From a7816c791f517ea521bd5e729d805d3eef4e8953 Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Sun, 24 Jan 2021 21:01:24 -0300 Subject: [PATCH] Enable analysis for managed binary (#335) * Enable analysis for managed binary * updating sarif expected results * updating logic to pdblocation * removing old comment * updating pdb loader for checksum and tests * updating logic to check if we can process and tests * adding more tests * addressing pr comments * Moving from NotApplicable to FailureLevel = Error --- .../BA2004.EnableSecureSourceCodeHashing.cs | 42 +++--- src/BinSkim.Rules/RuleResources.Designer.cs | 18 +-- src/BinSkim.Rules/RuleResources.resx | 2 +- src/BinaryParsers/BinaryParsers.csproj | 1 + src/BinaryParsers/ChecksumAlgorithmType.cs | 26 ++++ src/BinaryParsers/PEBinary/PEBinary.cs | 5 - .../PEBinary/PortableExecutable/PE.cs | 73 +++++++++- .../PortableExecutable/SymMetadataProvider.cs | 105 ++++++++++++++ .../PEBinary/ProgramDatabase/Pdb.cs | 65 ++++++++- src/BinaryParsers/PdbFileType.cs | 26 ++++ .../Expected/BinSkim.win-x64.ni.dll.sarif | 2 +- .../Expected/BinSkim.win-x86.ni.dll.sarif | 2 +- .../Expected/Binskim.linux-x64.dll.sarif | 121 ++++++---------- .../Expected/Binskim.win-x64.RTR.dll.sarif | 2 +- .../Expected/Binskim.win-x64.dll.sarif | 121 ++++++---------- .../Expected/Binskim.win-x86.RTR.dll.sarif | 2 +- .../Expected/Binskim.win-x86.dll.sarif | 121 ++++++---------- ...ore_RTR_linux-x64_VS2019_Default.dll.sarif | 137 +++++++++--------- ...tCore_RTR_win-x64_VS2019_Default.dll.sarif | 137 +++++++++--------- ...tCore_RTR_win-x86_VS2019_Default.dll.sarif | 131 +++++++++-------- ...NetCore_linux-x64_VS2019_Default.dll.sarif | 137 +++++++++--------- ...otNetCore_win-x64_VS2019_Default.dll.sarif | 137 +++++++++--------- ...otNetCore_win-x64_VS2019_Default.exe.sarif | 2 +- ...otNetCore_win-x86_VS2019_Default.dll.sarif | 131 +++++++++-------- ...InteropAssemblyForAtlTestLibrary.dll.sarif | 121 ++++++---------- .../Expected/ManagedResourcesOnly.dll.sarif | 121 ++++++---------- ...aged_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif | 124 ++++++++-------- ...anaged_AnyCPU_VS2017_Prefer32Bit.exe.sarif | 130 ++++++++--------- .../Managed_x64_VS2015_FSharp.exe.sarif | 132 ++++++++--------- .../Expected/Managed_x86_VS2013_Wpf.exe.sarif | 130 ++++++++--------- .../Managed_x86_VS2015_FSharp.dll.sarif | 130 ++++++++--------- .../MixedMode_x64_VS2013_Default.dll.sarif | 74 ++++++++-- .../MixedMode_x64_VS2015_Default.exe.sarif | 76 ++++++++-- .../MixedMode_x86_VS2013_Default.exe.sarif | 80 ++++++++-- .../MixedMode_x86_VS2015_Default.exe.sarif | 80 ++++++++-- .../Native_x64_VS2013_Default.dll.sarif | 2 +- .../Native_x64_VS2015_Default.dll.sarif | 2 +- .../Native_x86_VS2013_Default.exe.sarif | 2 +- .../Native_x86_VS2013_ResourceOnly.dll.sarif | 2 +- ...Native_x86_VS2015_AtlProxyStubPS.dll.sarif | 2 +- .../Native_x86_VS2015_Default.exe.sarif | 2 +- .../Native_x86_VS2015_Default_Debug.dll.sarif | 2 +- .../Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif | 2 +- .../Expected/Uwp_ARM_VS2017_VB.dll.sarif | 132 ++++++++--------- ...wp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif | 130 ++++++++--------- .../Expected/Uwp_x64_VS2017_Cpp.dll.sarif | 2 +- .../Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif | 2 +- .../Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif | 2 +- .../Wix_3.11.1_VS2017_Bootstrapper.exe.sarif | 2 +- .../Expected/clang.default_compilation.sarif | 2 +- .../Expected/clang.execstack.sarif | 2 +- .../Expected/clang.execstack.so.sarif | 2 +- .../Expected/clang.immediate_binding.sarif | 2 +- .../Expected/clang.no_immediate_binding.sarif | 2 +- .../Expected/clang.no_stack_protector.sarif | 2 +- .../Expected/clang.noexecstack.sarif | 2 +- .../Expected/clang.noexecstack.so.sarif | 2 +- .../Expected/clang.non_pie_executable.sarif | 2 +- .../Expected/clang.object_file.o.sarif | 2 +- .../Expected/clang.pie_executable.sarif | 2 +- .../Expected/clang.relocationsro.sarif | 2 +- .../Expected/clang.relocationsrw.sarif | 2 +- .../Expected/clang.shared_library.so.sarif | 2 +- .../Expected/clang.stack_protector.sarif | 2 +- .../Expected/clang.stack_protector.so.sarif | 2 +- .../Expected/gcc.default_compilation.sarif | 2 +- .../Expected/gcc.execstack.sarif | 2 +- .../Expected/gcc.execstack.so.sarif | 2 +- .../Expected/gcc.fortified.sarif | 2 +- .../Expected/gcc.immediate_binding.sarif | 2 +- .../gcc.no_fortification_required.sarif | 2 +- .../Expected/gcc.no_immediate_binding.sarif | 2 +- .../Expected/gcc.no_stack_protector.sarif | 2 +- .../Expected/gcc.noexecstack.sarif | 2 +- .../Expected/gcc.noexecstack.so.sarif | 2 +- .../Expected/gcc.non_pie_executable.sarif | 2 +- .../Expected/gcc.object_file.o.sarif | 2 +- .../Expected/gcc.pie_executable.sarif | 2 +- .../Expected/gcc.relocationsro.sarif | 2 +- .../Expected/gcc.relocationsrw.sarif | 2 +- .../Expected/gcc.shared_library.so.sarif | 2 +- .../Expected/gcc.stack_protector.sarif | 2 +- .../Expected/gcc.stack_protector.so.sarif | 2 +- .../Expected/gcc.unfortified.sarif | 2 +- .../Fail/Managed_net48_full_exe_sha1.exe | Bin 0 -> 5120 bytes .../Fail/Managed_net48_full_exe_sha1.pdb | Bin 0 -> 19968 bytes .../Fail/Managed_net48_full_sha1.dll | Bin 0 -> 4096 bytes .../Fail/Managed_net48_full_sha1.pdb | Bin 0 -> 15872 bytes .../Fail/Managed_net48_portable_exe_sha1.exe | Bin 0 -> 5120 bytes .../Fail/Managed_net48_portable_exe_sha1.pdb | Bin 0 -> 1372 bytes .../Fail/Managed_net48_portable_sha1.dll | Bin 0 -> 4608 bytes .../Fail/Managed_net48_portable_sha1.pdb | Bin 0 -> 1224 bytes ...anaged_netcoreapp3.1_portable_exe_sha1.dll | Bin 0 -> 5120 bytes ...anaged_netcoreapp3.1_portable_exe_sha1.pdb | Bin 0 -> 9360 bytes .../Managed_netstandard2.0_portable_sha1.dll | Bin 0 -> 4608 bytes .../Managed_netstandard2.0_portable_sha1.pdb | Bin 0 -> 7156 bytes .../Pass/Managed_net48_full_exe_sha256.exe | Bin 0 -> 5120 bytes .../Pass/Managed_net48_full_exe_sha256.pdb | Bin 0 -> 19968 bytes .../Pass/Managed_net48_full_sha256.dll | Bin 0 -> 4096 bytes .../Pass/Managed_net48_full_sha256.pdb | Bin 0 -> 15872 bytes .../Managed_net48_portable_exe_sha256.exe | Bin 0 -> 5120 bytes .../Managed_net48_portable_exe_sha256.pdb | Bin 0 -> 1412 bytes .../Pass/Managed_net48_portable_sha256.dll | Bin 0 -> 4608 bytes .../Pass/Managed_net48_portable_sha256.pdb | Bin 0 -> 1260 bytes ...aged_netcoreapp3.1_portable_exe_sha256.dll | Bin 0 -> 5120 bytes ...aged_netcoreapp3.1_portable_exe_sha256.pdb | Bin 0 -> 9400 bytes ...Managed_netstandard2.0_portable_sha256.dll | Bin 0 -> 4608 bytes ...Managed_netstandard2.0_portable_sha256.pdb | Bin 0 -> 7196 bytes 108 files changed, 1701 insertions(+), 1399 deletions(-) create mode 100644 src/BinaryParsers/ChecksumAlgorithmType.cs create mode 100644 src/BinaryParsers/PEBinary/PortableExecutable/SymMetadataProvider.cs create mode 100644 src/BinaryParsers/PdbFileType.cs create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.exe create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.exe create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_sha1.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netcoreapp3.1_portable_exe_sha1.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netcoreapp3.1_portable_exe_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_exe_sha256.exe create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_exe_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_sha256.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.exe create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netcoreapp3.1_portable_exe_sha256.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netcoreapp3.1_portable_exe_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.pdb diff --git a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs index aebe9c3c7..5fc964f5c 100644 --- a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs +++ b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs @@ -28,27 +28,13 @@ public class EnableSecureSourceCodeHashing : WindowsBinaryAndPdbSkimmerBase, IOp protected override IEnumerable MessageResourceNames => new string[] { nameof(RuleResources.BA2004_Pass), nameof(RuleResources.BA2004_Warning_NativeWithInsecureStaticLibraryCompilands), - nameof(RuleResources.BA2004_Warning_Managed), + nameof(RuleResources.BA2004_Error_Managed), nameof(RuleResources.BA2004_Error_NativeWithInsecureDirectCompilands), nameof(RuleResources.NotApplicable_InvalidMetadata) }; public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { - PE portableExecutable = target.PE; - AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; - - reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly; - if (portableExecutable.IsILOnly) { return result; } - - // TODO: currently our test binary for this check is a dll that does not - // compile against any external library. BinSkim regards this as a resource - // only binary and skips the test. We should improve the IsResourceOnly - // helper to properly identify this dependency-free test binary as code. - - // reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary; - // if (portableExecutable.IsResourceOnly) { return result; } - reasonForNotAnalyzing = null; return AnalysisApplicability.ApplicableToSpecifiedTarget; } @@ -64,11 +50,31 @@ public override void AnalyzePortableExecutableAndPdb(BinaryAnalyzerContext conte AnalyzeNativeBinaryAndPdb(context); } -#pragma warning disable IDE0060 // Remove unused parameter private void AnalyzeManagedAssemblyAndPdb(BinaryAnalyzerContext context) -#pragma warning restore IDE0060 // Remove unused parameter { - // TODO: use DiaSymReader? + PEBinary target = context.PEBinary(); + Pdb di = target.Pdb; + + if (target.PE.ManagedPdbSourceFileChecksumAlgorithm(di.FileType) != ChecksumAlgorithmType.Sha256) + { + // '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. + // SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. + // Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project + // property with 'SHA256' to enable secure source code hashing. + context.Logger.Log(this, + RuleUtilities.BuildResult(ResultKind.Fail, context, null, + nameof(RuleResources.BA2004_Error_Managed), + context.TargetUri.GetFileName())); + return; + } + + // '{0}' is a {1} binary which was compiled with a secure (SHA-256) + // source code hashing algorithm. + context.Logger.Log(this, + RuleUtilities.BuildResult(ResultKind.Pass, context, null, + nameof(RuleResources.BA2004_Pass), + context.TargetUri.GetFileName(), + "managed")); } public void AnalyzeNativeBinaryAndPdb(BinaryAnalyzerContext context) diff --git a/src/BinSkim.Rules/RuleResources.Designer.cs b/src/BinSkim.Rules/RuleResources.Designer.cs index f0d3797c9..745d7b33e 100644 --- a/src/BinSkim.Rules/RuleResources.Designer.cs +++ b/src/BinSkim.Rules/RuleResources.Designer.cs @@ -123,6 +123,15 @@ internal static string BA2004_EnableSecureSourceCodeHashing_Description { } } + /// + /// Looks up a localized string similar to '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing.. + /// + internal static string BA2004_Error_Managed { + get { + return ResourceManager.GetString("BA2004_Error_Managed", resourceCulture); + } + } + /// /// Looks up a localized string similar to '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: ///{1}. @@ -142,15 +151,6 @@ internal static string BA2004_Pass { } } - /// - /// Looks up a localized string similar to '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing.. - /// - internal static string BA2004_Warning_Managed { - get { - return ResourceManager.GetString("BA2004_Warning_Managed", resourceCulture); - } - } - /// /// Looks up a localized string similar to '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: ///{1}. diff --git a/src/BinSkim.Rules/RuleResources.resx b/src/BinSkim.Rules/RuleResources.resx index d43730f22..2c8a42a9e 100644 --- a/src/BinSkim.Rules/RuleResources.resx +++ b/src/BinSkim.Rules/RuleResources.resx @@ -464,7 +464,7 @@ Modules triggering this check were: The PDB for '{0}' was found and loaded. Probing details: {1} - + '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing. diff --git a/src/BinaryParsers/BinaryParsers.csproj b/src/BinaryParsers/BinaryParsers.csproj index 5976d88c9..51ac93724 100644 --- a/src/BinaryParsers/BinaryParsers.csproj +++ b/src/BinaryParsers/BinaryParsers.csproj @@ -4,6 +4,7 @@ Microsoft.CodeAnalysis.BinaryParsers $(NetStandardVersion) + true diff --git a/src/BinaryParsers/ChecksumAlgorithmType.cs b/src/BinaryParsers/ChecksumAlgorithmType.cs new file mode 100644 index 000000000..a4485aa96 --- /dev/null +++ b/src/BinaryParsers/ChecksumAlgorithmType.cs @@ -0,0 +1,26 @@ +// Copyright (c) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE file in the project root for full license information. + +namespace Microsoft.CodeAnalysis.BinaryParsers +{ + /// + /// Checksum Algorithm for managed binary. + /// + public enum ChecksumAlgorithmType + { + /// + /// Unknown format. + /// + Unknown, + + /// + /// SHA1 algorithm. + /// + Sha1, + + /// + /// SHA256 algorithm. + /// + Sha256, + } +} diff --git a/src/BinaryParsers/PEBinary/PEBinary.cs b/src/BinaryParsers/PEBinary/PEBinary.cs index 9e8f18fd1..5303b76ab 100644 --- a/src/BinaryParsers/PEBinary/PEBinary.cs +++ b/src/BinaryParsers/PEBinary/PEBinary.cs @@ -40,11 +40,6 @@ public PEBinary( private Pdb LoadPdb() { - // We should never be required to load a PDB for a managed assembly that does - // not incorporate native code, as no managed-relevant rule currently crawls - // PDBs for its analysis. - Debug.Assert(!this.PE.IsManaged || this.PE.IsMixedMode); - Pdb pdb = null; try { diff --git a/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs b/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs index 6c8245a1c..d37842dc5 100644 --- a/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs +++ b/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs @@ -10,6 +10,9 @@ using System.Reflection.PortableExecutable; using System.Security.Cryptography; +using Microsoft.DiaSymReader; +using Microsoft.DiaSymReader.Tools; + namespace Microsoft.CodeAnalysis.BinaryParsers.PortableExecutable { public class PE : IDisposable @@ -29,6 +32,8 @@ public class PE : IDisposable private PEReader peReader; internal SafePointer pImage; // pointer to the beginning of the file in memory private readonly MetadataReader metadataReader; + private const string sha256 = "8829d00f-11b8-4213-878b-770e8597ac16"; + private static readonly Guid sha256guid = new Guid(sha256); public PE(string fileName) { @@ -262,7 +267,6 @@ public byte[] ImageBytes } } - /// /// Calculate SHA1 over the file contents /// @@ -365,7 +369,6 @@ public long Length } } - /// /// Windows OS file version information /// @@ -381,7 +384,6 @@ public FileVersionInfo FileVersion } } - public Packer Packer { get @@ -789,5 +791,70 @@ public bool IsWixBinary return this.isWixBinary.Value; } } + + public ChecksumAlgorithmType ManagedPdbSourceFileChecksumAlgorithm(PdbFileType pdbFileType) + { + return pdbFileType == PdbFileType.Windows + ? ChecksumAlgorithmForFullPdb() + : ChecksumAlgorithmForPortablePdb(); + } + + private ChecksumAlgorithmType ChecksumAlgorithmForPortablePdb() + { + if (!this.peReader.TryOpenAssociatedPortablePdb( + this.FileName, + filePath => File.Exists(filePath) ? File.OpenRead(filePath) : null, + out MetadataReaderProvider pdbProvider, + out _)) + { + return ChecksumAlgorithmType.Unknown; + } + + MetadataReader metadataReader = pdbProvider.GetMetadataReader(); + foreach (DocumentHandle document in metadataReader.Documents) + { + Document doc = metadataReader.GetDocument(document); + + Guid hashGuid = metadataReader.GetGuid(doc.HashAlgorithm); + + return hashGuid == sha256guid ? ChecksumAlgorithmType.Sha256 : ChecksumAlgorithmType.Sha1; + } + + return ChecksumAlgorithmType.Unknown; + } + + private ChecksumAlgorithmType ChecksumAlgorithmForFullPdb() + { + string fileName = Path.GetFileName(this.FileName); + string extension = Path.GetExtension(fileName); + string pdbPath = this.FileName.Replace(fileName, fileName.Replace(extension, ".pdb")); + + if (!File.Exists(pdbPath)) + { + return ChecksumAlgorithmType.Unknown; + } + + using var pdbStream = new FileStream(pdbPath, FileMode.Open, FileAccess.Read); + + var metadataProvider = new SymMetadataProvider(this.metadataReader); + object importer = SymUnmanagedReaderFactory.CreateSymReaderMetadataImport(metadataProvider); + ISymUnmanagedReader3 reader = SymUnmanagedReaderFactory.CreateReaderWithMetadataImport(pdbStream, importer, SymUnmanagedReaderCreationOptions.UseComRegistry); + + try + { + Guid algorithm = Guid.Empty; + foreach (ISymUnmanagedDocument document in reader.GetDocuments()) + { + document.GetChecksumAlgorithmId(ref algorithm); + return algorithm == sha256guid ? ChecksumAlgorithmType.Sha256 : ChecksumAlgorithmType.Sha1; + } + } + finally + { + _ = ((ISymUnmanagedDispose)reader).Destroy(); + } + + return ChecksumAlgorithmType.Unknown; + } } } diff --git a/src/BinaryParsers/PEBinary/PortableExecutable/SymMetadataProvider.cs b/src/BinaryParsers/PEBinary/PortableExecutable/SymMetadataProvider.cs new file mode 100644 index 000000000..e623024e4 --- /dev/null +++ b/src/BinaryParsers/PEBinary/PortableExecutable/SymMetadataProvider.cs @@ -0,0 +1,105 @@ +// Copyright (c) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE file in the project root for full license information. + +using System.Diagnostics.CodeAnalysis; +using System.Reflection; +using System.Reflection.Metadata; +using System.Reflection.Metadata.Ecma335; + +namespace Microsoft.DiaSymReader.Tools +{ + internal sealed class SymMetadataProvider : ISymWriterMetadataProvider, ISymReaderMetadataProvider + { + private readonly MetadataReader _reader; + + internal SymMetadataProvider(MetadataReader reader) + { + _reader = reader; + } + + public unsafe bool TryGetStandaloneSignature(int standaloneSignatureToken, out byte* signature, out int length) + { + var sigHandle = (StandaloneSignatureHandle)MetadataTokens.Handle(standaloneSignatureToken); + if (sigHandle.IsNil) + { + signature = null; + length = 0; + return false; + } + + StandaloneSignature sig = _reader.GetStandaloneSignature(sigHandle); + BlobReader blobReader = _reader.GetBlobReader(sig.Signature); + + signature = blobReader.StartPointer; + length = blobReader.Length; + return true; + } + + public bool TryGetTypeDefinitionInfo(int typeDefinitionToken, [NotNullWhen(true)] out string namespaceName, [NotNullWhen(true)] out string typeName, out TypeAttributes attributes) + { + var handle = (TypeDefinitionHandle)MetadataTokens.Handle(typeDefinitionToken); + if (handle.IsNil) + { + namespaceName = null; + typeName = null; + attributes = 0; + return false; + } + + TypeDefinition typeDefinition = _reader.GetTypeDefinition(handle); + namespaceName = _reader.GetString(typeDefinition.Namespace); + typeName = _reader.GetString(typeDefinition.Name); + attributes = typeDefinition.Attributes; + return true; + } + + public bool TryGetTypeReferenceInfo(int typeReferenceToken, [NotNullWhen(true)] out string namespaceName, [NotNullWhen(true)] out string typeName) + { + var handle = (TypeReferenceHandle)MetadataTokens.Handle(typeReferenceToken); + if (handle.IsNil) + { + namespaceName = null; + typeName = null; + return false; + } + + TypeReference typeReference = _reader.GetTypeReference(handle); + namespaceName = _reader.GetString(typeReference.Namespace); + typeName = _reader.GetString(typeReference.Name); + return true; + } + + public bool TryGetEnclosingType(int nestedTypeToken, out int enclosingTypeToken) + { + TypeDefinition nestedTypeDef = _reader.GetTypeDefinition(MetadataTokens.TypeDefinitionHandle(nestedTypeToken)); + TypeDefinitionHandle declaringTypeHandle = nestedTypeDef.GetDeclaringType(); + + if (declaringTypeHandle.IsNil) + { + enclosingTypeToken = 0; + return false; + } + else + { + enclosingTypeToken = MetadataTokens.GetToken(declaringTypeHandle); + return true; + } + } + + public bool TryGetMethodInfo(int methodDefinitionToken, [NotNullWhen(true)] out string methodName, out int declaringTypeToken) + { + var handle = (MethodDefinitionHandle)MetadataTokens.Handle(methodDefinitionToken); + if (handle.IsNil) + { + methodName = null; + declaringTypeToken = 0; + return false; + } + + MethodDefinition methodDefinition = _reader.GetMethodDefinition(handle); + methodName = _reader.GetString(methodDefinition.Name); + declaringTypeToken = MetadataTokens.GetToken(methodDefinition.GetDeclaringType()); + return true; + } + } +} diff --git a/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs b/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs index 5fea7de6c..eed7fe2e4 100644 --- a/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs +++ b/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs @@ -3,6 +3,8 @@ using System; using System.Collections.Generic; +using System.Collections.Immutable; +using System.IO; using System.Runtime.InteropServices; using System.Text; using System.Threading; @@ -20,8 +22,14 @@ public sealed class Pdb : IDisposable, IDiaLoadCallback2 { private IDiaSession session; private StringBuilder loadTrace; + private readonly string peOrPdbPath; private readonly Lazy globalScope; private bool restrictReferenceAndOriginalPathAccess; + private PdbFileType pdbFileType; + private const string s_windowsPdbSignature = "Microsoft C/C++ MSF 7.00\r\n\x001ADS\x0000\x0000\x0000"; + private const string s_portablePdbSignature = "BSJB"; + public static readonly ImmutableArray WindowsPdbSignature = ImmutableArray.Create(Encoding.ASCII.GetBytes(s_windowsPdbSignature)); + public static readonly ImmutableArray PortablePdbSignature = ImmutableArray.Create(Encoding.ASCII.GetBytes(s_portablePdbSignature)); /// /// Load debug info from PE or PDB, using symbolPath to help find symbols @@ -35,6 +43,7 @@ public Pdb( string localSymbolDirectories = null, bool traceLoads = false) { + this.peOrPdbPath = pePath; this.loadTrace = traceLoads ? new StringBuilder() : null; this.globalScope = new Lazy(this.GetGlobalScope, LazyThreadSafetyMode.ExecutionAndPublication); this.writableSegmentIds = new Lazy>(this.GenerateWritableSegmentSet); @@ -134,6 +143,42 @@ private void WindowsNativeLoadPdbUsingDia(string pePath, string symbolPath, stri public bool IsStripped => this.GlobalScope.IsStripped; + public PdbFileType FileType + { + get + { + if (this.pdbFileType != PdbFileType.Unknown) + { + return this.pdbFileType; + } + + int max = Math.Max(WindowsPdbSignature.Length, PortablePdbSignature.Length); + + byte[] b = new byte[max]; + + using (FileStream fs = File.OpenRead(PdbLocation)) + { + if (fs.Read(b, 0, b.Length) != b.Length) + { + return this.pdbFileType; + } + } + + Span span = b.AsSpan(); + + if (WindowsPdbSignature.AsSpan().SequenceEqual(span.Slice(0, WindowsPdbSignature.Length))) + { + this.pdbFileType = PdbFileType.Windows; + } + else if (PortablePdbSignature.AsSpan().SequenceEqual(span.Slice(0, PortablePdbSignature.Length))) + { + this.pdbFileType = PdbFileType.Portable; + } + + return this.pdbFileType; + } + } + /// /// Get the list of modules in this executable /// @@ -348,7 +393,25 @@ public bool ContainsExecutableSectionContribs() /// /// Returns the location of the PDB for this module /// - public string PdbLocation => this.session.globalScope.symbolsFileName; + public string PdbLocation + { + get + { + string path = this.session.globalScope.symbolsFileName; + if (File.Exists(path) && !Directory.Exists(path)) + { + return path; + } + + string extension = Path.GetExtension(this.peOrPdbPath); + if (File.Exists(this.peOrPdbPath.Replace(extension, ".pdb"))) + { + return this.peOrPdbPath.Replace(extension, ".pdb"); + } + + return path; + } + } public void Dispose() { diff --git a/src/BinaryParsers/PdbFileType.cs b/src/BinaryParsers/PdbFileType.cs new file mode 100644 index 000000000..2e8749a77 --- /dev/null +++ b/src/BinaryParsers/PdbFileType.cs @@ -0,0 +1,26 @@ +// Copyright (c) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE file in the project root for full license information. + +namespace Microsoft.CodeAnalysis.BinaryParsers +{ + /// + /// What is the format of a file. + /// + public enum PdbFileType + { + /// + /// Unknown format. + /// + Unknown, + + /// + /// Windows specific format. + /// + Windows, + + /// + /// Portable OS format. + /// + Portable, + } +} diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif index 59acfb154..60748828d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif @@ -639,7 +639,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif index 94d0f35cb..00096bf51 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif @@ -662,7 +662,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif index c63dd8738..c58554b0b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.linux-x64.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -654,34 +630,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1294,7 +1242,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll" + } + } + } + ], + "message": { + "text": "'Binskim.linux-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif index c7216bb78..89a865ad3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif @@ -639,7 +639,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif index b520ca9f7..e7b0f7b2d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.win-x64.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -654,34 +630,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1294,7 +1242,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll" + } + } + } + ], + "message": { + "text": "'Binskim.win-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif index ececb894c..43e6ae227 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif @@ -662,7 +662,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif index 1db877190..8599c940f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.win-x86.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -460,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -482,7 +458,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -504,7 +480,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -526,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -548,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -570,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -650,34 +626,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1290,7 +1238,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll" + } + } + } + ], + "message": { + "text": "'Binskim.win-x86.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif index 8cbcff850..123574a2f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_RTR_linux-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_linux-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_RTR_linux-x64_VS2019_Default.dll", + "managed" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_linux-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -654,34 +653,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1149,6 +1120,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif index e978ff182..364f05ffa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_RTR_win-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_win-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_RTR_win-x64_VS2019_Default.dll", + "managed" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_win-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -654,34 +653,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1149,6 +1120,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif index d17c2fa58..3dfbe7ad6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,7 +61,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2015", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,8 +253,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotDisableStackProtectionForFunctions", - "image is a managed IL-only assembly" + "EnableHighEntropyVirtualAddresses", + "image will likely load as a 32-bit process" ] }, "locations": [ @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2024", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableHighEntropyVirtualAddresses", - "image will likely load as a 32-bit process" + "EnableSpectreMitigations", + "image is a managed IL-only assembly" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,8 +301,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -389,7 +389,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 16, "kind": "notApplicable", "level": "none", @@ -397,7 +397,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -413,16 +413,15 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 17, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "managed" ] }, "locations": [ @@ -650,34 +649,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1063,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif index 721792338..72a87c1ac 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_linux-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_linux-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_linux-x64_VS2019_Default.dll", + "managed" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_linux-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -654,34 +653,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1149,6 +1120,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif index 5683ad619..c7a515716 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_win-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_win-x64_VS2019_Default.dll", + "managed" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -654,34 +653,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1149,6 +1120,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif index f62f7ff5f..90ed2c3ea 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif @@ -635,7 +635,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif index b83dde9e1..3775a8cdd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,7 +61,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2015", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,8 +253,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotDisableStackProtectionForFunctions", - "image is a managed IL-only assembly" + "EnableHighEntropyVirtualAddresses", + "image will likely load as a 32-bit process" ] }, "locations": [ @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2024", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableHighEntropyVirtualAddresses", - "image will likely load as a 32-bit process" + "EnableSpectreMitigations", + "image is a managed IL-only assembly" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,8 +301,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -389,7 +389,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 16, "kind": "notApplicable", "level": "none", @@ -397,7 +397,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -413,16 +413,15 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 17, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "managed" ] }, "locations": [ @@ -650,34 +649,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1063,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif index cc040f967..58b6243cd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "ManagedInteropAssemblyForAtlTestLibrary.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -460,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -482,7 +458,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -504,7 +480,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -526,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -548,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -570,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -650,34 +626,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1290,7 +1238,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll" + } + } + } + ], + "message": { + "text": "'ManagedInteropAssemblyForAtlTestLibrary.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif index 1bbec448d..32d50b831 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "ManagedResourcesOnly.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -653,34 +629,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1293,7 +1241,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll" + } + } + } + ], + "message": { + "text": "'ManagedResourcesOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif index 6c743a20f..46809b189 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,7 +61,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableSecureSourceCodeHashing", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2024", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,7 +253,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotDisableStackProtectionForFunctions", + "EnableSpectreMitigations", "image is a managed IL-only assembly" ] }, @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,7 +301,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -389,16 +389,12 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 16, - "kind": "notApplicable", - "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Error_Managed", "arguments": [ - "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe" ] }, "locations": [ @@ -647,34 +643,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1058,6 +1026,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif index 9ed3260f7..62145310a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_AnyCPU_VS2017_Prefer32Bit.exe", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Error_Managed", + "arguments": [ + "Managed_AnyCPU_VS2017_Prefer32Bit.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -650,34 +646,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1060,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif index 6baa90f6b..7d0e4f2c8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_x64_VS2015_FSharp.exe", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x64_VS2015_FSharp.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -460,6 +436,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 18, + "message": { + "id": "Error_Managed", + "arguments": [ + "Managed_x64_VS2015_FSharp.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x64_VS2015_FSharp.exe", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 19, @@ -652,34 +648,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1116,6 +1084,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif index 6c587f2ed..00ec8dc24 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_x86_VS2013_Wpf.exe", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2013_Wpf.