to AI: the ability to plan first and then execute in background using git worktrees. This feature represents a real evolution of your everyday worfklow with AI coding assistants.

The Problem with Synchronous AI Development

When working with traditional AI assistants in the IDE, we often find ourselves in a situation of tight coupling between us and the AI: the process is synchronous, it is like asking to a colleague to write some code, then wait for them to finish and review. The problem with AI assistant is that I do not want to waste my time waiting for it to finish: I want to be able to delegate the work and continue working on other tasks while the AI works in background and finally presents me with the results.

First experiments with Claude Code - Writing specs

Sat, 02 Aug 2025 06:00:00 +0000

When vibe coding, detailed specifications are highly advisable. The more freedom given to the model, the more the result can deviate from your needs.

Using a model to help write detailed specifications is an easy way to accomplish this.

This allows you to quickly generate good, detailed specs that you can manually refine. I often use various models with Open Web UI for this.

Now that Claude Code offers agents, and creating an agent is simple, I immediately tried creating agents to automate this process. The results are promising, but not perfect. Claude Code seems focused on writing code and tends to over-deliver. Starting with a simple idea and asking Claude Code to create an agent for brainstorming detailed specifications yields good results, but how good are they?

Call o3-pro in Azure OpenAI using C# SDK

Wed, 16 Jul 2025 06:00:00 +0000

Azure OpenAI supports now o3-pro model. This model is different from other ones, here is a brief summary of its advantages: The o3-pro model excels at advanced reasoning, delivers high accuracy, supports long-context tasks, and integrates powerful tools like web search and code execution. It’s cost-effective, reliable, and ideal for complex workflows in research, business, and creative fields.

You can find tons of example on how you can call Azure OpenAI models with C# Nuget Package but o3-pro is a slightly different beast. The usual problem is you will use existing code and you got this error.

Pin GitHub action SHA to avoid security risk

Sun, 16 Mar 2025 08:00:00 +0200

The problem

When you author GitHub action pipelines, you usually use third party actions, that can be easily referenced in your workflow with simple syntax.

Usually you refer to a github action in your workflow with the following syntax

1
2
3
4
5


- name: Setup Hugo
 uses: peaceiris/actions-hugo@v2
 with:
 hugo-version: '0.128.0'
 extended: true

This is the standard way to use a third party action inside your workflow, you specify the name of the repository in the uses part of the step, and then specify parameters.

SonarCloud analysis in GitHub Actions

Fri, 28 Feb 2025 06:00:00 +0200

Running Sonar Cloud analysis on your open source project is usually a good thing, it is free, it gives you tons of useful information and you can automate everything for free with GitHub Actions.

I’ve dealt with this ckind of functinoality before in my blog, today I want just to show how to create a GH action that works in linux, because usually if you take the original action from SonarCloud site it will use a windows machine for building.

Understanding Azure DevOps Pipeline Statistics

Tue, 11 Feb 2025 08:00:00 +0200

Pipeline statistics in Azure DevOps provide a wealth of information that can help you understand the performance and efficiency of your pipelines. Even with really basic informations you can have interesting information. Lets examine

Figure 1: Pipeline statistics dashboard in Azure DevOps

My favorite information (1) is the 80th percentile of pipeline duration, this indicates me if for some reason some pipeline is becoming slower. Actually in Figure 1 I can see that seems to be an increase in pipeline duration. With (2) you can immediately understand which is the step that predates the execution time. In this example it is not a mistery, the IN-PROCESS step is actually running a full suite of integration test that uses MongoDB, Elasticsearch, and a complex software end-to-end without the UI.

Pill: Problems in Azure DevOps Pipelines due to Shallow Fetch

Sun, 02 Feb 2025 06:00:00 +0200

In Azure DevOps, pipelines are a fundamental component for automating the build and release process. One of the key optimizations in these pipelines is the use of shallow fetch when cloning repositories. Unlike a full clone, which downloads the entire history of the repository, a shallow fetch retrieves only the specific commit needed for the build. This is a really welcomed feature, because repositories can contain years of history, or they can have some big file committed by error in some older commit.

Azure DevOps Pills: Hide not used features from Team Projects

Tue, 21 Jan 2025 08:12:42 +0200

Azure DevOps is a really complete set of functionalities to manage your Development Team and more. As you can see from Figure 1, it has five main Macro Set of Features that you can use. All these features are visible in the five icons in the lower right part of the card of each Team Project

Figure 1: AzDo five main features blocks

The very same five macro Feature set is visible on the left menu when you work with the detail of the Team Project. These part are, left to right

Azure DevOps Pills: Differences between old and new release pipeline

Sun, 05 Jan 2025 08:12:42 +0200

Happy New Year to everyone. Today I’ll deal with a common question I got from customer regarding Azure DevOps release pipeline. The problem arise because we already had a GUI based pipeline in the past and then we had a fully YAML pipeline so people are somewhat puzzled on which one to use in their scenario.

When you have two way to do the same thing you are often confused on which tool to use to reach your goal

Azure DevOps Pills: Cleanup on premise pipeline agents

Mon, 02 Dec 2024 08:00:42 +0200

Managing pipeline/build agents is something that you should avoid if possible, preferring docker based agents or Microsoft hosted agents. Sometimes this is not a viable options, especially if you have lots of integration tests, that runs on mongodb/elasticsearch/etc etc. While it is quite simple to create a pipeline that uses docker to run these prerequisites speed is sometimes a problem that makes this solution not so feasible.

Azure DevOps has a cost for pipeline that is based on concurrent execution, so it is quite important that pipelines run fast to use less license but, more important, to give a quick feedback to the team. For this reason, we use physical machines, with quick NVMe Disks, RAM and Mongodb / Elastic / SQL installed on bare metal for maximum speed for integration tests.

Pills: Accessing your Git Repositories in Azure DevOps in Linux

Mon, 18 Nov 2024 08:10:42 +0200

When you need to access your Git Repositories hosted on Azure DevOps in Linux, you have basically two distinct options.

The first one is the classic ssh protocol, that is well know to everyone working with linux systems.

Figure 1: Choosing SSH as protocol to clone from Azure DevOps

This is the preferred way to access from linux system but sadly, Azure DevOps still not support Hardware Key based SSh keys, so you are limited to use standard RSA keys as you can see in Figure 2. Actually this is quite a limitation for those used to Yubikeys or Google Titan keys.

Using Castle Windsor in .NET 8

Thu, 14 Nov 2024 08:00:00 +0200

Microsoft introduced Dependency Injection in the base framework with .NET Core, but until then, with the classic framework, we used external libraries, I’ve used Castle Windsor for years without any problem, but when .NET 8 was out, we start having tons of problems.

The main problem is that with .NET 8 Microsoft introduced a concrete and working implementation of Named Dependencies, you can find some details here. The problem is that Castle Windsor Adapter does not work with keyed services, so I wrote with my friend Alessandro a working version, that is still in PR with the official driver.

Pill: Unable to change Work Item type in Azure DevOps

Wed, 13 Nov 2024 08:10:42 +0200

Today I got a strange error in Azure DevOps, I create a new Product Backlog Item, while I was writing it I realized that it would be better to create a Bug Type. My natural reaction was, save and then use the Change Type command, but I got this error.

Figure 1: Error Changing a Work Item Type

Work item type(s) cannot be moved because it is disabled, hidden or not supported.

Pills: Connect Azdo to external software

Mon, 21 Oct 2024 06:10:42 +0200

In our team, everything regarding developing is kept in Azure DevOps, but other informations are stored inside a custom software, so we often have the need to jump between a system and the other one. The actual connection is, one element in our software is bound to one or more Work Items in Azure DevOps.

Desired result is: Ability to easily create a connection between the two, reduce the need to jump between the two system to see key information.

Azure DevOps: Cleanup Docker images for your Pull Requests

Tue, 09 Jul 2024 07:00:42 +0000

This article is a prosecution of the previous one on creating Docker Images for your Pull Requests and deals with cleanup of your Docker Registry.

Authentication to Azure

In Azure DevOps you can use connected services to connect to Azure Accounts or external services, but since I’m using mainly PowerShell scripts inside my repository, I often prefer using a Service Principal. This is a good practice because you can limit the access of the service principal to only the resources it needs to access, and you can revoke the access at any time.

Azure DevOps: Create Docker images for a Pull Request

Sun, 07 Jul 2024 07:00:42 +0000

The whole Pull Request process mechanism has a single purpose, have a better quality of the code that reach develop or generally speaking main branch. The ability to share the code and being able to get feedback from other members of the team is invaluable, but it is enough?

The basic concept is: develop is a branch that should be considered production and it is not uncommon for teams to deploy develop branch automatically in internal production servers, a procedure called dogfooding. Here in Nebula Team we deploy automatically develop branch in our internal production servers, and sometimes you intercept bug before they hit master and production of all customer.

GitHub Copilot Workspace: first impression

Thu, 13 Jun 2024 06:00:00 +0000

I have the luck to have enabled the technical preview of Github Copilot Workspace. As every good developer, I immediately jump at it, without reading anything (spoiler you have a good user manual) that can be used to move your first steps into this marvelous world. Not reading the documentation is for me a good way to start using it and verify how intuitive is the tool and what it can do into a real project.

Azure DevOps: Package source mapping in pipeline

Tue, 21 May 2024 07:00:42 +0000

If you use more than one Nuget Feed in your solution and especially if you are using central package versioning, you probably got a warning telling you to use Package Source Mapping. The process is straightforward, it consist in modifying your nuget.config file to specify for each package the source feed where nuget can find the package.

Here is an example for a solution I’m working:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25


<?xml version="1.0" encoding="utf-8"?>
<configuration>
 <packageRestore>
 <add key="enabled" value="True" />
 <add key="automatic" value="True" />
 </packageRestore>
 <activePackageSource>
 <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
 <add key="ProximoAzDo" value="https://pkgs.dev.azure.com/xxx/_packaging/yyy@Local/nuget/v3/index.json" />
 </activePackageSource>
 <packageSources>
 <add key="nuget.org" value="https://api.nuget.org/v3/index.json" />
 <add key="ProximoAzDo" value="https://pkgs.dev.azure.com/xxx/_packaging/yyy@Local/nuget/v3/index.json" />
 </packageSources>

 <packageSourceMapping>
 <packageSource key="nuget.org">
 <package pattern="*" />
 </packageSource>
 <packageSource key="ProximoAzDo">
 <package pattern="Jarvis*" />
 <package pattern="Proximo*" />
 </packageSource>
 </packageSourceMapping>
</configuration>

As you can see I have two different feed, one is nuget.org and the other is a private feed hosted in Azure DevOps. In the ProximoAzdo I can simply specify with wildcard the name of the packages that are to be taken from that specific feed, while the nuget.org has the generic * and is used for anyhing else.

GitHub action with ElasticSearch integration tests and SonarCloud

Tue, 23 Apr 2024 08:00:00 +0200

I blogged in the past on how you can Analyze you code with SonarCloud in a GitHub action. Things changed a little in the latest year but in this post I want to examine a different aspect running tests that rely on external service, like ElasticSearch. Running integration test in GH action is a little more complex than running unit tests, because you need to setup the environment but thanks to docker usually this can be done with a little effort.

Pill: Create an environment in an AzDo pipeline

Tue, 19 Mar 2024 08:10:42 +0200

Scenario: We have to create a new environment for a new customer, and an environment consists of some resources on Azure, plus an environment in azure DevOps to use with deploy pipeline. Since we are deploying with Azure DevOps pipeline, it makes sense to create everything for new customer environment with another pipeline.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34


stages: 
 
 - stage: create_environment
 jobs:
 - job: create_environment
 displayName: "Create environment if not present"
 pool:
 vmImage: windows-latest
 steps:
 - powershell: |
 write-Host "We are about to create the environment with api if not present"
 
 # Need to create the token in basic auth
 $AuthHeaders = @{
 "Authorization" = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(":$(AccessToken)")) 
 "Content-Type" = "application/json"
 }
 $listEnvironment = Invoke-RestMethod -uri "https://dev.azure.com/org/teamproject/_apis/distributedtask/environments?api-version=7.1-preview.1" -Headers $AuthHeaders

 # Now check if some of the environment already was present in the list.
 $envExisting = $listEnvironment.value | Where-Object { $_.name -eq "$(customer_fullname)" }

 if ($envExisting) {
 Write-Host "The environment already exists"
 exit 0
 } 
 
 # Create an environment because it does not exists
 $createEnvPayload = @{
 name = "$(customer_fullname)"
 description = "Created by pipeline"
 } | ConvertTo-Json
 $createUri = "https://dev.azure.com/org/teamproject/_apis/distributedtask/environments?api-version=7.1-preview.1";
 Invoke-RestMethod -uri $createUri -method POST -Headers $AuthHeaders -Body $createEnvPayload

As you can see the stage contains a job that is used to create an environment. This is based on a secret contained in the pipeline called AccessToken that is used to authenticate to Azure DevOps REST API. The script is quite simple, it first retrieves the list of environments and then checks if the environment is already present. If it is not present, it creates a new environment with a simple POST request to the REST API of Azure DevOps.

Pills: Enhancing Azure DevOps WorkItems with Hyperlinking to External Documentation

Tue, 12 Mar 2024 08:12:42 +0200

A frequently overlooked feature that can significantly enhance functionality in Azure DevOps is the ability to attach links to a WorkItem. A common question among users is: “Can I manage documentation in tools like SharePoint and then easily link it to my project in Azure DevOps?” This query arises because there’s often a limitation on how much text can be written directly into a WorkItem, and it’s convenient to attach documentation.

