One of the great features of MSBuild is the way you can easily get it to log EVERYTHING to disk so that when things go wrong, you have a pretty good idea of what happened. The problem with this is that it logs EVERYTHING to disk, including most likely some very sensitive information like passwords.
Take the following simplified example:
<Project ToolsVersion=”4.0″ DefaultTargets=”Default” xmlns=”http://schemas.microsoft.com/developer/msbuild/2003″>
<Message Text=”Admin Password: $(AdminPassword)”/>
Running that sample using the following:
msbuild SecureFileLogger.proj /p:AdminPassowrd=Mike /l:FileLogger,Microsoft.Build.Engine
Build started 27/05/2010 21:21:14.
Project “C:\Program Files (x86)\MSBuild\ExtensionPack\4.0\Samples\SecureFileLogger.proj” (default targets):
Admin Password: Mike
Time Elapsed 00:00:00.04
Anyone opening the log file will see sensitive information.
This is a simple example, however you may have no power over what external tasks log to the output stream. This is where the SecureFileLogger provided in the MSBuild Extension Pack 18.104.22.168 steps in.
Running the same sample using:
msbuild SecureFileLogger.proj /p:AdminPassword=Mike /l:SecureFileLogger,MSBuild.ExtensionPack.Loggers.dll
Build started. 05/27/2010 21:29:08
Project “C:\Program Files (x86)\MSBuild\ExtensionPack\4.0\Samples\SecureFileLogger.proj” (default target(s)):
Done building target “Default” in project “C:\Program Files (x86)\MSBuild\ExtensionPack\4.0\Samples\SecureFileLogger.proj”
Done building project “SecureFileLogger.proj”.
Time Elapsed 00:00:00.0460027
By default the task will mask any messages that have the word ‘password’ in them, however it provides the ability to specify any number of Regular Expressions to control the masking of logged output. Here is the full API
Logfile: A optional parameter that specifies the file in which to store the log information. Defaults to securemsbuild.log
RuleFile: A optional parameter that specifies the file in which to read regular expressions from. Use one Regular Expression per line. Defaults to (?i:.*password.*)
Append: An optional boolean parameter that indicates whether or not to append the log to the specified file: true to add the log to the text already present in the file; false to overwrite the contents of the file. The default is false.
Verbosity: An optional parameter that overrides the global verbosity setting for this file logger only. This enables you to log to several loggers, each with a different verbosity.
Encoding: An optional parameter that specifies the encoding for the file, for example, UTF-8.
Additional loggers involving encryption are being worked on, however this logger may provide you with suitable security now.