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Error_Managed", + "arguments": [ + "Managed_x86_VS2013_Wpf.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2013_Wpf.exe", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -650,34 +646,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1060,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif index a8ee1471b..e8b058a11 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_x86_VS2015_FSharp.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Error_Managed", + "arguments": [ + "Managed_x86_VS2015_FSharp.dll" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -650,34 +646,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1060,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif index ce3e9582d..31062f18e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif @@ -265,8 +265,28 @@ ] }, { - "ruleId": "BA2005", + "ruleId": "BA2004", "ruleIndex": 11, + "message": { + "id": "Error_Managed", + "arguments": [ + "MixedMode_x64_VS2013_Default.dll" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2005", + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -288,7 +308,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -311,7 +331,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -334,7 +354,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -356,7 +376,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -378,7 +398,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -400,7 +420,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -422,7 +442,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -444,7 +464,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -466,7 +486,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -488,7 +508,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -510,7 +530,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +554,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -846,6 +866,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif index 5182adbc8..42c266a3f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif @@ -241,8 +241,28 @@ ] }, { - "ruleId": "BA2005", + "ruleId": "BA2004", "ruleIndex": 10, + "message": { + "id": "Error_Managed", + "arguments": [ + "MixedMode_x64_VS2015_Default.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2015_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2005", + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +284,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -287,7 +307,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -310,7 +330,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -332,7 +352,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -354,7 +374,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -376,7 +396,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -398,7 +418,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -420,7 +440,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -442,7 +462,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -464,7 +484,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -486,7 +506,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -508,7 +528,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -532,7 +552,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -813,6 +833,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif index 07f6987e4..df92e84a2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif @@ -195,8 +195,28 @@ ] }, { - "ruleId": "BA2005", + "ruleId": "BA2004", "ruleIndex": 8, + "message": { + "id": "Error_Managed", + "arguments": [ + "MixedMode_x86_VS2013_Default.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2013_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2005", + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -218,7 +238,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -241,7 +261,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +284,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +306,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +328,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -330,7 +350,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +372,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -374,7 +394,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -396,7 +416,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 17, + "ruleIndex": 18, "level": "error", "message": { "id": "Error_NeitherHighEntropyVANorLargeAddressAware", @@ -417,7 +437,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -439,7 +459,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -461,7 +481,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -483,7 +503,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -505,7 +525,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -529,7 +549,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -757,6 +777,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif index 79589d5d6..030986fbf 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif @@ -195,8 +195,28 @@ ] }, { - "ruleId": "BA2005", + "ruleId": "BA2004", "ruleIndex": 8, + "message": { + "id": "Error_Managed", + "arguments": [ + "MixedMode_x86_VS2015_Default.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2015_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2005", + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -218,7 +238,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -241,7 +261,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +284,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +306,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +328,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -330,7 +350,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +372,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -374,7 +394,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -396,7 +416,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 17, + "ruleIndex": 18, "level": "error", "message": { "id": "Error_NeitherHighEntropyVANorLargeAddressAware", @@ -417,7 +437,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -439,7 +459,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -461,7 +481,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -483,7 +503,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -505,7 +525,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -529,7 +549,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -757,6 +777,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif index c3e0ca30c..6dd3b5335 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif @@ -905,7 +905,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif index 05c393893..f063f7d9b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif @@ -874,7 +874,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif index 3e0e1f9bf..5dcd44991 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif @@ -850,7 +850,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif index a3cec5bcc..371b779bf 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif @@ -1109,7 +1109,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif index ee6d53c43..0aed6b0dd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif @@ -820,7 +820,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif index db4fe0e81..f34efc0a4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif @@ -819,7 +819,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif index 8ad7f8c9f..7f214dc4d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif @@ -819,7 +819,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif index 0c43a92af..941e9f715 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif @@ -907,7 +907,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif index b0afd9e27..c69b11c5b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_ARM_VS2017_VB.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -460,6 +436,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 18, + "message": { + "id": "Error_Managed", + "arguments": [ + "Uwp_ARM_VS2017_VB.dll" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 19, @@ -652,34 +648,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1122,6 +1090,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif index 46e386bb0..465618e06 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Error_Managed", + "arguments": [ + "Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -650,34 +646,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1060,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif index 45099b0eb..12a1e2f0c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif @@ -852,7 +852,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif index 338193112..a6d9a7f1a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif @@ -874,7 +874,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif index ba4f2fde8..b94dd2d06 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif @@ -852,7 +852,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif index 3a92429e3..33050b7e2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif @@ -662,7 +662,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif index 11c799565..a580b33b9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif index a3ef97edc..3382dc785 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif index 52cf80455..425845a2e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif index 1c1d8a036..a0fadbe0f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif index 394b2991b..5b602bf20 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif index bbfeb49ee..a236a0a31 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif index e716bcead..fa093a63e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif index 138c1311c..4d8b4222d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif @@ -669,7 +669,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif index 848a77d04..9ee9b6394 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif index 90da0b741..8872199ba 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif @@ -678,7 +678,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif index afd9285ad..b7785fb33 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif @@ -669,7 +669,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif index 9b5f9ebef..e7ce2077b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif index e9a102115..f7379eec8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif index 31c099bae..d98e92285 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif @@ -669,7 +669,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif index b88c0313e..79e6402a2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif @@ -669,7 +669,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif index 46b876b09..7b320d48f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif @@ -670,7 +670,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif index 9d72a33fc..8488db808 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif index 582f6f7df..8df883767 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif @@ -665,7 +665,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif index 3b8bbae0e..05fb48197 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif index 782b6f21b..5e8bfdb5c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif index 8ff2f04e1..830655504 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif index bafa0d52f..f22c75e2a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif index 702dbfb55..9320916ee 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif index c30b5137f..bb6613f3f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif @@ -665,7 +665,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif index 5c3569f84..fdd1efa2a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif index 38b3e16b5..2c9d57081 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif index 448a79676..d8b20305f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif index b20eac785..ba1ba52f0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif @@ -678,7 +678,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif index 5654a09e1..2dbf4e9b6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif index 7d21ab81c..6da9e537e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif index 4d62be53c..e2bd7383d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif @@ -665,7 +665,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif index a2028fdf6..7ebd61fa3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif index 7ee0fe13a..670fe21a6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif index 7cad2e375..99a9595bc 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif index 76d3b1840..356a7b47c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.exe b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.exe new file mode 100644 index 0000000000000000000000000000000000000000..0ffd9afd98d6787b740e4f1b31412d5724985e4a GIT binary patch literal 5120 zcmeHK-)|g89sln6M{PHDlaz!eZDD#&p*8XPY+uq#uoM3{Cmh&`lXKkA9&+~f=FZ#f z?OtbguRcJ?6#}Ue4?