Pills: What to do when dotnet restore failed with 401 against an internal feed

Fri, 23 Feb 2024 08:10:42 +0200

This is an argument I’ve already discussed in the past in A post about nuget authentication. From a couple of days, in a project I’m working into the service started to return 401 even with the technique described in the aforementioned post.

The sympthom is this error in the script that executed dotnet restore command.

 Unable to load the service index for source https://pkgs.dev.azure.com/organizaion/_packaging/FeedName@Local/nuget/v3/index.json.
 Response status code does not indicate success: 401

In such a situation here is what you need to do to try to solve the problem.

Azure Devops Api - Update list of allowed values for Custom Fields

Thu, 22 Feb 2024 07:12:42 +0200

The ability to customize process of Azure DevOps is one of the most powerful feature of the platform. Usually you add custom fields to work items to allow tracking information related to your own process and for your organization. One of the most common question I got usually is:

How can I create a field that allows for a series of values that is taken from a database of mine?

Pills: Exploring Agent Options in Azure DevOps Pipelines: Managed vs. Self-Hosted

Thu, 01 Feb 2024 08:10:42 +0200

When configuring Azure DevOps pipelines, developers have a choice to make regarding the execution environment for their pipelines: they can either leverage Microsoft-managed agents provided in Azure or opt to self-host agents on their own infrastructure, whether that be on-premises virtual machines or cloud-based instances. One of the first question that arise is: which I need to use for my organization? Let’s explore the pro and cons of each option.

Pills: Do not miss repository policies in Azure DevOps

Fri, 19 Jan 2024 08:10:42 +0200

If you use Azure DevOps, it’s worth checking in repository settings page all the settings related to the policies of the repository itself. This is because often this type of setting is completely ignored, and you lose the opportunity to have very important controls on the repository itself.

As you can see in Figure 1, there are many interesting policies that can help your team to keep a nice and healty repository.

Pill: Include files in your publish profile for C# projects

Tue, 16 Jan 2024 08:00:00 +0200

When publishing an ASP.NET core web project, it’s often necessary to include certain files external to the Visual Studio solution but that are logical part of the project. A typical example is frontend build from angular projects. For web projects, it’s also common to include some static resources that might be outside of the web project, like images or files.

At this point, we want the Azure DevOps pipeline to correctly include all these external files in the final artifacts.

Pill: Enhancing DevOps with Automated Pull Requests

Fri, 12 Jan 2024 08:10:42 +0200

Pull requests are a cornerstone of collaborative software development, particularly with distributed version control systems like Git and platforms such as GitHub or Azure DevOps. However, managing pull requests can become cumbersome, particularly for branches undergoing extensive modifications and receiving frequent feedback. This complexity is evident when preparing a pull request only to find it needs additional changes due to peer review, necessitating a complete retest of the code.

Such workflows highlight the challenges in finalizing a branch. Developers often find themselves continuously switching to the branch in question to change the code based on other members feedback, re test everything, signal to other members that the PR is updated then move to another branch and repeat. This is where a comprehensive suite of automated tests, including end-to-end tests, becomes invaluable. These tests should cover the entire spectrum of the development process: building the solution, packaging artifacts, deploying to a test server, and conducting basic functionality checks.

Resolving .NET8 SDK Resolver Failure in Azure DevOps Pipelines

Fri, 05 Jan 2024 07:10:42 +0200

I encountered a problem with a simple pipeline designed for building a .NET Core project, which I had recently updated to .NET8. After updating the pipeline file to use the new version of the SDK, I faced an unexpected issue: all builds started failing with this error.

##[error]src\Intranet\Jarvis.Common.Shared\Jarvis.Common.Shared.csproj(0,0): Error MSB4242: SDK Resolver Failure: "The SDK resolver 'Microsoft.DotNet.MSBuildSdkResolver' failed while attempting to resolve the SDK 'Microsoft.NET.Sdk'. Exception: 'Microsoft.NET.Sdk.WorkloadManifestReader.WorkloadManifestCompositionException: Manifest provider Microsoft.NET.Sdk.WorkloadManifestReader.SdkDirectoryWorkloadManifestProvider returned a duplicate manifest ID '16.4.8968-net8-rc2'.

I was really puzzled because I had the same SDK directory on my computer, and it was workgin without any issues, but failing on that build server.

GitHub Secrets Scanning and Push Prevention

Thu, 04 Jan 2024 08:00:00 +0200

The risk of inadvertently including secrets in your Git repository has significantly increased in recent years. GitGuardian, a company providing solutions to prevent secret leakage in repositories, reports astonishing numbers regarding the quantity of secrets leaked in Git repositories. State of Secrets Sprawl Report 2023

Figure 1: More than 10 million secrets leaked, and the number raises every year

Allow easy source debugging for Nuget Packages and GitHub

Sun, 31 Dec 2023 08:00:00 +0200

In my previous blog posts, I’ve extensively discussed how to publish symbol libraries for .NET in Azure DevOps / Team Foundation Server. Azure DevOps has supported symbol server functionalities for a considerable time, making it straightforward to add steps in your build process for indexing your source code. This capability enables you to publish your .NET libraries to either an internal or public NuGet feed and facilitates stepping into the original source code for debugging directly within Visual Studio.

Always use rebase when you pull in Git

Sun, 31 Dec 2023 06:00:00 +0000

I have always suggested people to only use rebates when you pull changes from the branch you are working on in git. And this because, actually, using merge will make your repository history a mess.

For a lot of years, this kind of suggestion was not so common. I’ve always looked at the teams happily used merge and then complain about how difficult is to read the story of the repository. At a certain moment, get added a nice option that changed the default strategy of reconciled modification when you pull. And instead of using standard merge, you can configure to use rebase.

Streamlining Cloud Deployment: Azure DevOps and AWS Integration Strategies

Thu, 14 Dec 2023 08:50:42 +0000

Let’s assume we need to deploy in a cloud environment and prefer not to install an agent on each physical environment. For example, managing numerous agents across multiple virtual machines becomes cumbersome from an Azure DevOps standpoint. While we can surely create an environment for each distinct installation, usually this create some burden administrating the agents.

In such a scenario, the optimal approach is to create simple PowerShell or Bash installation scripts that will be distributed along pipeline artifacts. These scripts simply will deploy artifacts in local machine without need of an agent. The only challenge that remains is how to transfer the pipeline artifacts and scripts to the target machines.

Running GitVersion in Azure DevOps pipeline with dontet tool

Mon, 11 Dec 2023 10:00:42 +0200

For me, running GitVersion as part of a Pipeline is a golden standard. I barely remember a pipeline that does not use GitVersion as first task. The reason is simple, it allows me, at least, to give a better naming to build names. Instead of having meaningless date base number I have a semantic build that immediately gives me the idea of what was built.

At least GitVersion can give a better name to a build, so why not using it?

Introductory video playlist about Semantic Kernel RC

Mon, 11 Dec 2023 06:00:00 +0000

Semantic Kernel reached Release Candidate and there are some breaking changes from the latest beta. For this reason I re-recorded a series of video I’ve planned a couple of week ago with all examples updated to RC3.

Here is the list on my youtube channel: Semantic Kernel Playlist

Call python function from C# - How you can call python code from C# to simplify interaction with LLM or other Models
Using new Handlebar templates - How to interact with a LLM (GPT in this example) with classic chat mode
Create plugins in C# - How to Create plugin in C# and call directly through kernel object
AutoPluginInvoker capabilities - Let Semantic Kernel automatically invoke plugin if needed during your chat interaction with GPT

All the videos are in my youtube channel.

Azure DevOps: Checkout specific branch to avoid gitversion errors in pipeline

Thu, 16 Nov 2023 00:00:00 +0000

If you create a new Azure DevOps Pipeline and include running GitVersion, sometimes you may encounter an error like the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24


INFO [11/15/23 19:00:57:95] Begin: Calculating base versions 
INFO [11/15/23 19:00:57:96] Begin: Attempting to inherit branch configuration from parent branch 
INFO [11/15/23 19:00:57:97] End: Attempting to inherit branch configuration from parent branch (Took: 3.55ms) 
INFO [11/15/23 19:00:57:97] End: Calculating base versions (Took: 12.03ms) 
ERROR [11/15/23 19:00:57:99] An unexpected error occurred: 
System.NullReferenceException: Object reference not set to an instance of an object. 
at LibGit2Sharp.Core.Handles.ObjectHandle.op_Implicit(ObjectHandle handle) in 
/_/LibGit2Sharp/Core/Handles/Objects.cs:line 509 
at LibGit2Sharp.Core.Proxy.git_commit_author(ObjectHandle obj) in /_/LibGit2Sharp/Core/Proxy.cs:line 289 
at LibGit2Sharp.Core.LazyGroup`1.Dependent`2.LibGit2Sharp.Core.LazyGroup<T>.IEvaluator<TInput>.Evaluate(TInput 
input) in /_/LibGit2Sharp/Core/LazyGroup.cs:line 88 
at LibGit2Sharp.Core.LazyGroup`1.<Evaluate>b__6_0(T input) in /_/LibGit2Sharp/Core/LazyGroup.cs:line 36 
at LibGit2Sharp.Core.GitObjectLazyGroup.EvaluateInternal(Action`1 evaluator) in 
/_/LibGit2Sharp/Core/GitObjectLazyGroup.cs:line 20 
at LibGit2Sharp.Core.LazyGroup`1.Evaluate() in /_/LibGit2Sharp/Core/LazyGroup.cs:line 34 
at LibGit2Sharp.Core.LazyGroup`1.Dependent`2.Evaluate() in /_/LibGit2Sharp/Core/LazyGroup.cs:line 80 
at LibGit2Sharp.Core.LazyGroup`1.Dependent`2.get_Value() in /_/LibGit2Sharp/Core/LazyGroup.cs:line 73 
at LibGit2Sharp.Commit.get_Committer() in /_/LibGit2Sharp/Commit.cs:line 87 
at GitVersion.Commit..ctor(Commit innerCommit) in 
D:\a\GitVersion\GitVersion\src\GitVersion.LibGit2Sharp\Git\Commit.cs:line 17 
at GitVersion.Commit.<>c.<.ctor>b__3_0(Commit parent) in 
D:\a\GitVersion\GitVersion\src\GitVersion.LibGit2Sharp\Git\Commit.cs:line 16 
at System.Linq.Enumerable.SelectEnumerableIterator`2.MoveNext() 
at System.Linq.Enumerable.Count[TSource](IEnumerable`1 source) 

When executing get version within a local directory, the operation typically proceeds without issues. However, complications can arise during the Azure DevOps pipeline process.

Azure DevOps: Script Caching in Azure DevOps

Mon, 30 Oct 2023 08:00:42 +0000

I’m authoring a release pipeline in Azure DevOps on an AWS ARM linux machine, I’ve installed the agent and created the script. The pipeline uses artifacts produced by another build pipeline and depends on a git repository that contains script. Here is how resources are declared in the pipeline.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12


resources: 

 pipelines:
 - pipeline: UniqueHost
 source: Publish-UniqueHost
 branch: master

 repositories:
 - repository: JarvisSetupScripts
 type: git
 ref: feature/AWS
 name: JarvisSetupScripts

Usually the question is: why you store scripts in another repository?. The classic approach is writing release scripts inside the very same repository as source files, then include release script inside the build so release pipeline depends only on one or more pipeline. Personally having the script in a different repositories easy script authoring, because you can simply modify the script, push, and then immediately re-trigger the pipeline to verify that everything is working as expected.

Pills: Install release agent in ARM machines

Fri, 27 Oct 2023 09:12:42 +0200

With Azure Devops Environments you can register Virtual Machines with a dedicated agent that is capable of releasing your software. The procedure is simple, just create an environment, and a VM resource, and you are greeted with a minimal UI that let you choose configuration.

Figure 1: Configuring an agent for Azure DevOps environment

As you can see it just require you to select the operating system then you can copy in clipboard a simple script that you can execute in all machines you want to add in an environment. You need to have sudo rights to execute the script but running on ARM machine I got this.

Pills: Identify nuget packages with vulnerabilities

Fri, 27 Oct 2023 08:10:42 +0200

Managing references is easy with Nuget, however, from a security standpoint, it’s not straightforward to ensure your project’s security by upgrading vulnerable references. GitHub Dependabot does an excellent job flagging vulnerable references, and the entire GitHub ecosystem has a strong emphasis on security. This empowers developers to handle security in the packages they produce.

Recently, Visual Studio introduced a feature that immediately warns you if a package in your solution is insecure. You can also filter your installed packages to display only those with vulnerabilities.

Debugging Production Issues with Dump Files and Visual Studio

Tue, 19 Sep 2023 15:45:18 +0200

Sometimes, you may encounter a problem in a production environment, such as a service that suddenly starts consuming a significant amount of RAM and CPU. In the past, I’ve seen people attempt to install Visual Studio on a production server to debug the issue directly, instead of relying on logs or other techniques. However, there’s a better approach: creating a dump file of the problematic process from the Task Manager. You can just right-click the process on Task Manager and request a MiniDump.

Azure DevOps: delete all unstable version of packages in feeds

Fri, 08 Sep 2023 08:00:00 +0200

Azure DevOps has a dedicated section for artifacts that allows you to store NuGet, NPM feeds, and more. Thanks to its integration with pipelines, very often, automatic pipelines are generated that publish packages with every commit in the repository. This way, we have the opportunity to have all versions for all dev branches.

This approach is needed because the usual flow when you develop a new feature in a package is the following:

Modifying Azure DevOps Pipeline Decorators with Bing Chatbot Assistance

Tue, 29 Aug 2023 16:12:42 +0200

In the past, I’ve discussed using pipeline decorators to clean up build folders. Recently, I faced a challenge where I needed to modify my decorator to run only if there was a .git folder. To save time, I used Bing Chatbot, which leverages GPT powerful LLM and can search the internet to find latest contents, making this kind of problem-solving a breeze.

