Feature request: build results Scans tab should pick up Pipeline Artifacts, in addition to Build Artifacts

[dbjorge]

Issue description

Azure DevOps build pipelines support two competing types of uploaded artifacts:

• Build Artifacts, generally uploaded via the Publish Build Artifacts task
• Pipeline Artifacts, generally uploaded via the Publish Pipeline Artifacts task (aka, the publish task keyword in a pipeline yaml file)

In general, Azure DevOps recommends Pipeline Artifacts over Build Artifacts (see the disclaimer at the top of the Build Artifacts docs), but currently, the SARIF SAST Scans Tab extension only supports CodeAnalysisLogs artifacts created as Build Artifacts. If you attempt to upload CodeAnalysisLogs as a pipeline artifact, the Scans tab will show that no SARIF file(s) were found, and its developer console output will show a 404 error.

Ideally, the extension would check for both build and pipeline artifacts using that name and load any matching artifacts from both locations.

Motivation

This appears to be a common source of confusion:

• Our team has helped two other teams hitting this issue during recent office hours
• See these two comments in Unable to render SARIF web component in Azure DevOps build tab #2
• See the Extension Marketplace Q&A comments from 3/22/21, 3/24/21, and 3/26/21

[agorischek]

+1, this has been a problem for my team recently. Pipeline artifact support would be great!