#kr`~gT*L~4a9s6dDccn#_cJhf8WhYBG?dFT@l4WF6ay*nqt zMB%BZ-}8KDzCY$W-ygFx|bAJ6|HS?yg) z)BQ$Q_j?HX8T}dg#jci1zBgP9Kwz3cdFQqVsAz zM>Nwm5(`y#g=h~t2ECl3?-p3(exg1A`YQ>6-VFFwfPUsaAcm%5js3<*1HT@>Th)ZS7Y?2j++tI#e_|pz;b(zNM&-N{r}_eJXb;GP=^L zbnXU*Xe^z2;sI5+v4!GS7Yt?~sPCsi<7ld%ni|i-$OE*Dsr|(1eWRcLuJH|xzhNlOlNv8*{B6y@ zK*O*wq48^)^J97)npaYP(ThB)SB&zqm;Qv6=i!Axt4s-gNbeYFnUmOUdhHx3%U3-KuT2uqwQ6iK`teYnG_-;0%s4{(|2v zNambzT)xhQbbPNfD-kaGUe&3E!V2yv&U0xCr?FEAzZ;ILXI$j2wWUY$cH650IkAJ= z1&e;8C7jyk9Yytq<+VCy#bW3A&`al*B}BsMwMLubZ(EGfo4(UV?M# z3Wzmm#d5s1Hm|zeRxy)l2fj%7dB>`Gz6=~&CalD8!3((X8$~Xfj?HfqM;YUyEswSX z{J^$>I!Y+%eEB)78f~^8yz}Spj=Vg!czyWkgKz)itug9lhB45?$mqjh-#$f-D3lub z)i+D)hqCX!)JKN#=*WPfk6)tCsSkE7b?|9nHO~3o(w5D28P_(2|AI82cc1>&nL!Wl zl0_VXTJ5t2?QfTj{r(lkrZQ8Lgu{i7RHu%Wb9OZ|Ue07QUScm5*0)Qh`rmS1vR?73<>3 z(j|%SrNk?qb=9heCFzI4<|V-!zAWL3kv_i7M&o#Cm&BF)@^d9!=H0Z+Mx{)H@dc-x z8%-V&-JZtdLG-+8oj2v z0*r1gY>VwKCWd+!-^$c{CE5HB`ZKr;uFVl$?}1Vb*L$)Ut>b3d0A8Yt7!~kBI|sS| zd?tFW(QkV{{5V=ST08OKbZkf6Gl?W-QC{=b$sz$e4&EOeHa)76uT_qanzaV01+IkL zq5yh6s0d!`-2-27JA*GE@u+qOOMk_OVo;|2%TgI*qQl@Cv%}T~);$8P#Pd8XNV2sbjU9fj==m0W<5WT3JoEu&@qXPvtRdoZG2*m^wgDTP z(8p;59|yYZuR|&z?ZiKcn?2KR>Y2%)uQC{DT@QBLF0b#+4>R^my-D}O{xayAwyZMO zpq7rf2Cvm|emjrREAWfqC6hr@agD)Bx1FfM71*uAuE3imse;<8DyH-C8mhu7rX=Tz zQk5h6Ut_zhYq^SbeAFmJ9fPjS-K%{8-lUn$d%3HjOJO&A4a#72L+N=}T*8#&c;V1Iw#euJ7^Lbc@UM z=~Kf)!$UJx{5oSW;mO%_D7=%>-o%Scj@KPq_|mTi%kafZDWNB#}g-L?eIxmlWFGR&YMlIv~bzDj;-HWrqyVqCn5`h2xU<4s{UR2GnLl! zu(srOD6nQsgCqF!A^hZ(RpB)8Vytm_msY0}s|?VwgS*KN)gx+|H@VAPg=f>2EO<@- zDi>)MI`cN(N=ReXawU(0(ncok;7#KC#17wQCfZ4W!puZcp;Jl4KkYy98DP=>=DDXn M@sWHQz&&K(-(w3TEdT%j literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.pdb new file mode 100644 index 0000000000000000000000000000000000000000..dc5a353d8d827c7dd51fa211474743a1b97fee8b GIT binary patch literal 19968 zcmeHNTWl0n7(QESFVI4_V!2dt!4kQ&dug}O5(VmRtBtG_TTCPy%IxlJS-U$^XJ&!M z2a6>7;3YixfH4@2Vgf{o(U_=^kZ4HsQ4C(t7gQ3B5o-+giTZzYDFfDxq?65ddj8G7 z|GCXM|K;4~+l^(Cimb|M%@+wo*01-)`g?pE{lQ@E{N>SpMpVX_hs3?aN0294Z3zDD z1`lk%T6uPo(_HmH2V)a+)pl<8vf+1c%Hmc8*=_rtIJa`{W|;Vnjf z!O>@TdDG{;XV%d~sp>uRTf@@H-6!f|&;2d;CJ%-8EH?MROK;Wfx*)!mYyR%}ciMNi zCO+L=QSFB9(d{-k75};8NoVx$<`@hqXDNcV*#h>5*ixV%WN4a+8 z+7;mY65;$TvMIh(6%{ourX*ol$mQdzoL7=!ToFfPH6D>ARnCfCBO@E)F+mcB#MGc9 zYT=H-bUvFM6c31l>Rurf?^EOUy37^ma^!lK4k;-oo`^@q zM1Cmlf24b$hx8Tq%gS)`V`P6umhRsd_ILQZR8`C+vZGy^reqR%O;ll&LpDK!l%WB6 zF+HWhKD!2jsey2V1`hdv0yQEkT1HgkmZiN?T6WMzikmfpWl6>yVF69J6EyYkD-&km z+r$IJYbaBL*?1FG-jwHACp^%2Dd_pe))69cD+Gj~f*8-$nh)wxq%`^-`})VDakCzg zMx97(5u&|@GH5&Axb!00VkV$1>g;VXE3CGe}{!v)Bo@Q-t+z<2K)oR zgWyw6bHf9Ozn`u1!dlD&kbU!|set9JuWuF;G7_a5*gP+uJ56l0#gv)Pn!G#vM^#PC zu@%?T{)n8-ib;)5Rn`BXD2YlY$?9$O+cMIV^!N>B1L6SDuKi~4}x%VHx(0h7yb=fB;KiGrkVk}B^jFppO&=vC=y56SC3ic<-ATh{8 zAIlENCcTtSA;!jF7wv0f)npwQKB^){IS6SVahP~E60qLo)q!#N2YcvBlCZ7alq6yY;O$oAO!!EQ-YMhE-kj6^$dJzK5UV-NM1 z2S5W`Yby(G2!cW`bdIsTyV5Xj6!!o;;G;7iYkNAf?gqHyR8c#e)pP8;hUu;*#CU&o z$b+~pWHm1>VwY2ObQ{J!*GJq;+-D1V1Lc(~jNLhKKw3ba63HA_4 zTUUB%0UXh9;)pEL6YT76>yDV+O!Ytgcr{b=c_}@B`@Eg*iwe?Emfj(vax$M2B~4w| z+S=9@ZcC(EgpT&kmT*XDYv~LogDst@v=9o0(jlR!=dkgkR|&<<+|WR*ddF(4?$8^}+3Eo0A+bO_;_0m|u+1_dxi=SG-vg9Zg2I%E{7@#lB6R5^{+Sx#e_*sB>5`J{T}lHRUPBD5)nXr|w^93Ms^3by zjq=#Vu-{^MoDoZip(@@RfeSAr#$jry3AGmy19yN9^~84&FDAa7m{V~)V4UT}8Hj58K_&NUnpYaD|;cB|&Klhe2qRcq{dyBIb`0ugHeW!pC{&BKh z4sZUj`_$OsWqWq)lQ{l+3QHEqU~hM literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.dll new file mode 100644 index 0000000000000000000000000000000000000000..7952d2ace995d1e93b8ecfb80759a25d394c5b95 GIT binary patch literal 4096 zcmeHKTWl0n82+a>%B@^PZXymX7(qJOwoB7`!EJX7ROrR-Qc*W)XLnDx1G6*3%q(<` zk@BF4kp$z5iElm$K4CP1Ccc@sXd3LMM?Pz!kC$HFc1byOd0T4I@KndO^R8Y{ zv$|#3zM2uLTeMWeQWHZ-wP5FjwsPgN?Pb%$eME#E7nQBId(5(F)M6 z?;z@$&%4`P4cxDYG-7_BGC{BTV#-JV2Rp8!aja#(F_NGXjccywW-*h##W3JPEkg@I z4Bl(5Fl`93uQZOvwwlmF5F_dhP37=M&MSa@tD$;It3+q&i4-Q@2Q=3_wu&9x1>N4{ zv%N~$68m)`sztPpNJm>Y8?Gl4_#75$d6j4#{7s>?Bz@Pg@*Yb}B32H!<#3Wr47iLf z`w#ag(7(cS*6lUz4CV|_SN5+XTFR5(l@3}T#KC&tNl)OMObf>s#Q32S^bNE^*;>;; zC5dBnLs><8q1Hf?^n=nsHzoc~;&Fv3yCv?E_>`olXa@9li9eE*cj+Ba25K(LMO3WH z>+)|kZ36C*<6+5oed9IAD)9drd|CtC0GVsbGTI5en%X4pmbgdaeuz>m{$;0}qOlsGQw2k9i}NlAH0;w+s7aB^{I9}*Zs~cE8?%HT?HZdXn&y}{skc$w)IG0_o*J-oMN{mh zf|s>j)5y^NqLJ(Iu`4n~Ur<71iut^rF~uw`ZWl%k&zM8&@jOw;n5C5AhefMoSI>!p z?jD=9lG5G0@b}^75-062qoT9VFvX~FJ;SzUwJOZGZA}>YqO1FNWG94|bq!}O6Mj2} zDK$ofsZYs~x6t;mi=1Trg^alElw2b}c}G^k(XG;~&PdVnje_7cu};P?4L`(9mONh+ zw6c&^4ig8F7O9t(GffJ#%AGbMCQOm#5J}7Wwp*bm3_Wkzo^NEm3aPSAzvTqR}V~z9q<3y`{wdrAO5NN`(LO|Rg}hBm6Uo6 z)~w-a6Qi2Oi!Y}~H$|_!(WuBvmuM>=$5hSw=Uv?yw5`6WtdNyTO}h3;Pl4PLd3v`f zv|*8S;5w5c8x&ewt%~}^c~xzXw6_uMRA_s9uDgAY-W_f2?C#pr8jW^$wd&myk=BW5 zwlk8`yY_UjaN^fuFTW8OS|B7)4D1vVR(+Imjve`h{j}}7ZLl$tx;mu8f}2DLxns+EGdo~rey9s={^uzCRU+CLyrM$U^8q2k zhMW!&F=T4+b~qBlyCL*`I#U}3XB1zKG2lKL!KfcEtwGHDf%gTkF8aLg=3jxGz*fcP zGi(^Z-x1!gVMt)2z^YCz>=<}Q2-vh}f@~?aU23Jk)j{>Z*U5*RjadK}>TbZO0-tWUqZCHlq-wS5oB1Yu9tuX zkFwGaXO5o(QeTH}f^x{4h2Ezq-l1cNwTQS(j6A$gbi56?K8+!}qmXvNosGKk9a?1c0_?hYgH*E4PhO5?sJsSOlw+yv4xVwPi0(J0VOg_b*tZd95%uyz znYvfIger2a=GvQIvHA7tk~%$z+LJlRAi@$d_D^~UdvQ>M{~3PkTwLUT&c8PUe*-t` BZF&Fz literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.pdb new file mode 100644 index 0000000000000000000000000000000000000000..f0bd65e04f198a8880c5135c0efce19471320db7 GIT binary patch literal 15872 zcmeHNU1%It6rOF>G|f-5wbYpSvy=w3>CWzEx9uiqW87^>sGC|+`yhjHc6K&hGdr`) z?6yWKQY`gN@{mHs7A+!bg;HM>g+LS)v0}lZM5-@76qI5Jl-Q@n^UdtEV@#G}#%?mb z2hQAcfA*Yv&bjmR-Mgurq-%zjEd~;yM02!H2^QYg>|o9MLL{^HK3I@nO`7 z9<&N}^+E*R>z09#T7s~%SdIC7_|0Nq?3YKjI7RrAU%m1>?m)jF#-+yjLbYZALn}vL(Zp_(Vk*a&!tO6*?=!DxB}}L%R0p@d&Bxcr*(>*Xbr*bp zTGtA)Ud+jcV0+lFW;K_5E8Ns>dyp$@uPfgU15}=%h1Np6hh(g|lf<(S98}|wnfU)l zp!K(~Z^~h2UOF5-3yVOA_YmWE_m+ns$B&Q<-7~GtmjsfLYpenE$yC~ewP25Z>*}X% z7zdsfp1oL;&CUSBaa65qA)B1ww2Yc{>8w>uISC z&3M~O=G|fuK>iQaMtr!{>$&>Z8@S7vMmqFAN_9LNz)#G34%|;|9QWs>Sr5Sx1H{&jB5D>rmK4=tC8rK2HK~-B)uOSbqazxPMbnv}7~j?zj77v~urn-$ zgPobI7zszR5wUaIPHsoY*Jo zTfYDNB-@zyZjx71JH~)9{w3mC;!VVBh(W*Xjh26H)hk`sQD=a7ihhA}z&6?kGS34^ z9w!;t5IDPNu-|4#L1 z!e&s72(bO1YD9hc*u?vued8~meBADtApZ>i-{O&$3kaOy|J%L7nY~I8VEDgMbiCgO z{Qs42=3@Xx{>-NHJJYZ9eR5^=$cwY@|H1ITdHC;n{C}8o|6lPx@M9}6@ITHFTZo|X%?-$!hnA&|hRsu6ggs@9ot76BH4YDVC1G<|Qv literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.exe b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.exe new file mode 100644 index 0000000000000000000000000000000000000000..26407d01e7ba734726c479223f4e8ba92721dfe0 GIT binary patch literal 5120 zcmeHKU2I%O6+UWkt`5?MVM7)nV#o|ti+k9dCc+H>~fw}eVb=`db$T<(<^gC7mYUh=#SUm zOT68rG~I2C5Osmm9dW<+74!^k3QZw~E)~U%5p^o0U>6O11#PtP0?`ru*X(05QlW9! zT~^~MqGH2HEL7bF(dW>ee2A!^=sN`#g`cQ*fqpC@&}Txv6QaLz7Z5{JYmMW^NCSiS zjF7?trDL1Ipd}}uG)y7-jNq;hMHQ=xS=&0Qh$c)Coo`an$W?g-sMu1}K}AONPKU}} zij0=DDxEulZW>IdzIs^IZSZ{l@$-hV0#I>n=Q1Oi>_~R>wBmG-3;bJ%`=3L8vGxG1 zKOYLmt4O8s5;mpUm;I}G`Y8seB=uidU6@7x3TUS0o_GBcXa$&VTsTH_ND==svUD#P z7^-=Y>85BzN4;ojtQygeji~RW9wV3Pq{|vlQz~_s3YgkS4!v)5(qA>cp|NQw&XC6Q z8t-cUDjkD`tj5wJf=%T05XCKi3W=JK;tm6k7Dr$iTO zjy)Y>yOe4nr&(UARVr#ulQ-j6*Bt5W;Y~})t0lKyaKcvA23wdmubN`3X{BI_3J>RT zr159{RzWgn-f{UF7t-;)=Bz|G<9lVNQWIu)Tk$NHmT-c-Lc|?7uAXs;yXKA_$^Euh z1ae}9`vo(8P!~>R^R}XDV0!iDoJ%z?bgEqWgrAb*I$?|SfU;yzAIjHd$g7#yP$o_V zzG6av>MDpeP-DkyX!EkmEwygSSfMWx{;XqGJYR;6B@ z(U3=50&!sLKpkb2v|M@`UZZVyss8zpU(9uTu*c;av8yguLC3@JPfz#!ZJ)X5687h}Y%0szF$Hs@ovt#y< zRkBWv*d?=+%a(A|!s{qbTKtF>3_6}!nkzK6@5#74lQ@mX5q$6G8=_f92Ci9O!bU%; z=CFo@K{v|TUmmyLBx7+!ok>^Gc5yH6syitLwT64p)V0zF)Ta;QScp!Y#jS8DKb!xj z(Y5T}?3}v#(BMygv2^&HvN3a}xGM2Y6}j!1TV}OZlzvTEyeN3!%Obui>Ertif>Xr< z5?l03PZ#x8I7l-S*d@w8Ha+&pDT-s-xDm&Mbzk^LaOm&v)*hIA{%`O7a3j7q)mkpA zF;k=ckle44WPQdLb30sr2l^c2JY&1+9>nYG%fzPi=>LaOx;_jgy$?aGpx+xybZcQN z?BgrFTbSTP`kVVidZ$wnm%)`OqPN^OLTaM<*yOukkeAT_H1sR^!x+@uhCKBx#@ zX+McraXW)AAn~Yj8%teUXM~bpj!GC49oPAofxRkz9J51si6Gq~3$*__R%>d#ScNvR z$&7}-Sy+%{={SNtaW3llCSv1cBX1u1ka9GRaRBcEl!=(s`q$BRbT47w#9M+8Ygdb( zHAn?KHS;iv8-AqG2=fM@uQC~GT@QBLmgqlOJefE`^+r7kKNmq)vRfa*E}6-1$q z_5D0X*N``cm(2*8THhe7wAzU(Zo_UBb_L!rNmcMB)oWXheW;47wI#bpQL2)7zF?%N z|1RgvHE!q{ufU&=+SO3suqBh9)DK}7sM_wee`|$rt?#&=GmWfBog=k#>WK58c`iP< z_YEW`h7W%I`oy`Ns>`;c$I@gP*HoHu&+={D(v#`c!u-&9n#s`gY}55UKAEm_nLc;6 zr@NLTCfE^`&0Oq+7S+xEA( zNVA$VZQ%`tG?qOV literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.pdb new file mode 100644 index 0000000000000000000000000000000000000000..3644eae6a0e7a2d8a8733d422e8ab004e414ae14 GIT binary patch literal 1372 zcmZ8hYitx%6uz_DE-kHnNU5!aSS^Ss9cSAu9STbKQI;0^+^sROVV%eAcG}sQVP>`z zt)!g=Y7A)#2Em9CHEKac+XP4`NR3G=F$PWlAU=XW{MQK52<@Nhxx2HZ;U?eQbIcWI)_DKTA2#K?G%zc_fgwmmE%1;LJd>(}^sYCt#k2nL_Ic z1!gB8B}HnIL7|flVsA)BHh|{&q(A-0oLf5o(~(5uJ2!Xm2Pb#k$O<+cP_jFBpS$@( z!KEJak-6fM|Mr|MXd1q+HV6sNs|$SF_URR~g`*)f)$+09Lo_%cs4-2Fv0l-Kbwg4W zR7JBiQ&CM?Pi|af<+HsQ{xdUnJpfMWf>8(VwYRsSe~h=W>}76+yX0zNamDi zoQq=QFGs3oN-^m*&Lol|=Ht-{O^zE#k1G(s52|^fny0dwfjv*BKZw=PRgl^xDHsLn zeI3C~;dZaT9u18)NrJ8#YL`j-L*1ON(V{Fvvof_)o#+;HeBr|JHIKP=4HdG7iu37< zF+)&wS>kQln+lGinKLJDn?5}>5=*4CBDguCnw)7zm{i{nz2dm zG|hA;4y#ankV4b9&(_WSJQO^)xNy`zk{GesFURENUs#ui#KO7R%Xfl-V|yImwcYtq zTt?h2DSMZH6Et|Q`On0?w(o=A%*DQJd4`{JrRa~_S$-+ky+%G|1u3hUvLwoiQ`V5fUz^!szyZy|qQdoZvAD}n?GWKfP<|mps1Bow(cMzy5w;ek=!W8sXqKU6K@PE;qh78R^8?>+kb zX@70(m)}1L=^Ka6toxO`qlR@;!bW~tt3l~fL1op$Dkl;j6%FnidGShb?d$7GzW(#n Nnm^XQ^3-@E`X43osdfMW literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_sha1.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_sha1.dll new file mode 100644 index 0000000000000000000000000000000000000000..75920010d2a1f327825a28fd17865c991f44f484 GIT binary patch literal 4608 zcmeHKTWl0n82+a>N`X?KA{Ui`78GnZ?RKdxUg%|8TIkJgTe)n~&hDOW2WDr+nOW#+ zGwRYrh~`dqf#O&L%VyIXbw-N4v8znS%|B5d{a$dt-iK%P8qnib8JR;Rok)B zj+RlAnrT{|nh>g!HC5eIqr)*ZW2HoB-MXs!!1PED(STA)wYk{)`PFXFE_IF4L{te5 zH_+k70V-Mt8c~hxm-v1&qk@6yEE@Psr8M;xtMcE%GZ-=p^yeO;VeWKbDNe#tnj%^Y z-ksenhH6tlf+2+)`1QOT7_0b z9q>Nn2*ZLR`$|)2Y)i(CXFwf9UHN|g*}!=Pv2P_*PH~m!