Remove submodule completely from your git repository

Mon, 28 Aug 2023 08:00:00 +0200

I have a project that uses git submodules in the past then they are removed long time ago, no-one had problem but I’ve noticed that Visual Studio had some strange warning during the build.

1

warning : Could not find a part of the path 'C:\develop\xxx\submodules\jarvis.catalog\.git'. The source code won't be available via Source Link.

It seems that Visual Studio Integration with Git still found information on submodules and tried to check something in corresponding folders. I’m not sure that this warning was present since we removed the submodule, it seems more that some settings changed, but nevertheless we still have some information in our repository pointing to old, not used anymore submodules..

Azure Pipelines starts failing indexing symbols

Mon, 31 Jul 2023 08:10:42 +0200

A build in Azure Devops recently started to fail during the index symbol task. The error wasn’t immediately clear. The error messages are really not informative, One such message was, “Request ed7b95f6b6f439e769a3e85422b7172be872403388fae1974fb4233dfd13da66 is sealed. Only expirationDate may be modified.”

Honestly, this error didn’t tell me much. My general advice when facing such perplexing errors is to examine the entire log. Given the vast size of the log, it’s wise to start with the most common areas where useful information can be found. In the case of most .NET-related tools, I began by inspecting what appeared to be a stack trace. A stack trace in the log often indicates something has gone wrong.

Resolving Credential Conflicts in Git

Fri, 21 Jul 2023 08:10:42 +0200

Have you ever found yourself being asked to select a GitHub account every time you make a push? This is often due to multiple access tokens being stored in your Windows credential manager.

The Git Credential Manager can become confused when it doesn’t know which account to use. It’s only option in these situations is to ask you which of the stored credentials it should utilize.

Using GitHub Command Line Tool to View Pull Request Info

Thu, 20 Jul 2023 08:10:42 +0200

For people like me who prefer using Git in the command line, there are times when I need to retrieve information about pull requests or other GitHub related tasks. For example, suppose I need to share a link to a pull request that is under review with one of my colleagues for them to comment on. Sure, I could navigate to the GitHub website, locate the repository, navigate to the pull request page and get the link. But, since I’m already in the command line, I’d prefer a faster way.

Pills: Azure Devops auto agents update

Tue, 18 Jul 2023 08:10:42 +0200

The ability to update Azure DevOps pipelines is a compelling feature, especially if you manage numerous on-premise agents. This feature eliminates maintenance issues by allowing all agents to be upgraded with just a single click.

Figure 1: One click update button

I have an agent that runs only when needed, and it’s slightly outdated. By simply clicking a button, I can prompt the server to update all the agents, and I’m sure that after seconds I’m running latest agent version.

GitHub Copilot-X in action: Steps instructions in a single prompt

Sat, 20 May 2023 07:00:00 +0000

If you look at previous post on the subject I’m experimenting with Copilot Chat to have it automate mundane, repetitive operation but that can operate on complex classes. In previous example I demonstrated how you can decompose a complex operation in multiple steps, actually guiding Copilot towards desired result.

Now the question is: Once you got it right, is it possible to use a single prompt to have desired result?

Well the answer is it depends. It is not simple because the AI needs to perform an intermediate series of steps and the result can:

GitHub Copilot-X in action: generation of test object with random data

Sat, 20 May 2023 06:00:00 +0000

In real world software you often have complex classes, in this situation we have AtomicReadmodels in a project heavily based on Event Sourcing. One challenge they present is the presence of only private setters for all properties - a necessity due to the unconventional nature of these classes, which rely on parsing domain events for property population. This results in difficulties when creating test classes in memory during unit testing, as the private setters block external code from setting properties. Reflection or usage of libraries such as Fasterflect are usually the solution but not without any annoyances.

Pills: npm private feeds and authentication

Wed, 17 May 2023 08:12:42 +0200

Have you ever encountered an issue obtaining an authentication token for your Azure DevOps npm package feed? Sometimes I got this

1
2
3


vsts-npm-auth v0.42.1.0
-----------------------
Couldn't get an authentication token for https://pkgs.dev.azure.com/prxm/_packaging/JarvisNpmGood/npm/registry/.

Private package feeds in Azure DevOps are incredibly useful, not just for Nuget packages, but for NPM as well. However you must follow the given instructions on the site to connect to your feed, and there will be times when you have to renew credentials. The problem is that npm feed in Azure Devops are usually private and under authentication/authorization. For this reason you need to install a special package to allow authentication. You can download tool here.

Unleashing the Power of Copilot in Visual Studio for Exception Handling

Fri, 12 May 2023 06:00:00 +0000

While running a program, when an exception occurs, sometimes it’s easy to figure out what caused it. Other times, it can be more complex, especially in the case of unique exceptions you might not be familiar with. Here, having Copilot chat inside Visual Studio offers an extra gear. Within the exception menu, we now have an option that allows us to ask Copilot for information on that specific exception.

Problem with Castle Windsor resolution in ASP.NET Core

Tue, 09 May 2023 09:40:00 +0200

Castle Windsor is a beautiful library for implementing inversion of control, but sometimes problem arise when it is used in projects that start with Full Framework and must be converted to ASP.NET Core during their lifetime. To make this work, an interdependency library is typically used to allow ASP.NET Core infrastructure to resolve dependencies using Castle. This approach helps avoid issues when replacing Castle with other libraries, since Castle is both powerful and complex, allowing for many customizations in dependency resolution. Since it’s not always easy to remove it and make room for new libraries the usual solution is to keep using Castle Winsor.

GitHub Copilot-X in action: simple code conversion

Tue, 09 May 2023 06:00:00 +0000

New Copilot X from GitHub is the next big thing for programmers, because it brings the power of copilot to the next level. Actually I’m testing the integrated chat in Visual Studio and Visual Studio Code. The tool is not always perfect, but we really need to understand how and where to use it to gain maximum advantage.

We often encounter conversion operations that are very mechanical, boring, and prone to errors due to their repetitiveness. When programming, we are very focused when doing something interesting, but when we perform simple operations, such as trivial conversions, we often make mistakes because our mind is elsewhere. Consider the following situation: you have an aspnet core controller that needs to be converted to a server-side Blazor component.

Pills: Maximizing the Power of Tags in Azure DevOps

Mon, 08 May 2023 08:10:42 +0200

In Azure DevOps, using tags allows you to easily classify work items. Rather than using additional process fields, tags offer a high level of classification ease because any team member can add a label to a work item.

In effect, the result is the ability to create a horizontal taxonomy that’s common to all work items and likely common to all team projects, enabling efficient filtering and categorization of Work Items.

Using GPT-4 to Create a Small Software Project from Specification

Sun, 16 Apr 2023 06:00:00 +0000

As a programmer, I often find myself seeking ways to expedite the initial stages of a software development project. GPT-4 has become a valuable tool in this regard, as it can help generate the foundational code for a new project. By leveraging the power of this advanced AI language model, I can significantly reduce the time and effort required for setting up a project, thus allowing me to focus on more complex aspects of the development process.

Troubleshooting GitHub Codespaces PGP Signing Problems

Thu, 13 Apr 2023 06:00:00 +0000

If you use GPG keys to verify your commits, you’ll be glad to know that in GitHub Codespaces, signing is done automatically. All you need to do is configure the settings in your account, and a key will be injected into your Codespaces. As a result, every commit you make in your Codespace will be automatically signed and verified.

Figure 1: Configure PGP in codespace

Simplifying Library Debugging with Azure DevOps Symbol Server

Tue, 21 Mar 2023 08:00:42 +0000

When developing a code library, it is good practice to publish it on a package manager like NuGet. A common objection to this approach is that using a library published as a package can make it difficult to debug the original code. However, this is not a significant issue as it encourages you to write unit tests within the same project in which you develop your library, ensuring that the library is well-tested and free of regressions. Nevertheless, there are times when it is convenient to debug the source code of the library while using in a real project. This is true especially for complex libraries where it is difficult to create unit tests that covers all options.

More secure Azure DevOps Pipelines API connection thanks to OAuth Tokens

Sun, 19 Mar 2023 07:12:42 +0200

In a previous blog post, I discussed how to reschedule the check of a pull request using a simple PowerShell script within an Azure DevOps pipeline. This time, I’ll explain how to avoid using Personal Access Tokens for authentication and switch to a more secure alternative.

The issue with Personal Access Tokens is that they are bearer token, which means if they’re lost or accidentally leaked in logs, anyone with access to the token can use it to access your services. To address this problem, it’s better to use a specific Personal Access Token with the minimum required scopes. For instance, if you only need to reschedule Pull Requests checks, grant the token only pull request and build access. This limits the potential damage if the token falls into the wrong hands.

Azure Devops Api - Automatically Re-Queue Pull Request Checks

Tue, 07 Mar 2023 07:12:42 +0200

In previous post on this subject Reschedule PR Check with API I’ve demonstrated a simple PowerShell api script that can automatically re-queue all checks for Opened pull Requests where the check is expired. The problem is: you need to schedule this script to run.

Actually the easiest way to schedule running a script that uses API is using a standard pipeline. Give the ability to run whenever the target branch changes it is the best choice. Since develop is my usual target branch for Pull request I left a CI trigger for changes in develop branch as well as some scheduled run (to include other non usual target branches).

Azure Devops Api - Re-Queue Pull Request Checks

Tue, 21 Feb 2023 07:12:42 +0200

Pull Requests checks are a perfect gate to keep your code quality High. The easiest way to perform a check is to do something inside a standard pipeline and then use that pipeline in branch policies. This will allow you to prevent people to push on the main develop branch (main/master/develop) and be forced to do a pull request against that branch and wait for the checks to complete.

Remember that checks on a Pull Request actually runs on the result of the merge between source and target branch.

Azure DevOps: importance of stable tests in pull requests

Wed, 01 Feb 2023 07:00:42 +0000

Pull Requests are the heartbeat of a project, and it is probably one of the reason to move to Git if you still are in a different source control. Actually a Pull Requests introduce this enormous advantage in a team

You know when a feature/bugfix branch is ready to be inspected by the team
A single place of discussion
Automatic Merge and tests run on merge result
Etc.

Actually you have a lots of other advantages, but I want to concentrate the attention on test run. A good and healthy project contains Tests: Unit, Integration, Ui, etc, and usually after years running the entire suite is time consuming. This lead to an antipattern, where developers does not run all the tests before committing, but usually runs only a subset of tests, to verify new code.

Azure DevOps: pipeline permission to use an agent pool

Wed, 25 Jan 2023 07:00:42 +0000

Scenario: We created a new Agent Pool in Azure DevOps called “linux” and we added some docker based agents, and finally we add this new pool into the available pool for a couple of builds. To verify that agents can indeed run the builds we scheduled run onto this new pool but pipeline execution failed. The error is depicted in Figure 1

Pills: Conditional Pipeline decorators

Tue, 17 Jan 2023 00:12:42 +0200

Pipeline decorators are a really peculiar feature of Azure DevOps, because they allow you to specify a series of tasks that are run for EVERY pipeline in your organization, so they are rarely needed, but nevertheless they are a nice tool to know because there are situation when they are useful. Moreover, in latest Sprint 194 update they are expanded to support new functionalities, like running before or after specific tasks.

Develop locally with GitHub Codespaces and Hugo

Thu, 12 Jan 2023 08:00:00 +0200

I really love Using Hugo and Codespaces to write blog posts, I’ve a really better blogging experience than wordpress, because I have a simple blog, quick to load, no frills no fuzzes, just a simple blog. Using Codespaces is really nice experience and I really never wrote a blog post in my Windows machine until yesterday.

Yesterday I simply opened my blog repository inside a local instance of Visual Studio Code, but I had a nasty surprise when I tried to start hugo server.

Pills: Backup your Azure DevOps server

Sat, 31 Dec 2022 07:10:42 +0200

Some days ago I got a call from a friend at customer site that experiences some problems with Azure DevOps server. The symptoms are strange server starts to become unresponsive, it is not possible even to login with Remote Desktop, it seems that there is some memory problem.

Being unable to diagnose by telephone the problem I suggest them to disable search services, sometimes it can happen that elastic search services consumes too much ram, since I did not have any other data, I suggests rebooting the machine forcibly from virtualization system and immediately connect with remote destop and disable elastic search service then try to better diagnose the problem.

Azure DevOps: check typescript linting for a Pull Request

Fri, 30 Dec 2022 07:00:42 +0000

Pull Requests is the moment when new code undergo formal review to verify that it mets the basic quality requirement decided by the team. Most of the work can be done automatically, thanks to Azure DevcOps pipeline and various tools.

Some of the checks can be fully automated by special addin, like integration with SonarCloud so you basically does not need to do anything and you have some nice checks done to new code during PR. Sometimes you want to run custom code or checks, and it is really simple to do with few powershell lines and pipelines.

Pills: Azure Devops pipeline Counters

Wed, 21 Dec 2022 08:10:42 +0200

Sometimes you need to have a unique number in your pipeline, usually this is needed to generate a unique version number as an example for publishing NuGet packages and avoid conflict. If you use Git (and there is no need to not use it) you can use GitVersion to generate a unique semver version number that is unique for each build. But if you are not using Git and GitVersion, or if you need to rebuild the same commit and have a unique version for each run, regardless of the commit you can use a Counter.

Pills: Azure Devops pipeline demands

Mon, 19 Dec 2022 08:10:42 +0200

Situation: You are waiting a pipeline to run, you view at the agent pool queue and notice that some of the agents are in idle, they are not running any pipeline, yet you have run that are waiting in queue.

You can have basically two reasons: the first one is you reached maximum number of parallel pipeline that can run on the pool, the second one is that the pipeline has some demands that are not satisfied by idle agents. Troubleshooting demands can be annoying, but basically it is just matter of verifying the tasks that are present in the pipeline and check if all agents have required demands.

Azure DevOps Server: restart upgrade wizard

Fri, 16 Dec 2022 06:00:00 +0200

There are lots of reason why you have an on-premise installation of Azure DevOps, and if you manage it, you must devote some time to keep it upgraded to the latest version.

Keep your Azure DevOps server instance up to date constantly to avoid too big updates.

Upgrade procedures are really simple, you just launch the setup.exe from the latest version and follow the wizard. Actually not every person knows that the upgrade is basically a set of steps.

Azure Devops Api - Export Work Items

Sat, 26 Nov 2022 07:12:42 +0200

One of the most common scenario where Azure DevOps API shine is exporting data into some other db/file. There can be lots of legitimate reason why you want to export data: Custom Reporting, Custom Analysis, put everything into a file/database to perform offline query on your data outside Azure DevOps interface.

In previous parts we already saw how to connect to the server and how to check if credentials are ok; if we want to interact with the various part of the server you need to get an instance of appropriate client class. In sample code, once connection is estabilished, ConnectionManager class is used to obtain an instance of WorkItemTrackingHttpClient class, using GetClient() method of VssConnection.

Azure Devops Api - Detect if credentials are ok

Sat, 19 Nov 2022 07:12:42 +0200

In previous article of the series I’ve played with Azure DevOps api connection showing how you can use a .NET 4.8 full framework application that can login to Azure DevOps with a token or with an interactive login.

When you use interactive login, usually Windows operating system will retain credentials in credentials store, this will avoid asking for credential every time the application is run. The code that perform the check is really simple, it just check if _vssConnection.AuthorizedIdentity.DisplayName is not “anynymous”. This happens because the real credential check is done usually when you perform some real query, and not only the connection.

Quickly create a test instance of KeyCloak in Azure Services

Mon, 07 Nov 2022 21:00:37 +0200

Keycloak is a leader in the landscape of Identity Provider and if you need a quick instance for dev testing, you can spin an instance in Azure App Services in less than a minute.

First of all creates a new Azure App Services and choose to use Docker

Figure 1: Create a docker based app service.

Now you can simply choose the image you want to run, jboss/keycloak is perfectly ok for my scenario.

Azure Devops Api - Connection

Sat, 05 Nov 2022 07:12:42 +0200

Quite often people asks me how to interact programmatically with Azure DevOps server, main purpose is retrieving data for custom reporting but also interacting with Work Item store etc. Luckily enough, all Azure DevOps functionalities are exposed via API, so you can write small programs to automate mundane tasks and obtain what you need.

In this post I’ll show how to setup the project in .NET and how to connect to the server. The example can be found in GitHub.

Configure Data Protection API in .NET Core

Thu, 03 Nov 2022 16:00:30 +0200

Asp.NET core and .NET core comes with a nice interface to handle encryption, as documented here. Now my goal is configuring data protection api for multiple instance of a software, so we need to share keys in a shared location and at the same time keep them secret. Luckily enough .NET core already has everything we need.

The overall solution will need two parameter to our program, Folder where to store keys and a certificate thumbprint to protect the keys. In my scenario I want to use Self Signed Certificate, because I’m not using TLS or other form of server side encryption, I only need an extra layer of protection to allow reading keys only from machines that have my certificate installed. First of all I need some code to generate a Self Sign Certificate, to simplify installation I simply want IT guy to use swagger interface to generate a self signed certificate and then install in all the machine he/she needs.

Pills: Visual Studio lost access to authenticated Nuget feed

Mon, 26 Sep 2022 08:12:42 +0200

The symptom is simple, you have a solution that uses some authenticated Nuget feed, like those hosted on Azure DevOps, suddenly Visual Studio stops authenticating and get a 401 error, or simply does not show any version of packages.

This is a problem that happens to some person recently and today was my turn. I have a build that published another version of a package to a private Azure DevOps feed and after publishing a new version, I start searching for that new version Visual Studio “manage nuget packages” but have no result. The thing that makes you understand that you have a major problem is that VS does not list any version except the one installed

Pills: Git command line failed to authenticate against Azure DevOps

Sat, 27 Aug 2022 07:10:42 +0200

Sometimes it just happens, you issue some Git command and you found that Azure DevOps deny Authentication, and it does not prompt for new credentials, so you are just stuck not being able to access your account anymore.

Figure 1: Git authentication failure

As you can see in Figure 1, you got an Authenticaiton Failed error, and you are not prompted for new credentials. Azure DevOps uses Personal Access Token to give access to Git, and this is done with an automatic procedure triggered by command line. In Figure 2 you can see Credential Manager Windows that appears the first time you are connecting to an Azure DevOps server.

Pills: Azure Devops artifacts retention policy

Mon, 08 Aug 2022 08:10:42 +0200

When you use extensively Azure DevOps feeds, you will end with lots of small project that automatically publish packages at each build. I have projects where each commit will publish a package thanks to GitVersion that generates a unique number for each build. This will end in a situation where thousands of packages are generated and uploaded to Azure DevOps.

In Feed settings page you have a retention policy that will automatically deletes old packages but keep those ones that are recently used, to avoid removing a package that is still in use.

Accessing Office 365 with IMAP and OAuth2

Mon, 01 Aug 2022 10:13:30 +0200

The situation

I’ve had the need to upgrade some code that uses IMAP folder to download email, and it uses sometimes Office365 accounts, but Microsoft will remove in the future basic auth as described here in favor of OAuth2 based authentication. This is a good move because Basic Auth is not really secure, and with modern authentication and OAuth2 you can force two factor auth and other more secure login alternative.

Azure DevOps: Conditional variable value in pipeline

Tue, 21 Jun 2022 08:00:42 +0000

Let’s examine a simple situation, in Azure DevOps you do not have a way to change pipeline priority, thus, if you need to have an agent always ready for high-priority builds, you can resort using more agent Pools. Basically you have N license for pipeline, so you can create N-1 agents in the default Pool and create another pool, lets call it Fast, where you have an agent installed in a High Performance machine. When you need to have a pipeline run that has high priority you can schedule to run in Fast Pool and the game is done.

Azure DevOps: complete Pull Requests via web interface

Tue, 31 May 2022 06:00:00 +0200

Pull Requests are the Heart Beat of your code, you have a request/bugfix/feature in a form of work item, the team start a branch, write code, then when the code is finished a Pull Request is opened to ask the team for review before the code is merged into the stable branch and goes to production. When you deploy regularly your product in an automatic way, you need to minimize the risk that new code can break existing one and having other members of the team to review the code increment, is an invaluable feature. Also Pull Requests can include discussion about code increment, so you can examine that discussions in the future when you wonder why a piece of code was written in that specific way, and why.

Tutorial: Programming Playstation 2

Wed, 25 May 2022 05:00:00 +0000

Looking in old backup and old disk can be a dive in the past, you found old stuff like articles tutorial and yesterday I stumbled on my old tutorial on Playstation 2. There were a time when I was really interested in Computer Graphics, and I had a Playstation 2 Linux kit that a dear friend of mine gave me. The kit was really interesting because it allows you to play with a nice and pretty architecture for the time. The kit was somewhat limited but thanks to the community you have some kernel libraries that allows you to have a direct access to DMA and to all units in the PS2.

Case insensitive key dictionaries and MongoDb C# serializers

Wed, 18 May 2022 08:00:00 +0200

First of all, every C# programmer should know that Dictionary<Tkey, Tvalue> class (as well as other collections) have a special constructor that can be used to specify the serializer used to compare keys in the dictionary. The most obvious situation is where you have a string key and you want the dictionary to be case insensitive during key search.

1
2


 public SortedDictionary<string, StringProperty> StringProperties { get; private set; } 
 = new SortedDictionary<string, StringProperty>(StringComparer.OrdinalIgnoreCase);

The above code is inside a class where I need to keep a dictionary of StringProperty class, using a Sorted dictionary where the key must be case insensitive. This allows me to write code like this

Developers and TLS what could possibly go wrong

Sat, 30 Apr 2022 08:13:30 +0200

The problem of not using TLS in developer machines

Lots of time ago, at the time Windows Communication Foundation was a thing, there were good automatic protections by Microsoft that prevent passing credentials in clear text over an unencrypted (non TLS) channel. I was amazed by the number of solution you can find in the internet that to solve the problem suggests to developer to create an unsecure channel that does not perform this check, allowing for clear text credential to be sent in a standard HTTP channel.

How to handle certificate error in dotnet WebClient object

Fri, 18 Mar 2022 08:14:37 +0200

The situation

This is a simple scenario: I use a WebClient object in .NET to perform some web request to a target web site, everything went good except when the code runs in Xamarin Android, where it throws an exception in https connection. This is usually a puzzling moment, because I’m simply doing an HTTP GET request of a page, everything works outside Xamarin where all I got in response is an error telling me that the certificate is not ok.

Elasticsearch and weird unicode char

Sat, 26 Feb 2022 06:00:00 +0200

Scenario: you have a software where you have a standard search made in UI for data in a board, then you need to move the search server side (due to the increasing number of object in the board), so you switch to ElasticSearch to have nice full text functionalities. Then you have an exact request: Does ElasticSearch supports searching with Unicode chars? The answer is yes, but then you find that users complains about not being able to search with Unicode chars.

Clone a simple dashboard with API in Azure DevOps

Fri, 11 Feb 2022 07:12:42 +0200

If you work in Scrum, being able to visualize data on current and past Sprints is an invaluable way to keep track on team improvement. Azure DevOps allows you to create Dashboards to visualize interesting metrics, but actually you do not have a way to create Dynamic Dashboards, I.E. a Dashboard that allows you to specify a parametric query so you can, for example, change the iteration and view how the data changes.

Symbol server made easy with Azure DevOps

Sat, 05 Feb 2022 08:13:30 +0000

I’ve blogged in the past about symbol server, to recap here is the scenario.

In your organization you have some sort of common .NET code that is shared between projects, but you have to face and resolve some problems.

How to compile dlls
How to distribute dlls
How to make debugging easier for the user of the dll.

We have clearly some standard solution for all the parts.

Compiling dll

You MUST compile dll in a build server.

GitHub issue templates

Sat, 22 Jan 2022 08:00:00 +0200

After Microsoft acquisition of GitHub there is some bit of confusion on what to use: Azure DevOps or GitHub for your new projects? Actually the answer is somewhat complex, but the most honest response is to use whatever of the two you find more adherent on how you work.

The most different part is the issue/board part, because they are very different on the two products, with very different capabilities and very different basic concepts. While Azure DevOps enforce a complex tracking with explicit WorkItem types and custom fields, GitHub does use a flat approach to the problem using only Issues with labels and few fields.

GitHub actions templates

Fri, 07 Jan 2022 08:00:00 +0200

GitHub Actions are closing the gap with Azure DevOps pipelines day by day, one of the features introduces months ago was Action templates, the ability to re-use actions definitions between repositories. You can read all the detail in Official GitHub documentation.

Templates are really useful because usually, in one organization, you tend to use a restricted set of technologies with the very same set of actions to perform to build and release the code. You already know that I’m a fan of build in PowerShell or other scripting engine, but for simple project, you can simply rely on GitHub actions without resorting to any scripting language.

Azure DevOps: run test in PowerShell and publish results

Sat, 01 Jan 2022 07:00:42 +0000

Creating full build in PowerShell has lots of advantages because you can simply launch the script and having the build run in any environment. This simplifies tremendously debugging build scripts and moving Continuous Integration from one engine to other (Ex from Azure DevOps to GitHub actions).

Clearly you need to thing in advance how to integrate with your current CI engine because usually you will need to communicate information to the engine.

GitHub Security enforcer action

Fri, 10 Dec 2021 08:00:00 +0200

GitHub takes security seriously and gives you some nice capabilities to improve security of your code through all its lifecycle. GitHub actions can be used to automatically run a security code analysis in your repositories, a task that should be run for all of your repositories in your organization.

Security scanning should be enabled on all repositories

Some days ago in a GitHub blog post a new action was announced called Advanced-Security-Enforcer that is aimed to automate the task of adding GitHub Workflow to perform code analysis.

GitHub Actions permission settings

Sat, 27 Nov 2021 06:00:00 +0000

Continuous integration is absolutely vital for a healthy software project, but in many situation people gave little attention to security. If you are running CI workflows in your machine where you control the code that is build and every script that is run by CI engine, you are pretty fine. In that scenario an attacker should take control of your code to run some malicious script during a CI run, but if you are using a third party task/extension/action, the situation is different.

TryHackMe Writeup: Daily Bugle

Sat, 20 Nov 2021 08:13:30 +0200

Security is one of my side passion on computer engineering, and if you also like security, Try Hack Me is a nice place to keep under your radar. This morning I had some fun with Daily Bugle machine so I decided to publish my raw writeup.

Scan the machine

A standard NMap reveals ssh and port 80 opened hosting a nice joomla web site. If you do not want to be especially stealthy, you can let nmap test for vulnerability with standard script, nothing special.

Pills: Pipeline decorators

Sat, 20 Nov 2021 08:12:42 +0200

IIS cache management for static files

Tue, 16 Nov 2021 20:13:30 +0000

We have an application with ASP.NET web api plus an angular frontend and we use a client library for translation that is based on plain json files hosted on the server. We have a problem with new releases, because some clients are needed to force cache clear in the browser to see the new translated terms, basically it seems that the browser is using older files and not the new ones.