<8mT}nfF1vN}gEH4(`L; zuGrx&C9uSPosNW>LM=@#&FyTsoDAT3EL8U@Q7!z9qt(ScM>o?hYuKm(kF-muo_0)@L74Y+CrGjot{6S($VNR38eu-~L{!v;53#}3_OU`HXDKy7Rew2&U zV`cV(e>L6t+* zl{Lh3lyQ@mW9SJwl+{z69(G0|>j{dAL^hq~X$!n=D>I?H`XXMZ>xxXm$c^bFD-i zA^f&=L(Ui#hBhmE?sD5B4sw$8mJ7NqJLl->nR|*dwr1uQ=8R@dPtOQm6YC^&L-&fL zv7GCPOejza1!3Yau2i#7$}q^E89YLxV%iW%4wFJj&vNqosIH|=%k}i6n`hNh>% zSawV}r}d;*CiasgoPyln0dNgF1?t0zlUPvhu@8Uxd_Fq+YyaHzC-a@ZT$-aYRZ%KS zRZ_~)*|33!)eI$-mtTrcY>nJFSE&S-%wv2k$4WN8;Ar-cW%kS_g{;=tjANZ~73i&! zr&v{J`%2rG%B9-F3T-S@NB#DKs)n1w%|v?@s&8-K-N?%IZy8^S)` z$aB#iU@g5`Xfzg$9ecMS z_WSMc4_}HNKYwD~!FjgPeIP#W;=sg3%G6G2nQYv(vQARO9bsE;97o2ra5!zdHNHYh z<5uEiTo!#Lt&p8cP^_;ryuXzKU#jxHaJ)NS{~~o|^GENLU%r`8gL{u-Ilz6Dd&?<* zKl+l%Zp(=p#-OH~{>w=Sc>q{?cQ&sfmYu0C@i>?lz!NY z{2Y|?HTWhdg}j+~dK95H^lhx}V5Gq(j(-w1W-!A01wK|5*`I*afpj7MX58FOg~p$Y zD)c#np42sA$0+jp{`?5RX9GXp9~)tR0JhW8GH1@FoQyaPuldcroTt(S_@z=9zJ_I7 z`(UNmj$h#v>}Fus!8b|13IwYh({Qi`SD0hU=bT4eIii0X+fiA|5v*e&-Yn|q6=m*z z?GviZHC$|WX(gA|u}#kDL>63`6W$p)1t_rWi72}#1w;#?KoSu-JxpOC)*bKoUQ@gbeYH9W$3(^xm!gM zyR$+~B(-9AMSq|~Qz~LYLP>13Bu%P~F>3k;Atw66Uu*(Ogkntf&UThG+~mwT_dDM? zXYRRYCQNsR%Rm`0S0$F-Xn5nWk06TxC?XD;ls%(E*17y-CM5i}iU>?xZaOxhgaAFSPW2MF5jU;yjV z+Kky{U^C`kDnUi1e+5#I^10+tWL)R>Zpw$*$zi3)jAPf3**-E!5QhH#q6; z8ojG@aC!fpCAM$d{F+72I1R4!oV9%nMlN!SqzWR`nuejK3yKW35EMZ+wGho@E9obE zOjlN*a7cX^W$p%<`xp)XDR%?FFiCBBTpdpaaqziMH2JUa{#4u7Rrf4rltBz( zK4^$yuOTR#{nM>jhZ%bYfYfI{_D_xf75j3g&i>~7LjUU6mDi?=%yqzcVb+rw2y`F$ zux|9~?BAy><_hWgBB=%}b9F~=AFmBhH$64|LH$CNMe2r#Xh*2ji6aUwK2iqeZ%zik z{W%xEaBu1T$XI^NV(*f~)h7&A0p3$soVgW`9vigH_1*e`Uq#$0$op5H2{(8@`t#zQ zzVG7S6r?YDo?#2NNSiaEj3@gHvzL)X2A|j*fK7!LdNh5A_8okDDV~>$GG-J$r{`2+!`Vvn*=6IvE zeU57RBzGeEo?T)0Iiu!qkwkZFV7tah@Kr?{YJ6#BmR}q;$19}kP-4XcA%uSdY!*Qs zS9tWn3bV$XvEX&DL3bW`?o6aj`sLS8X{{l5ZqxOLdNoCb8WNyhUCPxVrxl!K-2++j fPv=Rm>vTosX@MHN;p%y-ed1*Ibz6fUf35!m-}!lO literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netcoreapp3.1_portable_exe_sha1.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netcoreapp3.1_portable_exe_sha1.dll new file mode 100644 index 0000000000000000000000000000000000000000..fbbc7d02b03f8adf9d0c08d8e4dd7ee4be0df7df GIT binary patch literal 5120 zcmeHKTWnlM8UD}u5@(G~LN7`wl*zgmhbG6~I7w4uC+pZwv($DR?s_V07$Lo`v z8#8BJuc)X6f+rr*C*T29NIW1O+9E)zC>4)wB`RL1DzykIfz*qtrc!z8L(^~OoMW$R z2mBCFkvi-7&-|D9=bQhZn`a-nLLEfZiF)lC(R28!Qqc6@lQpROzxMln`t9yl_CIIL zyt2Q%>_`@hpdl=e*_Q7I5vy?~nm%)UHg&edyr9m_zP{|8iR<}kq8X!u&b|Hf-=(9y zNjd5@hKYJ0$;Q%!d+=qb1yn^CKA9LdS{lFl(i$q{s&vre4~X{Yzm0Fg#wPUf-9%?q zyFm1KcOq>6EE0VI{9o=OD!0r3Q=7%`Q?nlMXHo`VGvccez7OpJVW?`Z32wA>VML3j zkirJ1u@%s0iwQVg3P5iP?glVaSZNVe`T7!STPYBoYGZZtu!<{+!j_>fT4qFU7m)!T zb-Rc_bNzCR1iFQTy()8G&t(Py2n{+_`sOJ^dyO%!95IK@k>Qd2{mNGtxu8Em&w=kE zm%v^@9VkV@@f%WEEMkFv1>b@5C3+lfWR(UUIA5H?_ebF0RQxG7sNt&$x*HGNLbO{k z9~mQbYdojESf|6I=BVPOmY8az56W*0)mBqKVBC@ErtfI_ed^78kxsy*o1Uhh8r@Vg zJ_OBb`XZ_JKQ%3C$&Yn=A@i1zr5e4ZT`p+9aTNB@-;D#5$G8T~Go^Tv-ZuuoJ*v4M z?(4$X3XwsxncdWtF=#JnH{AxBr30XQ&|lH}HJ#A3sOdRPAJ){N7TrP?+TCPQFM67E z6CDPqOsX5WCI2XbNq&;bb!KLdVs@1@2m_ zx+ORCDdKs7>D$p(g>qo|tqnyI2`!JDn&UcAn>LAFVq_+8vGumi#5RdA>#j>cqt5*# z_~`2R>xtk?F1J-M$h4zCr1B}pYWRVS99yQM6hs^YE=pXiI5w9_>HrEk2aD`TI$OI0 zw|aryc7`}k5tjmDbP-gbU8ns}uKoIA&(iXri+^a$IWP9MUZ+lG7(E?~j4m|x?p16* z7Om0W^X$p$6MJ9Hj&_0jYJZQRk6WTU)HW?=ZoMe1a4zttS8X1u*_4+>@R&4Uw@dHv zqXz9W=cdb(Sltt0crc0N_zKoJ9Q5D3zMQ5U8M;<$4y%g}8g$Q2w+0Rz>e8ziXBURe z;~2#chZy9ViMLz!dr!PW#_YV>htHr6;+`8+cSlkb+?!C<@&6ihueIrvi8^1~%R*_Y zwDzyRy?o^#N6$R9`>CE?fBMC!@-aDDIWMsZD!lGnmo2YZkwH_~ydroQ$V##y5sPD$ z9ZsG*ZUrSdnfAp)LO@A=-xZVJ<_S#*<3R_+LUq~`K?+jaJAMnoOyBT(T zcOBnGuIxT#3`uOiyhWuqi@wLN6o}qa574B%*Kq``3sj;i=rk>$Rm2Nz4tx>xbo^SQ z7do$g9N$N=uk>y@nfSqz0Hbd%Q(ATbccFkE2j>HaPoI`>TBvd-sa|DhEl4Hw7DccN zz{Ta+&KY1efGL8N19@W`PlMWKn9|=7ya2F6DWpO4orFIRZ8b&%{>c_WT_%wc%FDx3#luQCy7TOat{w#eLAd?sS6?g^ZSc%>LLgE1R= zM3tEkIZ+X6Ad2c@VW?{w-`Pa2vaax@aaCNL!T%P{c-_on`~cXS$YInL9XzXmK%ux% z>t+~lT)av*jrZv+Zsd^YxX$+kax4)`Pp`-pB6s~hD*t%5V?(~%wn?u(|HrYDtDehN z;#bvp4i{REao-N=xcA3%=gX%L9nUctS$^Ge1D}uQT3qH%p6JW=Wyh@K9mn9pm*csn z@JFS+%sopU@*G_l8!~Eb!lZ88 z9P@E^kLPAvxZGUF)^9WuPukp2>>(0O8L4OB4)Gk$>3$ena=VEaYb)U)5&YXt;N*{Jlp_NK|X+aUv zifk2;TU|-nmr%IeL~iJR-kEczX}S0JpU-ESGjrbW^L?J@ec$JOp66ucLbXzW6d>@L zgub1~Rto|Q2?mlMpmETz=mi;lFLYvhg5PS;H~4MgZxFNwg^dN*E+PSo>n%htAxr!> zR~LwkUR#3u6jwVSBMkjMX(9UEip>MULOwmZ5%b){He*7D^7vc178CdEeuEAfN6~dZM{xc1r!kO<_E;!L zdkhqVem+D$d(lq?Xn{6*8~p^=Qc-{xycD1#KLIR|rz^Rui^^&Qw`4D+w?9h%hz_M5 zZnyCatFmuXrqF-mPS{E-Zf{Vl^c78ht2uLE+i^8|=W#GL76$bii~4a`go%wgETkYUbXLTs4pErz`jh_n#m@kJ~SYX>X>BAJM%*n2sj zEfzuoF&Djo$k>cgHe(|b19aYTxa=OP2MYCKaS>?!IwHwhpKNXAO3`<)UQcpdXH9f+ zlDk~F-4M#Gp|cnQo{;AyB9L5sU;&@NWV2CECiz-4K_L(nQ(qf+a@HzRq076JAL?BO zgTptlgkqR&1q)dW0*NO;Fraly(it!le?*#|>G(LGR{VUR6Rz8MV|1XDOzVPk6d;TI z{k=}s9==1FZ~ffpPW#|Nj2nx)(um+BKpiAv1t3C<%)Ht&4FDbfzEneHPjD<7c=Cmw z;5d~dWbg!RmM1n$FX=`+v_JuBUR*nN_0Dhf^foWfleBUBxrj(8g1Jmsz{EzXb%j2J zY80SpLZo+w&3vnhRTsyV3wNcu1Pet7hd|`>Nj$Cy2@+xB-+EO20~9b`lDPIyn*~;} zKdhpZ$1d!^##@QKywEj*4OZNHqXY~t-ee0MRlRE){)4wTb`kL*Hkia?vk?ZEeIe>l zE<-F3AY7bC)w(JI%7mcAW~H7|ZW=v&Y}`H%)vG^`f|dHzQZqCWdV=oX77I_6O;3pD zvTl|47@CeB1z^YFh()j`8=pe`{=BNtm0Bn z%v)%2)ZX;TF&UV{=W$V=(0NRRO(1f)JdtF#;0~TzlzJK9;m_`Gr+a>|I^MO$_Lg7A z)Y0)|SOkxh@%?S;Z7@jz4Tg;gt`x^ST}8_LN8N#=%a9tKSN`Zdz?eY(i3wx6h}F#c zh}XNGM30WK4nR#n_YJ}%3WK@0;~+PU-+>Is-TO^X>D$cFB^5HH%zJ19o*qh4}idYQE z_7w?Wh6pD)DX#bvkPy%Gu=Z(Pp~e@m!e*Lm!W|_KC4<0^*%dZT^9X>cu$R4Re3tH* z$(mlF^`grI*G-ObP=pIlEMVYUIdFS!4Uk}=Z`}7!+F{GMMZfhv+t5!QMS=}_q-~HM zXm(sL9;U+bKD&cJfJaBqzAWN^b#?ENCpW{}-A57NB;YX+A#U=1gM+caTeAzsCa-XA zre3JtdRE=Y;>##N7ZJ?xTaWq+*IGqsb{4>f#*aPAp+U5gdH#ul2Pt-=VArFu*iFDf zm$5_ujfKW(G#+8ve>iu$MocLgx|ie;U1 z==}lm7xnb1_WWhh^Ws z17Mu>j*#x9*Qlrej*Qx7dWDAprHfG0QXv-{uR#Y@_DtR4PRT1h;JQ_?Cd(%d}d}2<4oSL!6Sl+cDZ#nNFJ5;Pdu+iPPMrhzT?1@sLUK3 z7tDn@XvAM9O-wNL7r(9=0A$SuYj$k-S;gU!=UNN_DP21DC9f(XMGpz9fp6$C2*PsC62FY!o-X-J z8N^CC{Py(T0psjT1D9m@UbW44`Sa(DzR%YO$Bj_yIx+1QSh1HCY!&0S9JM@@yCS>) z@mM_WqMne0kOgSsCKp-q`@gpVzC|~l2N7T2p=bQlyfXi6z3r%cBbKP<*GZD2CtXl( z#$3G1=9uDsu}6LzzD0*pyTKxck1Qx8Ype1r)s$5(gB zvzCv5QE|6}(NE5o9E)Fg>I9sDwFi+-EWT_s(v~1GZT*WkO;=NND3@01iJ$5RyAFBzvY!7qI6# zsX39nU=}r0Bh<|N>uG)Yk=8-@9>8tUq!zS-BU;9BGS zpUuo8kE60NjMQ*U{`7)hxMa`|#Zl zI2>ROvJOF4q!^S2n8`fbrd(jjhM-+7x{vd%O1NtmiwY0-%dw!?K%T%4>^K2OK5J|I zV4DG^BX_p(w#&ICq(km=IVz@!d^xPs;2HA6D6kzcCH6)(cLb$T;=d_B93X$e>jY*@mR7l z>KY-X6Z%tQo(H6O;O zT(my~C`c_``lcx}gOa3jrn0hZB0Lm~rdmO`BOctT`2!%H<=vuPrzevmpP#h2s&swF zPy}w(5KT4aWmW>H=`yBTLHSJUV+S5@Rp`BqM;gpH94b8~S~e<5Jh@5jJu zxV^OMRas{(v8rSHoC#4K1PtZq>5C4R7J*WwV)O6x0G9{Y%{dV@LESQ)ta?!|qZbdb z>ku!jvL=vOLOwVRwPw6^vgYEo_{D{iy_Bn;$RX38-N-;V)w3Lm$E;$U0*POMs zK(O|2n~NpyOunY{B#j(zjkYVWiQVZG+aamPBWXE7I#(^T6qLHcb$gfm3&@TpsjKDp zZB5eUM}T$>^Q^_sbyD+> zg@x@K9}-6qFuY3Ao=uS~vNwW_SDS6KtV>%$J`u(bi~^-2BA5v(G^wx5YTI%^L(l#6 zDyL^Hv#g`EQ#$*EL3lYW=i3ocGPA2r zEto;B6u#*+0BLZp2>5~j*@{eL7`Sy*zG|CM|9sOOeUJvH`?a`!MP(#gG|o!kjo zDnUQ7(<6QyR<$`AHoC1`5?PFzM_I~S%3;ye0&gS3|61UeD zZOsiPQSlv~-N3%M4+)p__te@&%-WDiie29}jLZ&g&k1;ZnUAEJ9;Pjf2JP<9vEy$J zWT`ra?+-bB{!oYV{{Ul}j66e^w#M88%Cz=vTkjDXZ<{k|hQ|1kXLbKW9@@ra@&bjp zfl}QDZVR3PSzZ0N_dPH>M=V@B(f_V~$KjE((8fL5ZN+1&3MV`h@=$=X3;H{@e%M8f zj`;4uJ~pFa7>>pR2Msp8pM4GE0ar;{Eut-gsIjbr0do`xuZLkAhDPzHW!d#0ysi}< z-n*~D!M-@U>9&P~()(d3)aR0Zo_x^yt-C^!sO5}&Cai4+NvwP27Qwd(?P@sMU zTCx4e#s9>Q2uM%2{gMQvz~8D%ZKg*$9*%jb^2Oy4e$wKzI@AptIe4xY^(ij`oNCkJ zT@J1Y=p$w5z0@!x(Y1gR{OEUwHTHFl9G#>;B zg83qzw*cn*1QUpCZyuT|`N*W07p(sdr05VQHQldMu{|4Zwrii>eLPtjT?$EvXTrND zRY=@_aD3mSF2M`xX%%0)3)6Bw{ihPvTn3Lhm`5U-YT3Yf&WOX(jqxW*2?*lT-FM&r zKV^)Vf_ENu_rO9R1w3hNH=IH*YG=hQ>weYwpHeoO7_1_ptxlE~i-DGPxNFUGt|bGf zM5s>dR1aTGz0_CV5xwC)en7~aBHg8(X1WEhg=}+Ay-2&F?*RE;i<#g3#Fva8gHx=4urInpIjRR!ZjI ztc&~H{t92Y8b9>c%V-?YUO!vXn82Lza;A$UkFQ}H?qPcEusWym@y0y!FS03+A=kq~ zKOq6M&%M~ZKn%?(_l^X-;|z}%2R>gxjk)sdcw;x=!U#2`XsNR9>0M92=8b*&c^1Fk z*&&{;_e)Vs^pSr7jhJ`m$x0umRY{LowTA&wc z6PNgyl6@j)w^2{Um62$P>6oD!YSmwX&ST4#!^e}fXa%}YDv!O^!3*s{2TQM<&@M8D zyfT&~X*T3+D$Lmux|@`v^ET-1Zs!#v`Ot^E`1$;PnU>_Ba`*(hx9(Oa#w^K?YN=xv z;UEEwrhM2lLa9?{uG{+%nC0c5sK7YnOAo)Ql7<+F@q`WSiVq@aJccYT<=L240>jdL zITtlH^xIT@-Ezf|I`6e7Y>;GBNts zA6stkiR-|$!SW`|v*mS-(Lj||RrB@g>*i1oUu+c;ew{M|8$5X8MqUlg12!s7^GHid zS0L?kZc^>YrmmJ7DAy0mqZQ`^v9Aha+B&m4Y@;?Is+6$yLvo{~rNWTho!aBp4n0wT z(!|RaF8ytneN}W(fYPPofpVy!34wIl3fDeJl#uCGs_2MH9IL)X&7VA`XQCWzBbmoQ z^DtTO;vkBQ{u%Ce)bJ=J*EN5bUY02>!oEu#*o1?pq!>k3 zoS&oxe#+M+XqyR*cJa*J=T+W5pT|i##wcXPD3UCcT!m=XsEjbVupi73kCWDDN& z6RMz3Ji+rw^dY{fuC#1pZs#H*^j`%KG%~Iv7;fkD1d<2g+mRq-yU+(VoQU=b(4>k( zUW*yB+&&tgz$~u=-nN^$hetNR|T)W0KzFw=1#Nl~KWv( XIB2}wR_XhoGT(PXRkM2gcnJDGU{~O5 literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.dll new file mode 100644 index 0000000000000000000000000000000000000000..6eab6d2acc9da4d0ed15dd742b486a128b95a450 GIT binary patch literal 4608 zcmeHKU2GLa6h7NO+5#0)BoGr^DCJMw-2T`AqPFz5P^CZgUJ%Vq+P(KqZx{CNZf5sF ztA_LijBibh(HP%+F~$cHjUg%z#E@VDK4C&gOo%=h;{!4JpoCDrGrQY++oGukUkK-R z&di)SbLKl|&dh8FU!A3DBC0`|nICi<-5+U5(|;cJ`Ila{Z0 z(k)1{sOL<_aRWUobXjtA%h8j=DZS|Cg|T{dY-q9=g)5NB>a8JR=ZO0s3FnfniMf8R14xkxn#jNMGjAQ`oxEVEsmv z3hD-WLkio4B4ed-6t<=OMjcT%(Sf)f*Y9v#L5!`6YAK@=-9j8R7XAm?Qnh0x1KfqV z2U0H{&>~BW>r|(aFgg+)ZF|{pE!p7XSg7R;(N)yDfw?6WNXsestnmjDleeVhXo~Kl z&F-`uJUWm>y$S=@xqrZRv#6OcT|2mrsDV3ov<_My`oU{sOd$a{6+ZSa^zl6{tm~*r z`%S9@BIc8HOM8r(F|Cf?rZbQn)UJTvCgz_g{*B^>lE0zaTdFQ8V<}i?`}|u&hiMzN zsrHD@@^c$*!iEN%H?j6w@H*NE-bg#a*Fcx~Ud4M9A5i>=;;$%fg4dBjD`^vWGi?Wd zg8IQ*kk1A^Md!df=sftd^d)#NT>*bd$y4ApGjRj}NfATmIK}ihW#T5$py`+eksotJ z;0LCYH)X!vNQ`-|49u)8#{5aM?fyz*i?w=f)A!qG|Dc;M+2VPsFiA;~EforEu_r(# zWJ`gd9^V(mtUaB!f=Y4Plm!v=nt4{a3)+?Gy@Ep_TOst zy3T}EC`qMPHqz@BJ9QwP>te z%iX5>tFJfDU3>cbBlTKz&u`)rldf9-vNXLR*Xf(e36D{xC#8GZ*PypT9k4EqHX1{H z=~R@8yQ7dicM3@f3r*|h^CD^ao^4JKAx&tfMq8Ja$keD&t;$7QHCVI_Hy3`mJ0Mq` z$k89aesh+z!4W<;AEV6TotRw_MmlY$J zc;*+pNi0sHXs~LMgdGdt5dtI3K_xR`Q&1lMI;aES2$VbzE+KEn zYn;HS2Rl-YWtAsm(42%$o3bUcnZRYN&Bx;y)|6PayjGh+ z&gi)iMt4G=cOX!@4$#{b5qVJ93`EVwk7)<8Lc^DpK$Lkk-VKkYRb&c?A3sDo%4-VS za3trQX6-nh+zWT@|G*gL$q3eVfxLu$3o4?5Pb#d=2p&Y9B=DW8(ZaPB?_7D`i1w&G u?!mtLh+z?#Z6kU*PSwKQF3$<~8X literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.pdb new file mode 100644 index 0000000000000000000000000000000000000000..cbf143b15c4494f1837df7fcbff56fa4e014dff4 GIT binary patch literal 7156 zcma)>30M=?_P~QI?&5;tRySOzVq_H%d_oqI009gr2yR0%KqSe;nFOV7C?X0dP;4RM zUvU9Z6c7;=s7qZRxFCvEYZYtVs=`D4T5Cn$o#fsSlDvNZd|$qq%$(mj=Wgemd&3G3 zWLYpQ81$zf_=a&<Gz;qu=x92{_=o5d1C}34XI=1g-4lj;rd=%2Gj^SAN*X{ukSyoKMdI zj~P5W2BSB)0&%TRJ>Y#`aP0%{>38%8yo0yvqL=snVs zF@B^KBN1Fv!4-X`07(nR6d>D#9%--EuRkAe%1RCV{(eC0#=4-py?Da4irx!@%kMW1 ztX-z+|9aT)FN+Ti6sG@42*j!GOFzWUopY(@twA~AjI*KpdhB7OToV&=rBsHK)01$L zk`fAr8`F#FJl%uo>O9lgo$2B{%^R1v$9j6YOI)43-JQL>oF%xIB+f;QdBr+=dN_Mw zn6r!6ODti?Fh#r?i^myk2L_>3N#)XSFcqy*g2$@krz>S@ib1Ls;03O?<_@g6yLvc- z@kF@(ohQ=`pm9^}+SSZ#` zi-A6$sp;#}YZWQnxnQ;D&GDDg6u62~VG0RGN}%NT1AwHT9fR3?M4oSPot1K^ydU#Vmh3KhOm1?7K$4oqY}#J5aivraAg_WIepU45WDn~=$HG2Lwx6M$kh zN#Y7)_V}=wdovy8hVC4mHo|Rq;xRLURWA$~1gPkd%+hQ+MV_PjYm;piv1rJx? zq*QF=sP|~0o6W)j0og&DJ5IG`Z8yV)D{-+DlS#k9QLiAwQ*R9$v$WFDzqtO+xcOVh zr|4n1l2Cw#2?+@<0}TZ~DKJii0vbodbhr9odzfrvaOt^W7gip9+{--Qy|FVK?uwo< zyn@RPd)L-SCi$9YxJke~3!`v}Kb5RNjXnoQr|9*@dxeuv`{hmcy=||NZZ)sNWOgCE z*m3EoO4|+WomXwgO#VkN!W0t;nUgQFMHXi^4E`fHW{DzuNu7u z1x3hkBjFeQ__w3u>V!4-si&Xu1%vd$B$7M@+jV8rvYgnEydy$ z1f`OSwG&!JVqz6qjL1k&yCP>>l_%?1gy3X(vUi~wltaf5*z60iG29f_S`QDqfJ*!8 z`ws=G$C|+cKx~_@i);c#9ATs&-S)e|-pu^qZ{L2k^qi+?u^9znBq7Er?G1>c%sBS5%_B&A?h zXcYuYK_~%B)5v?fMxO^czOsO#o1r1LwSRV)Q$!FlW8X*bJ-Fq=M{!VolxEd8AO2F9 z!)Uj|2{oyA{xaTj(qT<6Fii9Vs2mUN4B=S6SwF z7lOJe)JAJ>WiVbjhXskBz2ubc^?i5o#pz{8JBh96(uhLC?EBxbUmq%Br=Mq8Jc}6? zZzOE8HjyV+ZAZO2*6(s)aX*2(Cy-aQy5UG|Mck>j{L6cKvZ4=CzK$ z=k4b?pQ1;-G>dRof@wh~ZDWJ1dWFsY1sHpO2B%L$%ivT<3qrM#mIU*;E7CT=k&XYg zWO+wkonYIW2Ttua-pkE1^m>ACy088NN4MS^^>HD$a^>Ezmf6@1^LVsWNo#%kiLoap?lX2wQ8?$M4bYfW#U#NY*l3sg`@Z( zhnpSsa#lW3heAYmghPS?!5};!_`5k)2@ZQ*7}g<&KH3M`qCq3vuxiCbPdw`BgZwM&yu3Jj6CYMe~QV)e7O z33kHh?04^MD& zbmbk7O`y7sNC&8FgAU`Bn< z9kroBj|`=a%k5^^s@&Z(Mr+dXz!QzjT_Pq8pbQuhzFdt{`kDX{_RllV_Nd7ZskM5v z*&!tOrU4O-gR)qvN`^gm3)+Zo`oKGCqYT{phjhu_304|If)FQy${hl?A>g0fkYP7c z#4hafYHHl{cbg1=NIaI0V-lR~s>hAsvHWtuKyOQ7Mx$%)f*CK?cZb8FLAFfVRlXy; zXUM1*J>M5`3zyVv{qz6g8_c7+A!>oXUh}`%bgZ+6zrWw>>>sKo3`UGvPM7ScWoXJB zvS@u@SMq?Dp=v#s{&!AKC>{Hn>J?b-g)g@1}?p@q0H$_cC>Q4}T z`zh$rx*B{*csYpe9#Bg>`kYm`2SpTA zUC=uo5QfQcoJ^9^p3j$3YD~s9(lX_aO_OT87q6!5*ob;hdkop`R-@dbO%^d26`}qv zH?VP>+*ce+>8BX9qeLc62IM|;H72m<7}1qyymI29S7#h2(#QxOY!P48!N9@#|;U zf{4d+FWkJL2s))1J8o;wsjrQk3F*E_5Y;;Q>xUg*?D^#mpATGm)Pxc=@&fp--P0Nd zOl_eGP7fOAT(#*??g`$#`ANWpscXJ6GT0pr&_-R*A83_6fNq}`{#Fy1m>H78zIfCB zn+2#iG4DVirQe$&p0l{w!uGF#z^!X8R%INxh_)~0d6Px;3-sbt`jN-N2Oa!vQV-?E zrow;L5+z5e6XDzy>dxPW&IvfZ_Fk{bcSIcQ3Vn=b%P^@NwfrHpIq~q{s8;D!&Q;sD(|TO#28r z@$3Bh<}F#DgoVDLL*uNtXlvW$xuFwWg_w|Za8cIx4+&z^&ed@ z8G=^mNn*RGrnICgpm=lTws*CbQU9nV%EQ^44UPNhPtq^Ywqr~JQbXC z`r#k{*_Y&OtP41y5KEO98pkJ)J641rB(_gsZMj{xVVKV>lX28`3$8mzg;5HjSKg<6 zUflA^U$bP(jeoD`_gQaJ8{2g01|(ESp*1w{F_qKbI#_rnJ&Ln>W9DQ?(R*K}QEwwd zopJAm6bwk^Y{+R$E7_BWwyxa~lQ@UyPlw<8?kkc7NezU0w{0|=EZMlL?uLzRS3{&VKfKlusk{;-TQw zN2V>uVYeW1@YH*q?5r=rdHZj?|4+>8QWHZF7?p?y{RK2P|F^mkTc*_or7bun|9Q$4 zlo-3r=^&%(_c^4`?Q_I(8$bG$M%R#=Urs{%90OYGHgpu(T$s@_p*s3B?`Y6t-#CZ6 z<4qmaQeof-!iZ$f$oVS&=k%bW7xIevWs)FM5*!huG>pszrCWC#n3f<+`*5ZA^Es>Q z5JX}M3LGgJ?1Iq*JO1Fu;GN8g!rlBg{Ga%3qaZOKld16twNhWuBMS}DiOre0+XOrE z+6EQ-uS45()0z9YD&d5u6WhN!{^8cN;@Q2->w= zGUS=vmnJCO6-c#$Abo36`+nbVL=5kQPjH*0U4>>CEoiVc>VRWL6-Wo|sPbeNByC}I z9%)8JI4!L!g1S{DsEMk7ACB3VJ1As_rOWa)k6I=fIMY36>GCx)c6i``523?4h1uBc z0}e;upEJOsID{CaSN#$7@6f;99|L2i-S6b@x61A7xT*~uhtvLnuMvdG)`*sK{MFM# zgK~IBb~W87^f0s|mmv@JQv+e;^VNy#GZHx)c3-l+a{P+BAr^+I65#Yh;)1sy*Umg& z8(MLuymzkEo`ELf#%)62rn8YjqSP|K6l=lD{WSCItG*}u3cNh--08?YI%d)lOColewf1CmKzF?}nDoCS z@Q(^7cmO&(30P$MQxqXk y<}bk?435i8FZcgXTl99c=PLip!j74C1-sh5bi9dPH#a+dUVpoSh~oC)*Z&K}T6aMJ literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_exe_sha256.exe b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_exe_sha256.exe new file mode 100644 index 0000000000000000000000000000000000000000..e9add753487822039f4796fd917a1a8a848badc4 GIT binary patch literal 5120 zcmeHKUu+yl8UOYiyN*lTIM9-&O*>tu&^qZWPB^d~H|H2pPP*>x&Yd^e z+uiQ$xjqn)5q~5ekO~hK2wr%s)FP;;8bK=%0tpF4mHNn2c|n2)`Wo@j@SEA)yK@{& zpif1e^L#VkpZUITzHfHs^U8BCQ6CWD$~mbZF>AqIzwKXj$tc_WH{|ORc>} zI^C~L5)Fbf6jRTA79&G1pi96oWMaQDqX7wI+d&6iwmy3P+eC-eUw2H|;x!1&R%v58rZiFJV zfGOV!nDoR1m}&)hZ-m_SAt-&7J}X^EB+_jKqJ=IN&yLHuqDkK})K3*g^v8Y~y9{YP zVU;rX(uQbE&ph>j%-h&P`3no0)Pg4c+R7P|#`NU$)EPxy2c5onlF@O4G`5#4~Ko%ype^0=}X$K^1+3(NEHLZdY%8Q-VBXrsW&3j5B{TUaT5 z*QlB~NVgz80ysbq0}j#CfQMmA!ZQlaD_BzSSp~nWpb7XOIcolbf^7xA0XRSg-49&` zeUh?(kI=J#qx2l$N%}hAw1S^ga8c2}NZ$m#tSDbm(4rrMa*h4~DCk`}u#-j??yDxZ zFY}qUWAs!yC0a2(v%&4E$D>@nT5q{-m2dN^*fg`JPSfm)Z?{~2j+(;qL)WR%#g=2w zM>s6CR>Y~uYpq7Zthu~PTlAY7j&OF-=7r$Rn%iD?qF&JsIW%qFG{b9ME$e33;L!zK zX#7RLmyxcy;JAE)hr;o_?y8iz=zDdi(F)DzuIwTgR_Fw~neaPsT(#mdcg<}z6MJ>9 zg@}n2?PVlT@)<}ZkYC5^Nb|bOExBtltjG^jdeJc(o-ZQD5-BNFT=F6w`azk8TaLx|u;ZBV zu)~iJ1pL6kfjE*V=u+(}tj0&~I{)cderIm=Tjm?D&HUgdjw{o&!9GS>KPDq15*?Nx zGx+9LD;p2z-urGpY1;AOK}}u3M32djc0KdZmqIgG^}VHSi>pMgZ-)MhLWA6W>U-BU zI=*ilaTO}TPiu6flREahR~XAqW~Ydr*62hoo3GWUEPLFZF>~X&T6SjKte?hg%A7eh zeI`Gd&)T?TVRH(1EPg~KjgA?sOY5DZ`%IFYIo!i}xIX-;4y)*hz%|>eIOIp<8rI=3 z$jXT2-ucCAa+G(`_s}bN4=eI5>S^+x?QNIK#d6#Iz4f&*t@P^ENB$HXU6__TT|8U4 zBJjmjxb2zO%x0@1{8ni3O2`9WRPfCRA75t>oUZH}xQbu9T2YDKU(N{Z8jU0mopkVI zT1@nMo6OS(F-EJ4ez>&F)!|iF59fyM%7;s}+fNcJB=i4=A*0?(hAQePwzC#jQ#~7t zUo9MnogN~l>iphGRCLMN{5SH;cnn@D5WUq0p`^Xlm&0rWFH040i7sPSLWQ;pyaae5 zuGZ-71Mhzj+l_6fKAcbVKy~6(LcmZ|v<)&TgdPX=2Zv6N>f|e-6C_uygKL5+z&9y^ zoDVE+KR@s&e8uYwdI*k(x?r!STlh#cn(X{?RKuL;7^oU8LSGX(3mx~#vZS*R1Y(hRu zr|2{cP2zUz+Sq_Z2#IbCrtrE?b~-`7^jt8ltczqLNql z@6n&EuGYb};8rVy%>)M}1!Q5+qS0CK^Lb{2>^lVpN3K7($|uprQs;5;cmbiHISJQ90jd_m&=58>GwSdY!j< zZf0j@XWoyQ+1aPt5)LS`Du<$WughCnYHw+6v@dnK-FcH|HMBC4EXFL9EF|p2HOT@! z;lG*Sfz`iF8jN!puO6sj?EHAOo!cFcpKo8g;?SgHwjHf(aPD^khR~fLXs+x(u%LJRuivJrM-yLvlQ;Phjc7M8E+P-$VWy8!9e}7c^Ni_cZ zA9wf7%miO$q773%@L1>!z}U0|D8X|vTT3U##L zoOi8kYb2e;&9c(9WIcHyEK9d+s&v*k>r_?jZjbcWMWaf%Jr)&J7-pJX&>^VnK;8^p z)L~Py4njf);SwE8^8*E}M^vI=QS}+tHc27bR68kt#u$b*;lvnIX!5;8SVwTubi|BY zPq=fh+fo&mEARl`^Ue`K|G<|J z#EQ%K@BrfPWDXmw#XNxEC}0Rp1uSoEO|ljtEK$CYO|ap<{RE>erp#nkVq4eRuSUgg zHg_oR^vaQl7>LsIRCV4iN}>`Du!5xe=CIUDw_j4$CiX>9HY=%JTc;ul!LZcfY!lQj zmByaP%2{^y`zwAt^!h!YHSJ%Jll9K-z4zn37S=#@jAfHz&=vC=x?ZQH6WOnnx(N^q z{TX&3EzwFD%Vlf}?4o^bOAc8Fz(-aB$|1= zS`rU{Lbf=m%w6qaynl?9MSpo(1B>=8g@bjj>oeY7!>^tc?U3NvFQ{;VZ*AM*0vHy6EM+3sf+3NkopT%%v&; zS0}xPi%NS$4s_`Sp>RZ0U4d&r^=spq-2EsR_iLff2*fzJm&pW#M=2ab;y@%E6~Ni1)bOlKT$Ql1DinG5mLxL+T4y)x`@!31Uu!Msr?eF zzm3pL*Vx6d-(p}qBW@r-IlMQ57tSYG2~ZpgLb0g?@D9+SfG~q_Jz+Y5OKLp8Kg>*x zpVNI5TE?0fX}asn^)tr<{QrOE_;IZEg0mjy|Ho?dQl~fP|5NAdRE~u8&-tJ9;C~SJ zHUi$ct_3eLT%Q<|%lP$xoeun*|NqbUgR;nIxvI~5)0|W0{O^@dS@6G=M_+vz>|lT7 zVBkTArD@N`;=?^f^%b1|#aG{#esP_N{O?YR{b>1L@Q61N!2jMzm`_ONe`nKmF#$X= mo;M(@4gPly<>wOS5$puc|B@3@Bqb>thY!O&z&((D9{2~?mW{Ol literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_sha256.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_sha256.dll new file mode 100644 index 0000000000000000000000000000000000000000..9750f5eb5d1af0cb9cf45ed9aa5a8d5a3610b869 GIT binary patch literal 4096 zcmeHKTWl0n82)E_p@0;M6#)$nEhs46Y};*FP_gZ9sTF#myHvzA?ac1k?ZE8JI5P`f zO-%cMi9TUsOiYLmKFNcL30{cC7oSWF515$nh)*WO1bj2ZfZu;+Z*3_?e8hiy{&UWM zJOAZerei11Qv(q-qTRhqbQwLvfW-Gl3t+cC^=&JCx%SG=%gWI!J5zIpr#h~kceR3= z(JagMRb8lV(NYadO-v-!f}IuN4I9?&Dx01hCOWD#(CwRB7Avb=rw(qSp%f<0IlpdMiNw_*|6)m8O)?_0~m0j)}htG z0K5;o!n7gCzS1lj+iFFtg8`zUx~Uxgiuf7Ww-7Z^S|$3hiAZ7M13*V;&qj9eS?CTW zUl~%$me{W|(QqW(8|m#nz=oU11pW*Qb-qK?4u4OebtZk+u<{;Dn243b?L3|&2Lmo+ z=g9HV1o{Qc+gW$Wv~|oGpstLx6RqXRZKapC1aYt)c+wL%C)2|51u}}Ou3H7R!+I6srsjFwG^SZvUSwx1;YVXLxuR*#cyn4$Uq8JtW@n40 zI79_6W4orI(@4?C4*J*^deIk@5PC76*K||VXmPtRZFt5K+Mwr&f^L>lhF>pQCA(Ty z6g2mA%}Pph^TI!jyGxw4>lqcD!-grQh3gr%Rnw|4fbn$A?w@{NMvHL;Fvn1)}+O_n@g z6vAbpa5+pI#nnp{&YC6#dgU%WC32?7aF7(v__kZ2Ck!ob*`9A?yb7tZ(x~MN*LIS^ zJ!53V3U-hp;a2%U{oxq)3B)J#Q&>=LuS0DI7eDCUSb@ zKwn=D*ErVe#%+lo(WpY(!{fuL>dxF(uFi|NQDbnswY|zp7@lKlrE%=x&8(wVIVxmj zs5J4^xu1B%cOo80+JiS>Pml&COOQ`yWrBVxnMhvUdcN`Zli?%pzj0&!&aLRz9Bcew z`nZQ9krr7?JFOLpY0oaY8Ig8{V|!^F3eU#zbDaM4s%cBx`l+-m>*_LLC#%yh<;RNs zy2)deM=PQ7s0Eyvxa}rPb4)X=;7$=j?%cB8-Q6&=JlvHw9|{V;N<>@nye8xN`H(U| z&)>t+H7OH8+`%tOI_H44LsOwR>=p16(Dt!P03CHaN3LH&w3?JFi%?oxsCb@$1&=b) z4`+#=V^Uv(Z-TPOn}y!T*F_BD92F6liIGQhkn5p7>c;{R+-FKPmT73Xkf_DpjaNHT zZ3JI-K%TSbOIZuH%sP+%y$@md%AWDQ*bLi8VK*g8dPjJTb@S1P!l{A$u;y|j1 zD1wGt6W@}Y@0y*UvRT+Iz^;pLkxKRnYjZpkvVN0T!^V0= z)XuNV*n`+6RF&(t)aLT)Ew5cn>I@=!Pv$~Lq$OnTpY#xZ4bbBE7wtovc6atK&2G?!bhp9K#w4UxD5G(9b|zV~JF}g; z+b9+lF{V@~L4{IKSg|D_6%j;4DC9x!!j*j4XIu)m1_@avaCHoLE)e5f_-4*K|jJM0y_?r>bA zU1OWZJkT&80At`mZOPxZ?rmcsUfh9#=N z4vTzTRAWg+7||P~L{cQIU@qR*RGBDw5zyQ0q1*)}Bbr(Zj1k$HUx7|2BO1nk;8g-6 z-3R;-a0M{-$KRDhe=H+i><{FBt=CJZb^b_>FVD^Y7W{jw9q$P6I|ANV dApUOz*1sV@fs&;jXtq>4RZcxXJz%8={shm*hHU@< literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.exe b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.exe new file mode 100644 index 0000000000000000000000000000000000000000..6b1d3d051210bfd1cad37affb9a8fce713a2985b GIT binary patch literal 5120 zcmeHKU2I%O6+U-uZylF7Kc!6^RG6&O(1!SW{S(^>cCxnDNw$q0H@k65S;@V7cf7v! z-Ft6m?z&zSp|mO>kSY}f5~}!>O)mZQB~j#q&^^i9#9b#Z{?wt5KlZ1zL|UP z?mCWe#Gm@mvz{|^e&(Dr=ggfMFFy7>brDfF+Kn4Tuc23v)A(Pb>k#*U;`M%dWzSnj zUo$Sfb+okZNEQgcCagNMEzk2qR^d!EJmz>Tf4Ru&ewCYh_x2r&O)oDHT{61pIkWqR ziMMwsLw6ckqF!+NBJS5diJqb5&=g|mQc>I(QCcAd*U`XN&_$1bfoQ+}Yxgl3sZb7f zFRO8m$ZZ*kg{pg;=p*Q|$B9aczFlBZ_=$Qi=!*$~-VFIxi2j>*05LSR);MmAG%$EK zg%ma@9a|2Aj+}tfkVEvQ;I0ov6|0I_+d8O-Hspxr+Eg?ORbBxqwiNYHnGyZAN98U> zMn_te&h0=Soyer_->2$!Vy^h$oT01$R9u_mX4V|bj*XmFoE~z4e+Kd3=ZQ{Y?IGG= zF%*thlS<=z*pzBt4qh$N4=_L_Y4F0;LLU7qpqZLG=lT`U3NYQca5vE&Mf}|uqkF)> zP|br(H$@{l>PJ&!)rej&qCQRgjHy(bu4z0^>C`@Y6jRf*LGKx9`m4sj(bzT=XISHl z8b71?kI(=toYMGJ&G|M~nI<>&XYFKAdyMk3pZ);Pvxvf=Wu^pQrFV@%P(@9B@i4)b zirt`E3hPQ4bO1O_1HgUs0Pubq(HKd^cvjqM0}s+;z@MV0fyXrdw8rzA{}6o%{G#T3R%4sK3(f}p5?Ipjsr!18U4*Ye zEnn3$fg^M>84@j8o>k-3RgZ_`Q>%e5LaXBPRldbn<+?R`YJ#R0{c6MIXQ?i2U${<% zE;O9#Y={k0X@s2eywa%E)T}md-mkAX(%HtFm6F#hZnNZsovJOiu&TUniH)|Ek|k<9 zJdZ<-Kjn7{k~!xcm#=Uk9p7uuN`&*ix8~Fu!U}IG&U0xCC)h4T+=1ij8CSS#ZRwHR zX?s~9Cw90~Fz*LV;ndb|DXIsS*KE(Z((pp3&XrI2sW`3^c1U+EjENdiu_;4dH)B&~ zoD6))gb>wr5Nn{$j@Q!WYc99d%E`1tUnKmzW7RxghK?;0R${o|g-Retrz@i`ON)&KY8elcYpofM%UbP)XfZ|w~LX{gTa9V zitJY?)%)Yml~)GF-}!P68OFW+y@o!Di9W7A-cstGM}!qD`QE~o&2=$L>%xCZ8qm8# zZG1Xz(9vCUiDOYKA2R4*tAy+qFETco9mRM4fI-Kq_NnYdc9IW`O-)P=jgMAN51qC_ zPK~cYV4tc?Rz`8)!tV&qTl|O$1|2b%7D}xxd@?T349?^!gx~+smMHJYz_pr7*z5<@ z9M+OB=&F_cZqJQBk+Ha}&ZTdlJ&U{XS#>YPpjL1fnz~vBfCg}Ib%HvNJK;((U%d9x ziOEB`*O$J3=+z1FtsnhO*_c05zAEumm3h^(HmrK1Ed7SCd0Ftlmt}lc(#IDZ1QX?5 z6I=ExPn7j$*j?8Qsue0;oK=TT9M^XSna&Z|vpCfv^3#u`^-8GKU3T~EF;03yZQ2{TsCC~-n^U-UK-spb+ zAJP31*-Gx3bFm$mhWG7|*Sr<7NWhMR_XmefkJiZ7ipNOJDnV+2Dqv%KBRG)!Z?6;0m?#5YW=HdTe_FD4(=#kE)#H=#p%}e zwE_(RZ|z)+;Fiy}8s4XL9QrDoq1N?a%k5afe;$(=N2=bc2jS}y=$iJTG8#}*XQGBx zsH1%+kI{?xI2l%$MZ;N2Ct#)1PE`3S?ABpd;4PC>2X9lozRR%>Re80(q!x-&6~!|K zBSroDxo@wts_VTBpFZl?K&``$jQ%%#5q5>D^L8IMSNrB#Pw6?c$d1&xQah=M%auV)@wTjSd7Dka&jviY literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.pdb new file mode 100644 index 0000000000000000000000000000000000000000..2ea858c6c53c2d50c34986b68bf31d5b4faa7c23 GIT binary patch literal 1412 zcmZ8he@qis9Di*ogTaa&1IB)2n3^b4E(a8PpbO9z3d--6xnyL`UGGs2u6M`X715!C zs|bli8H#}PPru*K z_w&8??!7v_Tb%}A0C=P#G`gKR-T4F=4S+<@i-;S+*2pqAHjB`MVA}%#g~}2z_o^}{ z1QkTVmUyhi3(65M$9Ydn4fg26IaFYC@*+0top{}mRX$aJENik@9zS*O$K?NhL6SsI z1^~$@k2qL^VAO$sry*DnFvq|H<#qZ=ECBWbQ!E}$#5pjT!1JaAunWy2Xug8xn`kzG zLM%bE2_a^Md*WdLV@Ax^M>FeDuXE9O{9#^veD3OSWb21Fs+hgg+pZ^h>h=i9t+f+3 zF0YyDP@hY?nmhD`HQhP5e}`q@@X5>-rm1Z1nR)Ao7tA&sGadzfX9HqL;&>?MbwgR< zL;(~M6hY<{5d~y1X(#f@jU|w^GY*HHEg(zmBt?-dq}aCn08KHZqllzvn#>PS0T%GI z5De2n2wXNGN-7uPcF`)fWFZp{=1F{50diPC3HYR&9d)x86p`qg$IGAO97G{1ZQ}$8 z+?CE2&n91Ug{uk_#OT6(oMGkm(Dk=;SE>VWMG8G%HKfA zC#p{lHv3Dzv^>(4Zd#=Y{P04xvPXpi-akdJO~AEB0PuhOL-XXwoyyZQ*{0odmzr1C z#$MYSRi*=N%LQxD=cwQJQTE{V3-`x#WlXd=D#`?p1KGoO554G|&RaYEf$fq-7u7?R zs8-eZPV5s=^F9NZTl%#8;T?ZluboE;ye)S5=Er7Ky&d)4++@tRpziC?j zo?RuZ<%F))YeE~`rT%sHLDP4huNFh68a6PCi81+0dX-D$c^JT7ULibCfHD_I(Nowg z&V8^)&D7(*b{Wzvy2gZ$Ryvh5gXS@4^#+YIXkmlaZ*-NKTNHFalOQY5opdOisEA=X z0L?O#L?y+AT8TWYkfh?Zb+mxaAnO;PYNz~?D62HXLqF_+ex;o*C@OxoQ5J(T9U=mX zwN*Q=eWsn!rnIlMi`u+)Kj-aSx$oVFmb;rJklX&VH)C2T>sVfBcra|+zH#@zuZ^Xk zyJtvEMmN<6Od``^cH_fM67`k7Dr5?Gh;rwqH)D6{jc$CrD-;EW7=CAkivFmWunHB_ zIpe9$k+O&@Qj>GKcHPoK=IrH?s@uO-{~fyb&v@f2U01pWsn6x1Bt=p1yGu}3IjE$? zeQSg^5jmzm?RX|Kle1rF?A*|Nd;7@2(mzHIFMNCJ*3tKV@5;V5HvA`HKJn8Xw3z<^ DAtk{~ literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.dll new file mode 100644 index 0000000000000000000000000000000000000000..40069eeb80da2156bcbdbdf03b6e694591e9657a GIT binary patch literal 4608 zcmeHK-ES0C6hG51N|6Eup;X0z0?OCeZnvc%YDOsCPnXR4&pH&~Vbrk>G|S)eM|9pFwEQ6m>&CXEt30^T3% zh*C3UbB)!>(4|%_#(T>2wLqK*Fiy_{Kqm8y;>JjlN;Il@zL&vB#@2-nCt8PAMqP+r z^MvIDkG31#xT@R847>=u9<{!p!@iH5E@U;s7^d?#|@i zol0bh<2n}CTC}#7w$^QIxSA~BSvYEbjc6I-9Yt$S2A*l>eAWoC9=s&Y2a|LH9Zsit z_rbmdo^NB^$a8mEj)5@~rYpOb5zXhp?@Ajj5A)!8kjY389MwntFvkl@_^hD@Wn)DR zos!r~ca%l67t?CUrkhF)-In;H#4&|AF^T&mz9IQXXaOvAO1vaFXXs;S9<_BUf3xuxbQQ#Z3o$JL*3e2|9c=(ErdEmDBz8;ellY>nAESN1X6$Q?Hqmilo5W`&_DKFddKLVn4$Qn@pYUUtmKl^u zlSMxec`Z`XqBLc;;>A@o0Nxp0Ks9eKz+bC3Wsu^{rSVUO*Z5 zMm!Vih;M7_>=1EW>G0W#n-f2xK82dJ1G`d_J9KljO3&eT?L_GH%O*t$(|0YscmR93 zf#;}`5*4~KUAme2`~y<@2l;+{7i|z%)L>W&slYibMdR1R4ajbk$yi~=D~5)WiKKSi zs8|u(zW2TLKcBz->!#amqi1{ippRpd7Fk=L(DQ|~?