Azure DevOps Pills: Pull request template

Sun, 14 Nov 2021 08:12:42 +0200

Azure DevOps is a really big product and sometimes there are really useful features that are poorly publicized and goes under the radar. One of these is Pull Request Templates, a really useful feature that allows you to specify markdown template for your pull requests.

I do not want to go into technical details, you can find all instructions in official documentation but I’d like to point out why this feature is so useful.

Azure DevOps: Azure File copy troubleshooting

Wed, 20 Oct 2021 07:00:42 +0000

If you need to copy files in a Azure Blob or in an Azure Virtual machine within a Azure DevOps pipeline, Azure File Copy Task is the right task to use, but sometimes you could find some problem that make it fails. In this post I’ll state some common errors I found using it and how to solve.

Wrong number of arguments, please refer to the help page on usage of this command

If you specify additional command to the task you can have this error, actually I was not able to fully troubleshooting the reason, but I discovered that version 4 of the task is somewhat erratic, so it is really better using version 3 that seems to me really more stable.

Determine version with GitVersion for a Python project

Sat, 04 Sep 2021 08:00:00 +0200

Project used for this example can be found in GitHub.

In GitHub actions you can use .NET based tools, both in Windows and in Linux machines, to accomplish various tasks. I’m a great fan of GitVersion tool, used to determine a semantic versioning based on a Git repository that uses git-flow structure. Another nice aspect is that GitHub action machines based on Linux comes with PowerShell core preinstalled, so I can use actions that comes from PowerShell gallery without any problems … errr.. almost.

Analyze Python project with SonarCloud and GitHub

Sat, 28 Aug 2021 08:00:00 +0200

SonarCloud is free for Open Source projects, and for languages like Python, that does not need compilation, it can directly analyze the repository without any intervention from the author. This feature is automatically enabled when you setup your Project in SonarCloud and it determines that you have not compiled language.

Figure 1: Analysis configuration shows that in this project we have CI analysis

Configure Codespaces for Python projects

Thu, 26 Aug 2021 08:00:00 +0200

One of the great advantage of Codespaces is the ability to preconfigure the environment so you do not need to waste time installing and configuring your toolchain. Python is a perfect example of this scenario, I’ve a small project to generate Git Graph Representation and since I’m not a full time Python developer, I’ve not it installed and perfectly configured in all of my environment. Also I primarily work on Windows, so Codespaces allows me to test everything on Linux with a single click.

Generate Git graph with Gitgraph.js and Python

Tue, 24 Aug 2021 08:00:00 +0200

GitGraph is a nice library to create a graphic representation of Git log and the really nice aspect is that it is widely used and produces picture that are easily recognized as Git History. It can basically work in many ways, but the easiest is importing commit as json in an HTML page.

Thanks to very few lines of Python code I realized a simple POC that is able to use git log to extract log as json then create an html page with extracted json that renders a simple png with the full history. You can find the project in Github and it is really simple to use (just read the readme).

Configure Codespaces for a real project

Fri, 20 Aug 2021 08:00:00 +0200

In previous post I explored the many advantages I’ve found using GitHub codespaces to author blog posts directly in a browser. That example was surely too simple, after all a hugo blog is just markdown, but nevertheless Codespaces allows me to configure my environment with great easy.

You can follow the guide on the official link but here is a quick summary on how I configured my codespaces for my blog. First of all you can directly add a configuration file inside codespace

Use GitHub codespaces to author blog post

Thu, 19 Aug 2021 08:00:00 +0200

The scenario

I played a little bit with GitHub Codespaces when it was in preview, now it is time to try to use it real activities to understand scenarios where it can be useful.

To have a real test you need to setup a goal to verify if the tool is capable of reaching that goal, and if it is an advantage over existing tool. My first goal is being able to write Blog Post in hugo with GitHub Codespaces and being able to determine if it is more productive than running a standalone local version of Visual Studio code.

Choose environment from branch in GitHub action

Wed, 18 Aug 2021 08:00:00 +0200

I have a friend that asked me how to choose an enviroment in a GitHub action based on the branch that triggered the action. Usually Environments are used in a sort of Promotion mechanism, where you start deploying on Test, then you have a manual or automatic approval to deploy on staging and finally to production. Even if this is a textbook scenario sometimes you need to create a simple sequence of steps to deploy your software in an environment and you want to choose environment based on branch. If you deploy master you deploy on production, if you deploy develop you deploy test.

Fine control of compression level in 7zip

Tue, 10 Aug 2021 20:00:00 +0200

Even if 7zip is not a real DevOps argument, it is really interesting in the context of a build pipeline and artifacts publishing. AzureDevops Pipeilne and GitHub actions have dedicated actions to upload artifacts to the result of the pipeline/action but I often do not like this approach. Even if you can download everything as a zip, I like to create different archives before uploading, for at least two reasons

Passing boolean parameters to PowerShell scripts in Azure DevOps Pipeline

Sun, 08 Aug 2021 20:00:00 +0200

Let’s start from the problem, I have an Azure DevOps pipeline that calls a PowerShell script and the team needs to change the pipeline allowing a boolean parameter to be passed to the PowerShell script when you queue the pipeline. The first tentative produces this error:

1
2
3
4


C:\a\_work\56\s\build.dotnet.ps1 : 
Cannot process argument transformation on parameter 'forceInstallPackage'. Cannot 
convert value "System.String" to type "System.Boolean". 
Boolean parameters accept only Boolean values and numbers, 

The original code of the pipeline is the following one.

GitHub security scan - an example

Sat, 17 Jul 2021 15:10:00 +0200

I’ve already blogged on the security scanning capability offered by GitHub and in this post I want to give you another example on a possible output. In previous example I’ve shown a result that is quite simple the library identified a usage of ECB in AES encryption and flagged it as a wrong usage of crypto api. It is interesting but less impressive, after all it simply spotted the usage of an enum value related to a vulnerable CypherMode, something that it easy to spot.

Playing with Cryptography, Part 1

Sat, 17 Jul 2021 09:13:30 +0200

Cryptography is a fascinating subject, surely complex, but as a developer you probably have some predefined libraries in your language/environment of choice that you can use. DotNet is not an exception, so I’ve decided to create a sample repository to play a little bit with all cryptography primitives to show how easy is to use them https://github.com/alkampfergit/DotNetCoreCryptography.

This is not a tutorial, it is more a repository where I played with API to gain more confidence with .Net Core version of the API. The purpose is also to understand if you can wrap Crypto API to make them simple to use for a developer, avoiding people to use them in different ways across a same software and to make them simpler to use.

Code coverage in SonarCloud and GitHub Actions

Thu, 08 Jul 2021 19:00:00 +0200

First of all I want to thank my friend Giulio Vian for pointing me in the right direction and for its great work in TfsAggregator Action.

My problem was: I used the wizard in GitHub to create a GitHub Action definition to analyze code in SonarCloud, everything runs just fine except I was not able to have Code Coverage nor unit tests result in my analysis. With Azure DevOps actions and .NET Full Framework project there is no problem but with GH and standard Actions no result see, seems to be uploaded.

How to create a list of non upgradable software for winget

Sun, 27 Jun 2021 08:00:00 +0200

Edit: I’ve stored gist of the script here

Winget is finally here and we can, at least, using a package manager on windows to simplify application management. Everything is good, except that some packages are not ready to be upgraded. As an example in my system I have python 2.7 and 3.x, winget always try to upgrade 3.x version at each run and messed up my installation. At the end of the Nth upgrade of python my Visual Studio code was not able anymore to debug and run python.

How to resolve hostname in a WSL instance with internal IP

Thu, 03 Jun 2021 18:40:00 +0200

Edit: actually I missed that I can add mshome.net to host name to correctly identify the ip of the host computer, like suggested here

In a WSL2 instance you are running inside a Virtual Environment managed by your Windows Operating system, and the greatest advantage is the ability to work with a unified filesystem and being able to have a great communication between the two system. This is perfect but I have a small problem, if I want to use the WSL2 instance to test some software I’m developing I’d like to access services running on my host operating system.

Winget is finally a thing

Fri, 28 May 2021 10:00:00 +0200

After a really loooooong time, finally Windows has its own Package Manager called Windows Package Manager 1.0. It was firstly announced last year at build, but with 2021 build conference it was announced that it is now in version 1.0. I do not want to do a full coverage of all the features, but simply share why this is a thing.

Linux users had package managers from almost the beginning, this imply that to install all of your favorite tools, you can simply use command line to install everything. Windows was an Operating System that was not born with Command Line in mind and this reflects negatively on the experience of “new machine configuration”.

Keep MongoDb logfile size at bay

Thu, 27 May 2021 20:00:00 +0200

MongoDb is a great option for NoSql but sometimes it is installed in production forgetting some basic maintenance tasks, like managing log files. You should remember that MongoDb does not automatically rotate log files as for official documentation.

This lead to logfiles of Gigabyte size and sometimes they can even be a space problem in your installation. If a logfile is gone out of control, you cannot delete because it is in use by mongod process, so you need to ask for a manual rotate. Just connect to mongodb instance and from mongo.exe command line or any other tool you use issue this command.

Azure DevOps: Use specific version of java in a pipeline

Mon, 26 Apr 2021 17:00:42 +0000

I have lots of pipelines with SonarCloud analysis, and in the last months I’ve started receiving warning for an old version of Java used in pipeline. SonarCloud task scanner is gentle enough to warn you for months before dropping the support, nevertheless there is always the possibility that you forgot to update some agents so some pipeline starts failing with error

The version of Java (1.8.xxx) you have used to run this analysis is deprecated and we stopped accepting it.

Return value in PowerShell, a typical error

Sat, 17 Apr 2021 08:00:00 +0200

When you create a function in PowerShell you need to remember that if you write output, this will be included in the returned value. This means that if you end your function with return $something you would not get only the content of the variable $something but every output that you did in the function.

For this reason you need to be super careful not to use Write-Output, because all the output will be included in the returned value.

Continuous integration: PowerShell way

Sat, 17 Apr 2021 07:12:42 +0200

I’m a great fan of Azure DevOps pipelines, I use them extensively, but I also a fan of simple building strategies, not relying on some specific build engine.

For Continuous Integration, being too much dependent on a specific technology could be limiting.

I’ve started CI with many years ago with CC.NET and explored various engines, from MsBuild to Nant then Psake, cake etc. I’ve also used various CI tools, from TFS to AzureDevOps to TeamCity and others. My overall reaction to those tools was usually good, but I always feel wrong to be bound to some specific technology. What about a customer using something I do not know like Travis CI? Also, when you need to do CI at customer sites, it is hard to force a particular technology. It is too easy to tell to a customer: just use X because it is the best, when the reality is that your knowledge of X is really good so it is your first choice.

Hello terraform

Sat, 03 Apr 2021 07:00:18 +0200

I’m studying Terraform Up and Running book, a really good book but all the examples are for AWS. I have nothing against AWS, but I’m familiar with Azure, so I’d like to start porting some of the example of the book for Azure. While I’m not sure if I’ll keep up with the conversion, if you are curious I’ve started the work in this repository, feel free to post any correction (remember that I’m learning Terraform, I’m not an expert :))

Avoid IIS to bind to every IP Address port and other amenities

Sat, 20 Mar 2021 10:00:00 +0200

Let’s suppose you have a Microservices based solution, you have many different processes and each process communicates with standard WebAPI. The usual developer solution is using a different port for each different program, this lead to http://localhost:12345, http://localhost:12346 and so on. This is far from being optimal, because in production, probably, each service could potentially be exposed with a different hostname, something like https://auth.mysoftware.com, https://orders.mysoftware.com and so on. Another problem is that, in production, everything must be exposed with https and too many times developer are not testing with TLS enabled.

CodeQL Scanning in GitHub

Sun, 14 Mar 2021 08:00:00 +0200

As you can read directly from GitHub blog post GitHub code scanning is now available and ready to use for your repositories.

I’ve blogged in the past about code security scanning in GitHub but in that post I didn’t show what happens when analysis engine found some possible security problem in your code. When something is not ok, you can go on your Security GitHub tab to look for alerts.

Figure 1: CodeQL alert results in your repository

Sonar Cloud analysis in GitHub

Sat, 13 Mar 2021 08:00:00 +0200

Well, you know me, I like to have my code analyzed by SonarCloud when possible, and since it is free for open source, I always use Azure DevOps pipeline to automatically analyze code on each push. Now that GitHub actions are available, a good solution is to simply use GitHub actions to analyze code, without disturbing Azure DevOps.

Azure DevOps pipelines are, in my opinion, more mature than GitHub actions, but for small tasks, it is simpler to go with Actions.

Quick ftp upload of multiple files

Sat, 06 Feb 2021 08:00:00 +0200

After conversion of all of my blog posts, I have more than 1000 page to upload, and even if I left old image in original location my publish time increased a lot as you can see from Figure 1.

Figure 1: Upload time is becoming unbearable

I’ve scheduled automatic publish with GitHub Actions, but using a standard ftp action I’ve found in the marketplace, my build time increased from 5 minutes to more than one hour. Clearly this is annoying, not because I need to wait 1 hour before new post will appears in the site, but because I need to wait 1 hour to understand if something went wrong.

Moving old posts from WordPress to Hugo

Wed, 03 Feb 2021 19:00:00 +0200

It was almost one year from my switch from WordPress to Hugo and I’m really really satisfied from the result. After some months the only thing that bother me is the fact that I still need to maintain an instance of WordPress just to keep old posts. The only thing that prevented me to migrate was the loss of comments, but actually, after looking to all of my old blog posts, I’ve not such a big amount of comments that worth migrating, the only thing that is important to me is the ability to keep my old post without comments so I can get rid of WordPress. I’m sorry for all of you that spent time commenting on my blog, but migrating the comments would be a huge work.

Execute jobs depending on changed files on commit

Fri, 15 Jan 2021 17:50:42 +0000

Configuring a build to build each commit to constantly verify quality of code is usually a good idea, but sooner or after, in big solutions, you start filling pipeline queue. The main problem is that, when the team grows, the number of commits for each day of work increase and you start having problem in build queue. If build queue is more than one hour long, it is still acceptable, but if the queue is even more, it become clear that you should find a solution.

Security Onion 2020 - The hunt

Sun, 03 Jan 2021 10:13:30 +0200

I’ve done another couple of videos about Security Onion focusing on how I can use The hunt to look for anomalies in network traffic. As for the previous video I give a disclaimer: I’m not a Security Onion expert, and those video are meant to keep track of my progress and to help others to familiarize with the tool.

In first video I start from an alert from Strelka and then proceed to identify possible compromised machine in the network as well as finding external malicious IPs.

Kali Linux in Hyper-V system

Wed, 30 Dec 2020 10:00:37 +0200

Kali Linux on Windows

Most of the time a Kali Linux instance running in WSL is more than enough to have some fun in a Windows box. Using WSL is really simple but I have a couple of annoying problems that make my experience uncomfortable.

UI experience is sluggish, and annoying
I have very little control over networking.

Point 2 is the major pain point in my situation, I usually buy some inexpensive Intel i350 T2 cards on Ebay, to allow me to have at least three Network Card on my workstation. If you wonder why I like three NICs here is my typical usage pattern.

Authenticate to Azure DevOps private Nuget Feed

Tue, 29 Dec 2020 10:00:00 +0200

When you build a project that depends on Azure DevOps hosted nuget feed, usually if the feed is on the same organization of the pipeline and you are using Nuget task, everything regarding authentication happens automatically. A really different situation arise if you are using Nuget directly from Command Line or PowerShell script. A typical situation is: everything seems to work perfectly in your machine but during pipeline run you receive 401 (unauthenticated) error or the build hangs with a message like this:

Azure DevOps: Execute GitHub code analysis in a pipeline

Mon, 28 Dec 2020 08:50:42 +0000

Ok, I know that many of you are questioning: Why using Azure DevOps to analyze code with CodeQL? Using GitHub actions is the preferred way to do so why bother with running in another CI? The scenario is simple, a company has everything on Azure DevOps, it wants to retain everything there but it want to be able to gain advantage from GitHub CodeQL analysis. This scenario is not so uncommon, and you have a nice GitHub guide on how to run CodeQL code scanning in your CI System.

Azure DevOps: Convert your classic pipeline in YAML

Tue, 22 Dec 2020 18:50:42 +0000

When I teach to customer Azure DevOps pipeline, I always suggest them to avoid the classic editor and direct learn the tool using yaml pipeline; while we can agree that classic GUI based editor is simpler, it also miss many of the advantages of YAML and have limited use.

Yaml based pipeline have a lot of advantages, first of all they are included in the code (I really love have everything in my repository), you can simple copy and paste in new projects, templates are really powerful and also your pipeline definition follow your branches.

Security onion in Hyper-V

Sat, 05 Dec 2020 11:14:37 +0200

If you want to setup a real lab to test Network Security Monitor solution, like Security Onion probably you will start with some virtual machine where to install everything. While we can agree that VmWare is probably the best solution (I have a test ESXi node) Hyper-V can be a viable solution, but you need to be aware of some glitches.

Most of the information I’ve found in internet are outdated and probably not valid for Windows Server 2019, as you can see in Figure 2. Hope this post can save time to others that have my same problem.

Azure DevOps Pills: View progress in backlog

Sun, 29 Nov 2020 08:12:42 +0200

If you start managing your backlog with Azure Boards, you probably will end having Epics->Features->User stories breakdown and as manager you have a usual question to answer where are we on this epics or feature and when you expect it to be finished.

While this is not a simple question to answer looking only at the tool, you need to know that Azure Boards can give you a quick help visualizing completed work in a dedicated column.

How to handle errors in PowerShell script used in Azure DevOps pipeline

Sun, 15 Nov 2020 08:00:00 +0200

Building with PowerShell or other scripting engine is a really nice option because you can reuse the script in almost any Continuous Integration engine with a minimal effort, but sometimes there are tools that causes some headache.

I had problem with tooling like yarn and npm when they are run in Azure DevOps pipeline, the problem is that when the tool emit a warning, pipeline engine consider it an error and make the build fails. This happens usually because it is common to run PowerShell scripts in Azure DevOps pipeline with the option failOnStdErr to true

Pills: Invoke-WebRequest really Slow

Tue, 03 Nov 2020 22:12:42 +0200

There are times when using Invoke-WebRequest in PowerShell is really slow, especially compared to a direct download in a browser. The answer is as always on StackOverflow in this post but for some reason approved answer is not my favorite.

Approved solution uses WebClient, it is perfectly valid, but other answer are more correct (and have more votes). In my opinion the real solution is disabling progress.

$ProgressPreference = 'SilentlyContinue'

This usually is enough to speedup Invoke-WebRequest without changing every single call to use WebClient.

Azure DevOps Pills: PowerShell in pipeline with Linux agents

Sun, 01 Nov 2020 13:12:42 +0200

This is a really basic fact, but it is often underestimated. PowerShell core is now available on Linux and this means that you can use PowerShell for your Azure DevOps pipeline even if the pipeline will be executed on Linux machine. If I have this task in a pipeline

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


steps:
 - task: PowerShell@2
 displayName: Simple task
 inputs:
 targetType: inline
 script: |
 Write-Host "Simple task for simple stage pipeline"
 Write-Host "Value for variable Configuration is $(configuration) value for parameterA is ${{ parameters.ParameterA }}"
 Write-Host "Change Variable value configuration to 'debug'"
 Write-Host "##vso[task.setvariable variable=configuration]debug"

I can schedule the pipeline on a Linux hosted agent, and everything runs smoothly.

Automatic publish PowerShell Gallery with GitHub Actions

Mon, 26 Oct 2020 18:00:00 +0200

Publishing PowerShell helper functions to PowerShell gallery is a good solution to maximize reuse on Build and general Scripting for DevOps mundane tasks. On this GitHub repository I’ve put some simple build utilities that can be published on PowerShell gallery.

To streamline the process I’ve decided to automate publish process with GitHub actions, because this is the typical scenario where GH Actions shine. First of all I’ve reorganized my sources to create a single PowerShell file for each function, then I’ve found this excellent post that explain how to combine all files into a unique file to maximize performances.

Azure DevOps pills: Avoid triggering pipelines continuous integration with commit message

Sat, 24 Oct 2020 10:00:42 +0200

There are situation when you need to push frequently on a Git repository, a typical example is when you are authoring a yaml pipeline and you are experimenting stuff; in such a situation you modify the pipeline, push, test and go on. It is quite common to push really frequently and this usually saturate standard pipelines.

It is not uncommon to have a standard pipeline of build and test running for each commit and for each branch. In such a situation if you push too often you risk to saturate all of your build agents.

Speedup WSUS in your AD (Part 2)

Sat, 17 Oct 2020 08:00:00 +0200

After I did some maintenance on my WSUS with some tricks I still had problem, after hours of cleanup, PowerShell script stopped working and constantly gave me a timeout.

Figure 1: WSUS was unable to perform cleanup

I did not had time to investigate the issue, but I got saved in my disk a small notes I’ve found somewhere that suggested how to cleanup manually directly with SQL.

Speedup WSUS in your AD

Sun, 11 Oct 2020 16:00:00 +0200

I have a very old HP Proliant Microserver, it has 16 GB of RAM and an SSD, but it is really old, it is powered by a really old Turion CPU and WSUS is starting to becoming unresponsive. That machine act as a test domain controller for a bunch of test virtual machines, WSUS always was a little bit slow, but it worked, until few days ago, when it constantly fails to load data.

Pip and Python in Visual Studio Code

Sat, 10 Oct 2020 08:00:00 +0200

I’m not a Python expert, but I used it more often these days and I use Visual Studio Code with Python extension to author my scripts. One of the most annoying problem is receiving a no module named xxx error when you already installed that module with pip.

Figure 1: No module error when running Python code in Visual Studio Code

Code scanning in GitHub

Sat, 03 Oct 2020 08:00:00 +0200

As you can read directly from GitHub blog post GitHub code scanning is now available and ready to use for your repositories.

To enable code scanning you can just go to the security tab of your repository and choose to enable code scanning.

Figure 1: Enable code scanning

You are presented with a list of Code Scanning tools at your disposal, clearly the first is CodeQL and it is automatically offered to you by GitHub, then you can find other tool available in the marketplace

Azure DevOps Pills: Update java in agent machines if you use SonarCloud integration

Sat, 12 Sep 2020 12:12:42 +0200

If you have Azure DevOps pipelines that uses SonarCloud analyzer, you should update java version for your agents if you are using version 8 because support is going to drop.

Figure 1: Warning message for old java version installed

You have not many days left to solve this issue before your builds starts failing because Sonar Cloud analyzer will no longer work. The solution is simple, you can simply download an updated version of Open JDK in all agent machines. To check actual java version used you can simply check the JAVA_HOME capability directly in agent administration page.

Use multiple techniques to protect your data

Sat, 12 Sep 2020 08:00:00 +0200

The problem

Several years ago I had a friend called me for a problem with MongoDb, it turns out that someone, from an IP geolocated in China, accessed the instances during the night and wiped out everything.

The problem was due to some misconfiguration or human error or whatever that:

turned off Windows firewall and port 27017 was open to the internet
MongoDb was installed with no password.
MongoDb was bound to all ip addresses of the machine

When it is time to protect your data, you should add as many layers / techniques of protection as you can, this because, if one if them is failing, another one can still offer protection.

GitHub Codespaces first impression

Sun, 06 Sep 2020 08:00:00 +0200

What is GitHub codespaces

Visual Studio Code is becoming one of the most used and productive editors in all operating system and it is used by most developers. During these years Visual Studio Code introduced lots of interesting features, like the ability to connect to Linux or Docker Container and develop inside that container. This means that your machine can run Windows / Linux / MacOS or whatever, but you can connect to a Linux machine or Linux Docker instance and develop inside that container

Docker-compose to speed up setup dev environment

Sat, 22 Aug 2020 08:00:00 +0200

Even if you do not plan to use Docker to distribute your application you can use it to speedup setup of development environment, for new developers and for new machines. I have a project where we use MongoDb and ElasticSearch, mongodb should be authenticated and ElasticSearch needs to have some special plugin installed.

Time to setup a new machine sometimes is high due to dependencies.

I’m aware that for experienced user setting up mongodb and ElasticSearch is not a complex task, but nevertheless you usually can have some problem.

Azure DevOps Pills: Integration with SonarCloud

Thu, 20 Aug 2020 08:12:42 +0200

I’ve dealt in the past on how to integrate SonarCloud analysis in a TFS/AzDo pipeline but today it is time to update that post with some interesting nice capabilities.

If you look in Figure 1 you can see that now SonarCloud has a direct integration with Azure DevOps pull requests, all you need to do is add a Personal Access Token with code access privilege and you are ready to go.

Azure DevOps Pills: Process rules for state transition

Wed, 19 Aug 2020 08:12:42 +0200

One of the most requested feature for Azure DevOps is the ability to restrict state transition for custom processes. Whenever a company starts creating its own process, Work Item States is always a big area of discussions. Which state we need? Who can change state from X to Y? Until few weeks ago, only if you have Azure DevOps server with old process model based on XML you can restrict transition between states. Now this feature is available even for cloud version.

How to fix 'No matching creator found' mongodb error after upgrade

Sat, 15 Aug 2020 08:00:00 +0200

Even if Release changes seems to have no breaking changes in MongodDb Driver latest upgrade, it is possible that your code could be affected by a change in the driver and you starts having strange exception with code that works perfectly with an older version of the driver.

I’ve a big project where after updating from 2.7.3 driver to 2.11.0 MongoDb driver I’ve started having all sort of weird errors that disappear restoring 2.7.3 of the driver.

Double T shaped professional

Mon, 10 Aug 2020 18:40:00 +0200

The term T-Shaped Professional or T-Shaped Skills is widely used to identify a person that has a good deep knowledge in a specific area and a broad knowledge on other areas.

This kind of professional is perfect to fit into DevOps culture, because it can collaborate better with others in the team. As an example, a front-end Developer usually has the leg of his T in web technologies (angular, Typescript, HTML, etc.) but he should also have a little bit of knowledge on backend development, networking and others. The same happens for other roles in the team, a Network Engineer has a deep knowledge of network infrastructure, but he/she should have some knowledge on Database, Development and web framework to communicate better with others.

Set ip of WSL2 machine in host file

Sat, 01 Aug 2020 08:00:00 +0200

I have a WSL2 ubuntu installation where I have SAMBA installed and I really need it to answer to a specific name, something like \ubuntuwsl.

In WSL2 the machine got its IP assigned from Hyper-V so it is dynamic and change at each reboot

To solve this problem it is interesting to look on how you can interact to your WSL2 distribution from PowerShell, this exercise will show you how powerful WSL2 is. First of all you can execute shell command directly from PowerShell. As an example this is how I can start SAMBA daemon directly from PowersShell

How to locate most recent MSBuild.exe using PowerShell

Sun, 26 Jul 2020 08:00:00 +0200

If you want to build a Full Framework based project from PowerShell, you need to locate MsBuild.exe tool tool to compile your project. You can indeed “open developer command prompt” to have a CommandLine with all needed tools in the %PATH%, but if you want to create a generic PowerShell script that uses MsBuild, knowing its location is probably a must.