-aa@NPEI{{4@@Z@8F2KZby2~ zvZfv5Xj(4)+iN-yo6=->!uxEQ$omtz|y~jb(lFi}BfwoWgkB%Mv<_h02kZ^My6Bs#-~I~igtkgHUx-Zc zdxZC9IVCVqU{xm%c1(On2-vh~j2x-9R=#~wkm}(2kn0pc&%r39FRLC$tO{ZZpk;!e zyN9JaaI7Hf(l1U1*MOS9Rj3E{^7skN4&WuEHDxka`Y$3|UFtk1Dj_->Ra^c;>NJmVZ{|Ic1V-%xy>VTsb+-FlhhN0m>W2y$N zczd@@HiCVQoU0f}T^qKnvdHg077ey7{CJ-NC< literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.pdb new file mode 100644 index 0000000000000000000000000000000000000000..e9a16f13ae15eef827bd83d8e1c6ad7ad25ab40d GIT binary patch literal 1260 zcmZ8hZ%hFRt z1*sij6Rb~SEey!VcBK&ywCwO<-G==U8}_}TY!oB9IqSO8is0~bHz$_vY+1V1e0mha zAdmw z3G3w9gxMCb33JaUp@g+0sA zFCE$5!9(4d1INa5m$}C6Gml+!j4)t&=a}_F(0eW-#}q+?YH=4-kswQ8D?t%tv70C* z%SabdLT)LCyo>XATzn~6?jk9Q@@c5~rwu2MINzh^T2Va!8p#i>z2g23nZwgifro2qC( z=o_gQBC3q!s7BDt9#&NdUKH^_?aGNZa0>w2@`a;MuS>1%b5H}hS;WN{ipZ)ca3*a? zGH9DYz?aie&@)ptx+q#dqsRefAJSlqpk)=B%nYNTGX?yk*e?D){dvv!U{ko_>&*Km z)5mHoVLTY9`QOl>WXunlxhY2ONdUs1{M2+|9@ zfIGE6&fRPLA@I#Y?DWp(xdkg-VQ)crf6^c?u^ntIo{HqS8i95dDl&S4#$%C1Sfwas z1@)|iSA-8sP;*gXMOHPI6JZ$bVN2a*>9oiqR6<0MqfHO!K|Q3us=uyBbyXj6&RNh? z@BBDhd(&M%{^D)=PV2ERdRoWwoi7~uc;mgfNRCbB_S${Ms*yy4zqwjvW3XFRJBnUe z+3amy#cu18MsA>X4S;@LPq^OK5WIq&OYzTI|`p<6Thb{EWj W^eOZ9#M(pq!A7%6+Ulb8)sabxB(RC-^+6-A>ik~B$(88#_>4B)J}|N>;M`ue)Hyf{K)&` z-Zz7%YKs?zsuB|Jq7qV7sf#Y!E>P4~0+k}v6;cs}4T41$h##q{gvg?svLJl-zW3}g zc3LlhcEKIrbI;#9_uO-T&hgyC8?=vz+R(3EBYFX&Y&ix0GgybX=R1Gyp+D_^?eGiQ z>}!XMtB%k^9@Mzy>9*zjL8Moh&g;JJ_vG%|UZyaAfFSX{()Fz-RGg-;c4E z@O>G*uMly^uL-G9#R2^$#=gY@tpmrdQr~@xGkJ^~px>AD88@h4lntM2_uWjiUlJc{ zBXmo=rtVm#!Xwux<0X%n#PJQ<^P0rv()+a|nGSkF!JkrZ=0?gxrGx%JztTErMf*2k zkAkm~#Q&k-oZ|da;SXj$)UvcfA1aee%5EHm1N4D*7Y$)vjplVJ_&NPc>jU+OqMka` zg}J3i8Wl48sVk#VFJK4V3Yeuk0T1AN3GY>KQo$JoA5ici1s(bk-Aoqn4l=0=Uz&7~ zh5^4p4*>Sj!+>|u2H*(24ER0z8{ibZ1^9i%F95c!$5DbyNt26egO73Ch;AcaN!sA^ z7O$MD6U|w^Rb$n%&mueE%nHL1bEq5!JhCb-E3-9L7OU3qiIcl(mUmYjn+vLSmrYQi zDI(^XQ-Lo6m!;%F-H#lP(M9e=Y}WA^SdFt^z$MWrHr$8F8{N|P*iG<=uPQ`JZs70DYFHtfRcX9o8-HTnf!mPS3!5{hh zC*jA(j=#ATY{g}^3DhuwS)RrPp77yT%vEwt6I$5a*#QRy!d<4=H}&n{3H6{chO}INt$%|Ai7Kg??Luni%hD>ceb@H z6!L|4Uzzw>{!oAJ$*ZFaU4MP>h4xt%8dZ#fyY-#V(OL-27vuBKYN zjdR!NE_|u9-l7?!vHt1~k-8`0V z)b`OQaXyM|rMc;JVn~`yC8_Pa;w>Q;a@cY3HZa)qk)H#lazr^&gwz68KyFb4y&%bJ zM3>u^Q7j`PgU=!HskV!yF{Lv|>F+pIfTONL9i$x6YR+`Ed1we&l)i`C z*7ilrJ&2c6+liBJ}zDXd=!sUl1Kd#iG$H z=B=q&(lu%~D z3+c({d5#8A_o7nWHs@z|bZb9}M%CU=V!s7q>Zw!OL4BTnlfr` z^GW7kL-&!($Bnrr5}oVVs%A4$<{AUBg^1ThB+J4*`ZH{(?=ZJub{!RLGoiuZ?6Erh zWYu}@G*E`tnAoG$k<_Y=wq*xt%&yCdW|lRWtGg188y8^I;U4ZZG6+Ni-0#udvI zELoH?GO&v`sp|vVd>LO(J_4TtQlC4J literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netcoreapp3.1_portable_exe_sha256.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netcoreapp3.1_portable_exe_sha256.pdb new file mode 100644 index 0000000000000000000000000000000000000000..5ecdf567f121d541ac174f4b67ce6232eb4a5e7c GIT binary patch literal 9400 zcma)C2|QHm`#(gRN-EmZr7Y1TA?nsO2E&-KCUr|WW)3E^nHg)ho0~0B*+q7;RFq2A zA_}FIn?!qE71gaPrBwdsojGTW<=)?aKA$mX<~-kLec$JOp64)gqL|4*G7xx8L*Mr1 zW=s866ZAwsKog)6zY( z+NNVNnf5zp%64i=XUoj0UBc;#x3%|ID9tvDi1MEimV8oWz}?}O#z}2TF-}mOU9N04 z6x>4RvUyAv!e8l!@C8gR2U*<&v3RRK z#F*i+nhqPg>#a4^GlpTk)pTPz17g7(PhZ#*fk^5QmnUShnL)4+uw)?azMd<2EMEb{ z_vN5B5Q#JcRGNXlp&lA{94@(s>VZN%m>dM!S#!s&k6=KHwj*aiByL9-o$30pgj(`^s2gtDa&>&5SeWVshbSN{;*WP4 z+5335<-3{}MR(f-4r5%HoHhCcdp_zQA=3{LV8V=R+|vQj_Mh513Tuj8`OuTkv;@0Z zYyq9iXEEI|GOZ(5<_c3 z$#Uvl7`>UVhX=YwFk;#LS4#nL$yO`qsN!9#upivzvCD`LF=7&z#X{&H`U2FU9J()` zk8p57iWb%3P!ovZx<6`Y!h`RePA z+88}KCIPc~Tn_3J8kd2v2t*EtD-`V(+`+So(=Gu#{K@sr9QXHT$9sOZy6)XIYka&p zEQH7M`2HsC1_+X0%j%m6&SblMOU1m8`1LkGyk0!^z8Z zcRx~pVVWLL@O&cKV7`P{l0sG;3JfkIbB8gGB9is$sLpKPU&E;Tv zI6esIfJ|kf{ML-8o6iTBmubgzr0!@hk_G^j6C$(-5F#9qwDC1l^=HU_V1u{cJKm}v zDzsD`t#HH7x^>c6ag>=Y8d*TCJU98Q53+G)aW1V@5BKo!?Q712Jvm%~kVzM9Um+i+ z3vnSQeJlS2LWpPjn31aWl=wns=sd%%xTB<@<{MQ!@&|g(l(0^G;59r z7gJ&7fb}83z^$to^ST`CK|8z)e1&cPJKkYeAu0$|{Fe%7vQk zXO;BVeI5tsB!ubSn^1q@S}Vve$OhPuc)7D|Dnu<^?32iUkZL^+b`zS5UHD9N8H*TD znP{Fy^AV=~`_q?24vbB|@#~o^W$VOco*jKJTP(+8#O1PZ-A#AztprBbn>IOw+^@8a zfuC30yX4X^9t@~G!sRb`1>Hb-rT5hH>cnHzk{{bOlldAa{{@WJVwkcI%fEdGz&MMb z;NBINDX0I5h}vOP&&7b^MW|vblLwC1fI|xVW^HpN=a(IH-p*f^iF4<}{=*z!gsMCM zcJ$0|G9P&U(YnC=%)DIsnfy`2W0Hwlg+&f19_0^AJwMYt&GKSc(7_o|S-ChakOQ;P zjPEEeOfdDAzp5Sr!dmry4%)my!M4`@Z&~90gjNhhM$1T$?8W(m1hWuu?&2PwaZ&3r z0RNigbK%irThrv_r~ZECPlCn;i#_4~&F>|Eq{-jmbj zD-NJb4VeRgICh- zr-UentTp~}T34FVA^_h5xGgG_!gf#`HU((z+V(Pl_QzvyRqdS{-%F$HVLpu3vMfwc zVslO(NGFQhyB`z4PErJ)(Z1SaC;G2yxb2AV5?zaiw zcVf1nUgd8oLMx#VZ-JnoHN}8!ae+psYtdtJ%5*!!rAaP$84TD0>QP6|V6gBTQ2fiC zYd_5z)G*DPqGZ@Ru;{Lo3>wVDU8AaVHUm({=Be4-U%SjS%^?f?+tbwpDkUr-F$DA3Br-L zz+lIvyi(F(*F|gvqePw*)_(X5`JwOM2_z-=i6Gt zzk!5Mm$Yd)6-TJ2AM5JN!r2F;Bsd~IzKB3lAYG19F9C?5!4>^8U$v0WIB|vs%O2oo zACTgNpdArY7>IeGa-)eT=rW6`Z-SRCBxWor^*UjxYA+?j3E}%O>4-g-DQTlF6H?oO zHJvk#E6W$R&<+`|OuT<~z4Quj;?lj*z7P|0bN-xkun4AJqnr7!?y)#icic{XZZLk{ z0>xYqcM^*^+^T)|(ESWz+Wz9D>nZbe^5IPFMmKBzEh)`Vh!p}e5dLt_hsm2|Mo zNGV(K`c76R`G~@qs;cs-@JKLPY6akqcyO!kHb6YfzfQeEOEHglesW!d{FR`Q2;8a> znkp~Ossd0W9mdSUig^~t4nE#4(|-fcG?;NXRD4XdZIKmuaL=uCY5n>G)bfwVA2xba zOu)tYvOzb9yRZCyil}`2-lN`;KlxXybJJ)vf3^1eqp3HejW1VH4OC`+KL%FAjTO}| z%exzi)m=LmPKoLwU?@BHT`0M@2^1?8TX3rnxZKZr;fbgzN~Rg+iWjvq`|$+ph~8zmE>S-oLCp=&XfVx|k?#r9?AQJmkTq4*S4;2Px+9k! z0kJjyV@EC+=((OYv47S! z-y%vawR=DifVb09z8#ZA-W^I2)x*ntPOSev(Z}Y1@$R*Ihz)ofCMKfHJtiF^ui9r=9Qab2l97 zyEhI>jHiiCV!Yu{QtSQ!;IH18xf)W>QqCTmp1RcdUG*5axM#tH%Ji#0I+h zfobYT{WHzXJ$OdO>ugYwqE!VS%WDFHGe-b>;N{7p-p}Z85*_&FIjVM)>CvKDjjoqv zp-5abR;-Uk&S}p&CHH!A?l9<{nU{ePG8Xw~%H`XBtzF(!lSFTf2H>o#3CYyBq7+ z+?G)|Di<6ySa?6}S{)B$m8Lf$YC?z-%RJ<_P=@eo6vlRB7Jpiv(+twRSUr#pT*0=U56YRW99}Z5n+3`+?R{0GO zGnXDQlKnjyZ^R_^4T%La*|_ER9T(pKph`cMb$t32O8AN_|D)@!g3+<$1& zz_cFz3(9GQUDg+7=YIT8B`i2}E@QZkL{w(x0OvU%wkx*8pClz9h*$5xeV_m2F(w3W z-J0%!g+TIqaE?8s}b40Zs{5oZYPy zww_Wu(A*Wh`96L?NSq?xrQK^aGlBk=Y|2v#)NXV7%!k8IH8Or1Eg4mrLuc|}JnD0v zx{9U+%=NFF(~T=A;ezkC3J15AkH(3_A>xN~*k)ZhfpHy(d?XvMmilAZnk?gO=v)D&0yCs48?-ouOp zi=DZ=-Apu-SfZ*r?Y!%GvvR^rb{^Flcgje}nB!x!i+dx`*6v`jo#NRL(uu3aUZ=wE z%)l%hffj)B9P`YDUr&oBbGtwG5Lz|3reT@}_CZ$`;xlp)PAX|Ey{{nZVxBITN&2kf zY@M{$U#miG@sP9_N5s>Y1@p(Y$y>UPbb!T`7C+^qMs_MCmJ$5h>ou7y9PEX*?4sR4 z@`5=WL^65|Yt zVQbdohyEss7&~;<&k_wLFlYQV&q-9r*RfXbV|WCaom2R5b+PehNeCp!O|ZaQKmg-& z4;I%SL$fP9BY@nAtB;rXKVLqjeYuQKCjuqHlC*S zOL0te^1pz_#NA=K{Cg00o3`CYXGH9?j14pozgQuE?O*VtrVv7_&_aObYeiVbB|awS zoXFj)-&a{b7A-OzGgNtI%@?4vT=`1)_z_iVq2`mSW3M#uMtj)7;wyV}ii{!a&WcnRl!?7)jzKnTVr&O#<@xSOwI>=d=VD{D$lmj_=WM*sF>+l_s3 zU6?jl-Gq6zqUmNdP{pKriB@ydLQ2xbb^+nHg>y0D;S)EaAtWEzC_CFN{YZukDbnGN zVpk4jy%eF;JS?ADQUKV#EQ;yq&grs>+KMQWLpu*kQHxuJ5w$y|&!rQ3A_JxS>Zq^y zeUD9bbg`d&?Qwr8)X0KB9JZp34-!SfG^-Regr#=X-=daGpU^i|3bw_ZOGoQ4$?W0- zgLxV3Ir8(E{R0s-l<<8a(9p>X_}Tzwqwi6mo5fb5#;xbT(mM;wx^4H9x5n&lUT-Na zht0w@l&r&`pIb#w@#B;aR9U-CHBYH3KkD39gHL@#vg~1@7Z#Dr9-5+$0H|1)^=e52Tw^c5!rFxq7nG1 zT}}Zz45`$MXYM|)_VoHRQ7mJEOm>VcX`Q^Y0IeD)BMc7g4YPeGihDG9KEmS)6woK0 z;CUqa5Z_2!+_o`xau6Zu zwr3yB&dAQoF3vueU6tLK{eCG+XYnEBN|Rf=HTQT&85VMVL#p$R)^Aut{95hWd6VHh z6G9)>Or9bGsmV@OfMjF?Cve?&$%~%xO&=keKmh-vfog(kr;9y?+u(=lL?8+T2-}?% zNED*~xZ~~%>KD3T?kH7qe#s%_Sm(GbbxZ!~bnFvn<>5H-g z_P!tBE;jjp8!iznn%V!W$l9d?p4J`-Z%EVD3wp2bP0BKR)A0QIF&Xw#fkzVE$&$;4 Gp#KA(Ao4i? literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.dll new file mode 100644 index 0000000000000000000000000000000000000000..cc1e862aed813b07061fd69d8a42815a5b945c34 GIT binary patch literal 4608 zcmeHKU2GIp6h6~GN|9Ow2}A<}<)?~{+ZGz}x9x5Vm2O+QOHs3NJG*hw6!_0c~M{=mL6%UWxx3&0)HAy~BvYEGzb*-{NlO^l}0l3ftm%9Sl!Le*mfM8irwjePUkcagQLv{_xD#E6=~ z;Rg6@8<2|Di$>HY$8~|<%wYc|%mIVXP*0O@vnc;n`jBK6pai|6Jm@9byQqX2AxsiI zfMH@QQ99x+rB@eSm(tCk_g1abd~wtV{bdsn=470q-=HL@M3b89xp`31w_Xfbz6Grc zdf~n13e$!l`%05&tV_m?K7?MP{%9QaXE?6__N|T@DWekoj65jJyaU)=*Rg^fd>m{0 zQ!n)^p(gfgW~Ua@x?|m)yIFA~nZT1U)P9`kGWr;NZcq8HVHG`=_zQ)}The|YB?lZ% z`wZv=p?-f{yybv;NOYyIf>^b?vngDIqszXryP%| z%s;X2Ds(9D^D1nw0&b%9z%BF`a2sS9@0Pev;vtFmOZ$8CM>XWi zzMwwO6Q!Ivn>PGvc3O9f!XLzSBaYba;ad4Y!xR(3^$gppogA{JY`3KQnAFXGm5STe zlu<0ZQm&#TZkHUxl+1Bq>PO|stIS6pkGTjj@7GSS0^OReOpKQ;-zW*m_l=xk8h+Jm zYS!~bNehLv&|RFB+b6pw*IL0eDNqu2+PIi9MV`YaE$`cI#7`J{(Xu_?$a@hhG8;rK z+>~%;K?P^8E{!PM@U)RZ*JjRZA%1`23tjJB9b+)Uw5CL_|2HgmX$Xh&y*MeAgn0TdryvPbE^{9{C}&@k(~! z4)`FIpf)7H!m`-aBMGwTJ>xk5Xb4sEG@{4oja6~ zF=ndHATqeb^_o-2QEG1=pZdt*gQ3Hm6g{*2w`1pj{3CPhmrvde9~%z(LmsOv*ptxL&^#!wE`J7I=WhF&e_lGy-}Ecrf_tqKgf`{vEtST-^*o|6)MM_rLm0 zVm8133bg9vLXUy(2mzfIO_42EZIP?enAO4cFt3vjIU7^}=Ng9Ls{)^VNEzT4Z=U z!}lG&IuyARzLd2Pg;|xEyXl{X44U{cbl|H+p<&o8N{hTR4$aC86_HDRj#RYc(!bG= z&%4h4MR{c^*unqH&!BF`VBd!KW$d9}l^vqHX&2#QPxveIW_!2pVr37Bo|gOFhduU? r%Mz;HL>5(?w3~OnvL@Jfwsjxw(F~};|BRmpSIs>d#C^B#Gz0$tDSUmz literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.pdb new file mode 100644 index 0000000000000000000000000000000000000000..fe47cf1aeddf36779c09dccf7278a793a7afd3f6 GIT binary patch literal 7196 zcma)>30M=?7J!3n?ueqeRa9K4VhEdn;1jZtKnP$!K~Ql>28bk?I7v|Ih9ZK13Pr_; zPe2715D*a+&}!@Uzy(pPS{0~!wenEDK59kZon&qZNnXE~@5?unne(4>?sm?(H}tST zx(UUELVSjTZzz*KImwwyQ$L_sP}YGPU+}dL6~+?J8o)P__`QKbu>qJFaUZ6@MbdaV zxTTDR&lZJICW3ok;yrs&025r7g5MX%gWq&9Mks4p{cx$>lNeTh+z(UF7d~5;ADr?h zcuZm2P$+}I6^N^S8bIC;0oTFgJ@JnCfOq8WA)v6l%)}NxsP~ddl(6PE}fT zdswnufl8=;G8qGtD$q3wQvN*Yz%<5FblYqO{oJzeZ(YngFqo8QU}7;UAi7OX1)xBQ zU%0{Iq zE)wWD>NSz)YO!><|4wd3*SYrWT}Ie287dGVV$pXf>=kHu*4;6aR#Z9ol{DO+ym4pD+!pVBXU&eCr_5bMqeUFr|8|5hXpe(_~y;PEJMK{?UGua}AGKNy zQaL6@^@Lv!<=l&ktLN1|lE3(ZF0s}M<52P(*{j&aRr^1Qsp?Zd9xMlOf{hCcBtCRZP`ao-cjc1wo9LmID{~uY7r7I z#pDW+Ks})qI3iHM#R!d9+7!{O6dv?b;Q?nWlD!IypiCl$kj=hKHinhrQs?e&<6mWa z>+tbFrJWJXAH=rBn#dL)jl=X5q+9JC=|#;C`u@W=D=vBPmm5(Kiemy)4jqP;-F(il zUfWC#+&TSbMf-ke^ z3?tkQ!<4wz`DThdtw#<$ufoj5v@u_++xP*s`l z0}|9sq4$LLb_(S!EtD&G`G$G)pwGuEuP>~G+HqucpGFuO=0Doacz3*rk^U3i%ET}Re!QqPscb-vL(-RPx=&R4+4hT_4S{%&hzDV0hj%@s| zrK`H~>H~KC{@Ah8!fTarhFDMJoBpf+$jR*wCwyAUs#L&(96qs=-i9bl(`W*NBEM7FAGfYd?o zl*!r|`DR`|Ru4l&e}svH0zoG{K=|^!L!0m4b)XlIt27(BwzRO%FCBXZ^9<4#2V^U- z#vWejD4&gvXJ&gDr6Ul9AVIsbAzG9({pP6}0q}Lq#&J^exiPuBBNffa4pM**H}TVG$OL!fNd;DL6Hv+H_;&)xd@V)!?d>BYQ~Ygdj(u zkddz3A*ElMecf+yqRlVegx;Q48rrHO9gIj&J_=@lQm0aaoH?_5WD~0>*5;Gi^XhM}{VL>*!v|aMG$k8`1!XYN+>#i^zHncDBLg~5>;`bJn9|JQR zEcexgaNBgH^~>!RvQ@c-P7_t>XyBQqRnFnlhs$*sKDtVY%C$8CBy3-0T^vxGA6#eF zmSGLqS`2StP^-dB(7!FHUAfDvA%yv!z-+$B!0H}!|ZNP`TqsIPp7 zc7MPlUt4w;u?k{pxBus#@r}k&%@DPczTWh^(|oG8mUDRMyPfB&r;db-QbLsMuw`({ z9XDz3t}lJe&Q!EtO8+azl9UdKT?zIUnwq=6`ia+eA81W_98gwE4=ZT=IgteTXdJm4 zAzKgK8OHC}`1`MmSZ6|C>`zU8;%_K#keu$5EwN2yL=R}lV%LPUSQF)wV*Yd*qcdfxb zN^{3khb~xVLHx*IgyEdU_usjHQ<7lqw4DaHrcxt~J|JBUy2`u8Ww`m*VQpWs3yNVx zfz<`E;{jn94@2=J5#jk_kz9$08G2e~-nVF0Oz~vbmYo{c;9-kE+x=>khlI%@3Z*i{ z&-peonVI{RX)5|04R@5#q``nZB3+FRw4B7h{*qmRJ@xF3V@Bv1;ehRKU&4S;)-v{A z!^if}bLEp8F3fMp)`J4TmKVol+U99y8-xYo(N!gnKGHL>+NmC1!(g_7p6bKobHn)c z3)zD3j)j-++?I0Bsq7|ix19A(&za!wJ>J|^A%iTAuVFfl7QhjHbO z-*-!3abnzoK)H5r26^W4789#K{R6kJzfzrf+|aTu`!lb=CuDS-84GT0`#jfmf+ZDT!oFMxb%eUmLDO?V zITxP(@$W-PG<{vb38_FNL*O_*Be_#W=rL^9O!~HaWt+!%&odZDb+@3JgH$p~LG*fe z+Lz_6Z~as;+iw4B_0TU`lj_)}NjD&&k`!D+BRb?c!_0$tKcq)8*KNs~K~lutm#Wv> z&`@vO$5DHSr!qI^G^Ldm=fSOOf5afpLHcufx6h#>F*m=>^>KV;IqVrV%}3*vVgxrV zDj}>?-Oo!*d+VRUk1iRt=Ee@_Z2~B8b>_u$IHJPp67y@Z!MiiBY_y%f3Fgyqt#}AH z^%1Mfak5(=Iday+UPkuUpuEGkyZ;^i?x=yGa73O62mLi^Zt?T_aoc9sbJLcblKe9B zI!ugx<}{FA_4|sXFCB6~a+^N+9*wHSGu}*x`y3rw?KbHsw7E3XGNC5w0{bMl!za%E z!4yMB)l?`rg3u$WPC4J?|B}uvdM&A3TqfiilHiCKreSD~n{M89WOf2Ct>^lnR}0qF zLkLHta&V-ivkQh3?DXRwgZ5LW@d`P=bAIN$pFk3e5wQ{tSIV>nJ+#mmmDrM%yCYy< z-h1m3zm0I4Za8y0suRw5I5PZd;-79$E16$IDh4OcLToi08ubY>NEKM5(~T330o((t zgri>Cd~GI$`vR$25TtKa>X1D{$3?Txcn7@~b}HZuBLsD}MqT8X$@hw^_f>l^_9ktk z^qy#eMK~d?DT4Y{C9sK#f0aic%C!#OXX?CaeOv2v9cTLIEKRz(w?+F>x%iD?E zJ7Ryb`;rb8$;1R8y=srBezWpNFb*l6c70DX~W!~ z>Ov}is2G%MRy@K$T)#~a+$@idM-)!*)NlC^{UU?qi9DXD?eK;xNrNUN*&I zSDLHONr(5h;zT9>Ga>)Ba3qgI=O+RCR6n^KmBfmZ{S@FIvREaNP6TpWecQKGEvg5q zSCdQI=RI#5^~Kz6dCt^3T{ow_tKjy={la00)}<{g%yaLa`~S64YgK*b^1tlu3!PlG kC^Iy$Sak3DLD^@^H}%xQ;&DB39n+WO-n1Mhbj-W*U$E$hfB*mh literal 0 HcmV?d00001