There are some solutions in the internet, but I’ve found a nice module called VSSetup that can helps locating MsBuild because it gives you interesting information for every version of Visual Studio installed in the system (from VS2017 and subsequent versions).

Some fix for Word Exporter

Wed, 22 Jul 2020 17:00:00 +0200

This is another post in the series “how to export Work Item data to Word Document”.

Complete code for project can be found in GitHub - https://github.com/alkampfergit/AzureDevopsWordPlayground

Post in the series:

Exporter project was updated a little bit in past months, I had no time for blogging about it but probably it is the time to give further information on how to export all of your Work Items to a Word File.

Error 0x8004212 during Bare Metal Recovery

Fri, 17 Jul 2020 17:56:00 +0200

I got an old HP Proliant Microserver Gen7, it has Turion CPU, quite slow in these days, but I got 16GB RAM and 6 TB of caviar Red. The overall performances are acceptable, it is a domain controller for a test domain, it is used as NAS and Windows Update services.

Last week primary disk died, it starts with an annoying Tick Tick noise, then it is dead, so I bough a SAMSUNG 860 500GB SSD to replace the drive. I already used Bare Metal Restore 2 times in that machine, because I changed to an SSD in the past then back to a standard Disk, so I was pretty sure that the backup procedure is good. But when I substituted the disk, booted Windows Server from USB and choose to restore the disk I got this nasty error.

Danger of public IPs

Thu, 16 Jul 2020 10:13:30 +0200

This morning I come across this article about another data exposure and I could not avoid to notice that it is another Elasticsearch exposed to the public.

894 GB of data was stored in an unsecured Elasticsearch cluster.

Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed.

Access your azure VM with Azure Bastion

Sat, 11 Jul 2020 10:45:18 +0200

There are lots of reasons to use a classic VM in Azure, even if PAAS is the preferred way to approach the cloud, IAAS is still strong especially because not every product is ready to run on cloud providers.

If you have the need to create a standard VM, both Linux or Windows, you probably want an access with SSH or RDP to configure and manage it and using a public address is probably the quickest, but less secure way, to do it.

Principle of least privilege

Sat, 04 Jul 2020 08:13:30 +0200

This is the fourth article in a series of post dealing on why it is important to strictly validate user input.

A brief recap

Let’s return to the beginning, the very first version of the vulnerable function.

Do Not Disclose Errors to the User

Fri, 03 Jul 2020 22:13:30 +0200

This is the fourth article in a series of post dealing on why it is important to strictly validate user input.

In the last post we analyzed how it is not fully possible to limit user input in some functions like search. The user could almost search for every character and it is not easy to impose a maximum length. Nevertheless imposing a maximum length of the string to 50 characters seems to break Sql Injection.

Error in mapping MongoDb classes after updating to 2.10 driver

Thu, 02 Jul 2020 10:17:25 +0200

After updating a big project from MongoDb C# driver 2.7 to latest 2.10 version I started having lots of error on Integration tests.

MongoDB.Bson.BsonSerializationException
 HResult=0x80131500
 Message=Creator map for class TestMongoBug.TestArray has 2 arguments, but none are configured.
 Source=MongoDB.Bson
 StackTrace:
 at MongoDB.Bson.Serialization.BsonCreatorMap.Freeze()
 at MongoDB.Bson.Serialization.BsonClassMap.Freeze()
 at MongoDB.Bson.Serialization.BsonClassMap.LookupClassMap(Type classType)
 at MongoDB.Bson.Serialization.BsonClassMapSerializationProvider.GetSerializer(Type type, IBsonSerializerRegistry serializerRegistry)
 at MongoDB.Bson.Serialization.BsonSerializerRegistry.CreateSerializer(Type type)
 at System.Collections.Concurrent.ConcurrentDictionary`2.GetOrAdd(TKey key, Func`2 valueFactory)

The stack trace is especially strange, because it reveals that the error happens when the BsonClkassMap is trying to create mapping for the object. The error message is also really strange

Publish PowerShell functions to PowerShell Gallery

Sun, 28 Jun 2020 08:00:00 +0200

I’m a great fan of PowerShell script for build and release, even if Azure DevOps, GitHub Actions, TeamCity or Jenkins have pre-made task for common operations (zipping, file handling, etc). I always like using PowerShell scripts to do most of the job and the reason is simple: PowerShell scripts are easy to test, easy to understand and are not bound to a specific CI/CD engine.

Since I’m not a real PowerShell expert, during the years I’ve made some functions I reuse across projects, but I didn’t organize them, leading to some confusion over the years.

Use Kali linux in Windows Subsystem for Linux

Fri, 26 Jun 2020 10:00:37 +0200

Kali Linux on Windows

Thanks to the new Windows Subsystem for Linux version 2, shortly called WSL2, we have now a real Linux kernel running in a real VM as the core of WSL. This allows finally to use Kali Linux in WSL environment; if you tried in WSL you probably encountered some errors with network tools like NMap. With WSL2 everything seems to run just fine giving you a quick way to have a Kali Linux running in your Windows system while having full integration between file systems.

Compiling Angular app in WSL2

Sat, 06 Jun 2020 08:00:00 +0200

Windows Subsystem for Linux was a nice toy to play, but never impressed me very much, one of the reason is its limitations. I do not work much on Linux, but usually I have Linux boxes with MongoDB, Elasticsearch and play with security related stuff and for those purposes I have dedicated virtual machines.

This was the reason why I did not found any real useful usage for WSL, I’ve tried to quick do NMAP scan, but I got errors since it did not run a real Linux full kernel and NMap wants to have full access to the NIC to do its stuff. Now that we have WSL2 things starts to change.

Release a product composed by multiple projects and builds

Sat, 30 May 2020 15:12:42 +0200

Situation

We have a legacy project, born when Asp.Net WebForm was still a thing and Asp.NET MVC was still not released. This project grow during the years, in more that one subversion and git repositories. It was finally time to start setting some best practice in action and, to avoid complexity, we end with a single Git Repositories with six subfolders and six different solutions, each one that contains a part of the final product.

Play security in a secure environment

Sat, 23 May 2020 10:00:37 +0200

Security is one of my long passions, I’ve spent lots of time on C++ and Assembly (both x86 and other architectures) and in that environment I’ve started exploring buffer overflow and other vulnerabilities. Over the course of years security remained only a passion and not my primary skill, but I spent constantly a little amount of time on it through the years.

When it is time to study offensive security, it is quite common to download and install test vulnerable Virtual Machines to test some offensive strategies and I’m quite surprised that most of the online tutorial simply tells you to use Virtual Box (sometimes VmWare workstation), in a very basic way and completely avoid exploring more advanced scenarios.

How to run x86 Unit Test in a .NET core application

Wed, 06 May 2020 21:45:18 +0200

We have a standard .NET standard solution with some projects and some Unit Tests, everything runs perfectly until we have the need to force compilation of one of the project in x86. This can be done with RuntimeIdentifier tag in project file.

<Project Sdk="Microsoft.NET.Sdk">

 <PropertyGroup>
 <TargetFramework>netcoreapp3.1</TargetFramework>
 <RuntimeIdentifier>win-x86</RuntimeIdentifier>
 </PropertyGroup>

After this modification tests started to fail with an error that is clearly directly related to the change in runtime, but was highly unexpected.

Advantage of Hugo

Sat, 02 May 2020 08:00:00 +0200

I should admit that I was one of the people that loved blogging with Windows Live Writer and in general with software that is able to simple edit content, paste images, press a button and your post is online.

Sometimes you just need to go out from your comfort zone a little bit to change perspective and to find what you are doing wrong. Let me do an example: I used different plugins to print formatted code in my blog and after some migration you can see what happened to very first posts (around 2007).

Group application insight logs by custom property

Mon, 27 Apr 2020 18:45:18 +0200

Today we found excessive number of logs in Application Insight instance, an application that usually cost few bucks each month, started to use more resources. Looking at a summary of last 30 days we see excessive number of custom events.

Figure 1: Application insight summary for a specific application

Now the problem is: how can I quickly spot out why we have an excessive number of CustomEvents? Logs shows me clearly that the vast majority of logs are indeed Custom Events. To have a better insight to detail of events, we need to use custom queries, first of all I grouped by name.

Validate User Input Step 4

Sun, 26 Apr 2020 20:14:37 +0200

This is the fourth article in a series of post dealing on why it is important to strictly validate user input.

In this fourth part I will examine another problematic piece of code, obviously vulnerable to sql injection: an API to search in products.

1
2
3
4
5
6
7
8
9


[SwaggerResponse(typeof(IEnumerable<Product>))]
[HttpGet]
[MapToApiVersion("1.0")]
public IActionResult SearchProducts(String searchString)
{
 var query = DataAccess.CreateQuery($"Select * from dbo.Products where productName like '%{searchString}%'");
 var products = query.ExecuteBuildEntities<Product>(Product.Builder);
 return Ok(products);
}

As you can see, leaving user input flow unconstrained in your business logic, where it is used to create a SQL query with string concatenation is a bad idea. You can simply fire SQLMAP to test the API and you can verify that it’s indeed vulnerable.

Test error but build green when test are re-run

Thu, 23 Apr 2020 19:12:42 +0200

Suppose you have a result of an Azure DevOps Pipeline that contains this strange result: you have a clear indication that test run failed (1), but the overall build is green, both the entire build (2) and the single stage (3).

Figure 1: Confusing result of a build

In such a situation you wonder what happened, the overall build is green, but the clear indication that test run failed gives you some bad feeling that something was not really ok. In this situation the problem is that, if you click on Test Run Failed error message you will be redirected to a clear log that states that test run failed.

Moving to Hugo

Mon, 13 Apr 2020 17:17:25 +0200

I’ve started blogging in English in 2007 and clearly the choice was WordPress. I must admit that in lots of years of WordPress I always was quite satisfied by the result, lots of plugin, lots of resources on the internet and the ability to post from programs like Windows Live Writer having a WYSIWYG program.

You can also read one of the first post where I enjoyed blogging in Word, really long time passed since that really old post.

Strange Error uploading artifacts in Azure DevOps pipeline

Sat, 11 Apr 2020 07:00:37 +0200

I have a library that is entirely written in.NET core that deal with some self signed X509 certificates used to encrypt and digitally sign some data. Software runs perfectly and is composed by a server and client part.

At a certain point we decided that the client should be used not only by software that runs.NET core, but also software with full framework , so I’ve changed target framework to target both netstandard 2.0 and full framework 4.6.1, everything compiles perfectly, tests run fine, everything seems to be green. The problem is that unit test project ran tests only with.NET Core, so I was not exercising tests in full framework.

Strange Error uploading artifacts in Azure DevOps pipeline

Sat, 11 Apr 2020 06:00:37 +0200

I have a pipeline that worked perfectly for Years, but yesterday a build failed while uploading artifacts, I queued it again and it still failed, so it does not seems to be an intermittent error (network could be unreliable). I was really puzzled because from the last good build we changed 4 C# files, nothing really changed that can justify the failing and also we have no network problem that can justify problem uploading artifacts to Azure DevOps.

Azure DevOps Pipeline template steps and NET Core 3 local tools

Tue, 07 Apr 2020 16:00:37 +0200

I’m a strong fan of Azure DevOps templates for pipelines because it is a really good feature to both simplify Pipeline authoring and avoid proliferation of too many way to do the same things. In some of my previous examples I’ve always used a template that contains full Multi Stage pipeline definition , this allows you to create a new pipeline with easy, reference repository with the template, choose right template, set parameters and you are ready to go.

Continuous Integration in GitHub Actions deploy in AzureDevops

Sat, 04 Apr 2020 05:00:37 +0200

My dear friend Matteo just published an interesting article on integration between GitHub actions and Azure Devops Pipeline here. I have a different scenario where I’ve already published a GitHub release from a GitHub action, but I have nothing ready in GitHub to release in my machines.

While GitHub is really fantastic for source code and starts having a good support for CI with Actions, in the release part it still miss a solution. Usually this is not a problem, because we have Azure DevOps or other products that can fill the gap.

Azure DevOps pipeline template for build and release NET core project

Sun, 29 Mar 2020 09:00:37 +0200

Some days ago I’ve blogged on how to release projects on GitHub with actions, now it is time to understand how to do a similar thing in Azure DevOps to build / test / publish a.NET core library with nuget. The purpose is to create a generic template that can be reused on every general that needs to build an utility dll, run test and publish to a Nuget feed.

Strange error disallow my NET core application to start

Mon, 23 Mar 2020 08:00:37 +0200

Today I cloned in my workstation a.NET core application that works perfectly on my laptop, but when I started it I got this error

An attempt was made to access a socket in a way forbidden by its access permissions

I’ve spent almost 10 minutes to find why my netsh rule is not working (I work with a user that is not administrator of the machine) and finally, by frustration I opened Visual Studio with administrator user, just to verify that the error is still there.

Release software with GitHub actions and GitVersion

Sun, 22 Mar 2020 10:00:37 +0200

One of the nice aspect of GitHub actions is that you can automate stuff simply with command line tools. If you want to do continuous release of your software and you want to use GitVersion tool to determine a unique SemVer version from the history, here is the sequence of steps.

Iinstall/update gitversion tool with commandline tools
Run GitVersio to determine SemVer numbers
Issue a standard build/test using SemVerNumbers of step 2
If tests are ok, use dotnet publish command (with SemVer numbers) to publish software
Zip and upload publish result
It the branch is Master publish a GitHub release of your software.

Automating your CI pipeline using only CommandLine tools makes your build not dependent on the Engine you are using.

One Team Project to rule them all

Sat, 21 Mar 2020 16:00:37 +0200

A similar post was made lots of time ago, but since this is always an hot topic, it is probably the time to refresh with new UI and new concepts of Azure DevOps.

The subject is, how can I apply security to backlogs if I adopt the strategy one single Team Project subdivided by teams?

The approach One Team Project to rule them all is still valid as today , because, once you have a team project, you can divide it with Teams, where each team has its own backlog (or share a single backlog between teams) making everything more manageable.

Publish artifacts in GitHub actions

Sun, 15 Mar 2020 11:00:37 +0200

GitHub action is perfect to automate simple build workflow and can also be used to publish “releases” of our software. While we can do actions to publish on cloud or elsewhere, what I appreciate from a tool is: allow me to make simple things with simple workflow. While I appreciate being able to obtain complex result and indeed, sometimes we evaluate products on the ability to fulfill complex scenario, often we forgot about the simple things. Is it true that, if a product allows me to solve complex scenarios, it will surely allow me to solve simple scenario, but I wonder about the complexity.

Home Made Zero trust Security step 2

Sat, 14 Mar 2020 10:00:37 +0200

If you read my old post about how to create a simple program that can manage Windows Firewall to open ports with a simple udp request you surely got disappointed by the complete lack of security in the request. That program was no more than a mere proof of concept to understand if I can manage windows firewall programmatically in.NET Core. > The absolute critical problem in that program is that, UDP request to open a Tcp port is sent in clear text. Basically the protocol is, a client C send to the server S a UDP packet in a specific port with a secret key, the server S check if the secret is correct and opens a corresponding TCP port, associated by UDP port in configuration, for requesting IP only and for a predetermined period of time.

NET core configuration array with Bind

Sat, 14 Mar 2020 09:00:37 +0200

New configuration system of.NET core is really nice, but it does not works very well with arrays, I have a configuration object that has an array of FirewallRules

1

 public FirewallRule[] Rules { get; set; }

This rule is simply composed by four simple properties.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22


public class FirewallRule
{
 internal FirewallRule()
 {
 }

 public FirewallRule(string name, int udpPort, int tcpPort, string secret)
 {
 Name = name;
 UdpPort = udpPort;
 TcpPort = tcpPort;
 Secret = secret;
 }

 public String Name { get; set; }

 public Int32 UdpPort { get; set; }

 public Int32 TcpPort { get; set; }

 public String Secret { get; set; }
}

Ok, nothing complex, now I’m expecting to being able to write this json configuration file to configure a single rule.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10


{
 "Rules" : [
 {
 "Name": "Rdp",
 "UdpPort": 23456,
 "TcpPort": 3389,
 "Secret": "this_is_a_secret"
 }
 ]
}

GitHub actions improvements

Thu, 12 Mar 2020 17:00:37 +0200

GitHub actions is really new kid on the block and even if I still prefer Azure DevOps pipelines, because they are really more production ready, GitHub actions is rapidly evolving.

Figure 1 : GitHub actions now has a dedicated editor for actions to quickly include actions

As you can see in Figure 1 , when you edit workflow file in GitHub online editor you can simply browse all available actions. Choosing a specific action reveal the snippet of text you should enter to use that action without the need to search around.

Azure DevOps YAML pipeline authorization problem

Tue, 10 Mar 2020 18:00:37 +0200

It could happen, sometimes, that when you create a pipeline in Azure Devops at first run you got the following error.

##[error]Pipeline does not have permissions to use the referenced pool(s) Default. For authorization details, refer to https://aka.ms/yamlauthz.

There are more than one kind of this error, the most common one is the build using some external resource that requires authorization, but in this specific error message, pipeline has no permission to run on default pool.

Use latest OS image tag in GitHub actions

Sun, 08 Mar 2020 09:00:37 +0200

I have a nice GH action that runs some build and test on my project, now I noticed that some of the latest runs have some problem.

Figure 1: My action that ran only one of the matrix combination

Action has two distinct run because it has a matrix, actually I want to run it against Linux and Windows operating systems, but it seems that it does not run anymore on Windows.

GitHub Actions plus Azure Docker Registry

Tue, 25 Feb 2020 17:00:37 +0200

I have some projects that needs SqlServer and MongoDb or ElasticSearch to run some integration tests, these kind of requirements made difficult to use hosted agent for build (in Azure DevOps) or whatever build system you are using where a provider gives you pre-configured machine to run your workflow. Usually each build engine made possible for you to run your own agent and GitHub actions makes no difference ( you can read here about self installed action runners https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)

Do not trust user input part 3

Wed, 19 Feb 2020 18:00:37 +0200

In part 2 we continued our journey to prevent malicious users to receive dangerous data, limiting customer id to be a 5 letters string value. We have two aspect to improve because usually I got 2 complains when I show that code.

First one: Customer object, has a composite id, serialized value is somewhat clumsy to access from client code as you can see in Figure 1. Second: if you forget to create a CustomerId from value passed from the user, you are still victim of SQL Injection.

Azure DevOps Git repository options

Wed, 12 Feb 2020 17:00:37 +0200

Azure DevOps is a big product and often users start using it without fully explore all the possibilities. As an example, when it is time to work with Git Repositories, users just create repositories and start working without any further configuration.

If you navigate to the Repos section of Project Settings page, you can configure lots of options for repositories. Security is probably the most important setting, because it determines who can access that specific repository and what permission each user / group has in the context of that very specific repository.

Do not trust user input part 2

Wed, 29 Jan 2020 20:00:37 +0200

After we fixed our code in part 1 of this serie, we continue to expand our API adding a method to select a Customer. Northwind database Customer table has an id of type string, so we could start with this very bad, bad, bad piece of code.

Figure 1: Another bad example of API vulnerable with Sql Injection

Again the question is: what is the most critical error in that piece of code? If you answer “Query with string concatenation” probably you are wrong. Indeed that is a huge problem, but in my mind is accepting a string from the user is still the number one problem.

Do not trust user input

Tue, 28 Jan 2020 21:00:37 +0200

It is time to start blogging a little bit about security, because injection is still high in OWASP TOP 10 and this implies that people still trust their users. Remember, you should not trust your users, never, never, never, because for 10.000 good users there could be 1 bad user, and he/she is enough to damage your organization.

Here you have a really bad, bad, bad, bad, piece of code that is meant to allow product retrieval from northwind database Products table.

Windows Docker Container for Azure Devops Build agent

Sat, 25 Jan 2020 11:00:37 +0200

Thanks to Docker Compose, I can spin off an agent for Azure Devops in mere seconds (once you have all the images). Everything I need is just insert the address of my account a valid token and an agent is ready.

With.NET core everything is simple, because we have a nice build task that automatically install.NET Core SDK in the agent, the very same for node.js. This approach is really nice, because it does not require to preinstall too much stuff in your agent, everything is downloaded and installed on the fly when a build needs that specific tooling.

Why I love DevOps and hate DevSecOps

Sat, 18 Jan 2020 15:00:37 +0200

DevOps is becoming a buzzword, it makes hype and everyone want to be part of it, even if he/she does not know exactly what DevOps is. One of the symptoms of this is the “DevOpsEngineer”, a title that does not fit in my head. We could debate for days or years on the right definition of DevOps, but essentially is a cultural approach on building software focused on building the right thing with the maximum quality and satisfaction for the customer.

Home Made zero trust security

Fri, 03 Jan 2020 16:00:37 +0200

I have a small office with some computers and servers and since I’m a fan of Zero Trust Security, I have firewall enabled even in local network. I’m especially concerned about my primary workstation, a Windows Machine where I have explicitly created firewall rules to block EVERY packet from another machine of the network. I have backups, I have antivirus, but that machine is important and I do not want it to be compromised, working with a rule that block every contact from external code is nice and make it secure, but sometimes it is inconvenient.

Azure DevOps agent with Docker Compose

Fri, 27 Dec 2019 20:00:37 +0200

I’ve dealt in the past on using Docker for your Azure DevOps Linux Build Agent in a post called Configure a VSTS Linux agent with docker in minutes and also I’ve blogged on how you can use Docker inside a build definition to have some prerequisite for testing (like MongoDb and Sql Server), now it is time to move a little step further and leverage Docker compose.

Using Docker commands in pipeline definition is nice, but has some drawbacks: First of all this approach suffers in speed of execution, because the container must start each time you run a build (and should be stopped at the end of the build). Is indeed true that if the docker image is already present in the agent machine startup time is not so high, but some images, like MsSql, are not immediately operative, so you need to wait for them to be ready for Every Build. The alternative is leave them running even if the build is finished, but this could lead to resource exaustion.

Check for Malware in a Azure DevOps Pipeline

Sat, 14 Dec 2019 09:00:37 +0200

In a previous post I’ve showed Credential Scanner, a special task part of Microsoft Security Code Analysis available in Azure, today I want to have a quick peek at Anti Malware scanner task.

First of all a simple consideration: I’ve been asked several times if there is any need to have an AntiVirus or AntiMalware tools in build machines, after all the code that is build is developed by own developer, so there should be no need of such tools, right? In my opinion this is a false assumption, here is some quick consideration on how a malware can be downloaded in your build machine

Consume Azure DevOps feed in TeamCity

Wed, 04 Dec 2019 18:00:37 +0200

Azure DevOps has an integrated feed management you can use for nuget, npm, etc; the feed is private and only authorized users can download / upload packages. Today I had a little problem setting up a build in Team City that uses a feed in Azure Devops, because it failed with 201 (unauthorized)

The problem with Azure DevOps NuGet feeds, is how to authenticate other toolchain or build server.

This project still have some old build in TeamCity, but when it starts consuming packages published in Azure Devops, TeamCity builds start failing due 401 (unauthorized) error. The question is: How can I consume an Azure DevOps nuget feed from agent or tools that are not related to Azure Devops site itself?

BruteForcing login with Hydra

Fri, 29 Nov 2019 18:00:37 +0200

Without any doubt, Hydra is one of the best tool to bruteforce passwords. It has support for many protocols, but it can be used with standard web sites as well forcing a standard POST based login. The syntax is a little bit different from a normal scan, like SSH and is similar to this cmdline.

./hydra -l username -P x:\temp\rockyou.txt hostname –s port http-post-form “/loginpage-address:user=^USER^&password=^PASS^:Invalid password!”

Dissecting the parameters you have

Security in 2019 still unprotected ElasticSearch instance exists

Sun, 24 Nov 2019 13:00:37 +0200

I’ve received today a notification from https://haveibeenpwned.com/ because one of my emails was present in a data breach.

Ok, it happens, but two things disturbed me, the first is that I really never heard of those guys (People Data Labs), this because they are one of the companies that harvest public data from online sources, aggregates them and re-sell as “Data enrichment”. This means that they probably have only public data on me. If you are interested you can read article by Troy Hunt https://www.troyhunt.com/data-enrichment-people-data-labs-and-another-622m-email-addresses/ on details about this breach. But the second, and more disturbing issue is that, in 2019, still people left ElasticSearch open and unprotected in the wild. This demonstrates really low attention about security, especially in situation where you have Elasticsearch on server that have a public exposure. It is really sad to see that Security is still a second citizen in software development, if not, such trivial errors would not be done.

Quick Peek at Microsoft Security Code Analysis Credential Scanner

Sat, 23 Nov 2019 16:00:37 +0200

Microsoft Security Code Analysis contains a set of Tasks for Azure DevOps pipeline to automate some security checks during building of your software. Automatic security scanning tools are not a substitute in any way for human security analysis, remember: if you develop code ignoring security, no tool can save you.

Despite this fact, there are situation where static analysis can really give you benefit, because it can avoid you some simple and silly errors, that can lead to troubles. All Tasks in Microsoft Security Code Analysis package are designed to solve a particular problem and to prevent some common mistake.

Unable to execute NET core unit test in VS after uninstalling older sdk

Thu, 21 Nov 2019 20:00:37 +0200

It is not uncommon to have installed many versions of.NET core framework, especially after many Visual Studio updates. Each installation consumes disk space so I’ve decided to cleanup everything leaving only major version of the framework installed in the system. Everything worked fine, except Visual Studio Test Explorer that, upon test run request, generates this error in Tests output window

[21/11/2019 6:08:03.911] ========== Discovery aborted: 0 tests found (0:00:05,5002292) ==========
[21/11/2019 6:08:03.934] ———- Run started ———-
Testhost process exited with error: It was not possible to find any compatible framework version
The framework ‘Microsoft.NETCore.App’, version ‘2.2.0’ was not found.

Multiline PowerShell on YAML pipeline

Tue, 19 Nov 2019 18:00:37 +0200

Sometimes having a few lines of PowerShell in your pipeline is the only thing you need to quickly customize a build without using a custom task or having a PowerShell file in source code. One of the typical situation is: write a file with some content that needs to be determined by a PowerShell script, in my situation I need to create a configuration file based on some build variable.

Azure DevOps multi stage pipeline environments

Tue, 12 Nov 2019 18:00:37 +0200

In a previous post on releasing with Multi Stage Pipeline and YAML code I briefly introduced the concept of environments. In that example I used an environment called single_env and you can be surprised that, by default, an environment is automatically created when the release runs. This happens because an environment can be seen as sets of resources used as target for deployments, but in the actual preview version, in Azure DevOps, you can only add Kubernetes resources. The question is: why have I used an environment to deploy an application to Azure if there is no connection between the environment and your azure resources? > At this stage of the preview, we can only connect Kubernetes to an environment, no other physical resource can be linked.

GitHub security Alerts

Tue, 22 Oct 2019 16:00:37 +0200

I really love everything about security and I’m really intrigued by GitHub security tab that is now present on you repository. In your project usually it is disabled by default.

Figure 1: GitHub Security tab on your repository

If you enable it you start receiving suggestion based on code that you check in on the repository , as an example, GitHub will scan your npm packages source to find dependencies with libraries that are insecure.