From ce7ec85766402526d4b781c7e481ca77c551e37e Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Mon, 18 Jan 2021 07:58:45 -0300 Subject: [PATCH 1/9] Enable analysis for managed binary --- .../BA2004.EnableSecureSourceCodeHashing.cs | 42 ++-- src/BinaryParsers/PEBinary/PEBinary.cs | 2 +- .../PEBinary/ProgramDatabase/Pdb.cs | 47 ++++ src/BinaryParsers/PdbFileType.cs | 26 +++ .../Expected/Binskim.linux-x64.dll.sarif | 199 ++++------------ .../Expected/Binskim.win-x64.dll.sarif | 199 ++++------------ .../Expected/Binskim.win-x86.dll.sarif | 199 ++++------------ ...ore_RTR_linux-x64_VS2019_Default.dll.sarif | 215 ++++++------------ ...tCore_RTR_win-x64_VS2019_Default.dll.sarif | 215 ++++++------------ ...tCore_RTR_win-x86_VS2019_Default.dll.sarif | 209 ++++++----------- ...NetCore_linux-x64_VS2019_Default.dll.sarif | 215 ++++++------------ ...otNetCore_win-x64_VS2019_Default.dll.sarif | 215 ++++++------------ ...otNetCore_win-x86_VS2019_Default.dll.sarif | 209 ++++++----------- ...InteropAssemblyForAtlTestLibrary.dll.sarif | 199 ++++------------ .../Expected/ManagedResourcesOnly.dll.sarif | 199 ++++------------ ...aged_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif | 201 +++++----------- ...anaged_AnyCPU_VS2017_Prefer32Bit.exe.sarif | 209 ++++++----------- .../Managed_x86_VS2015_FSharp.dll.sarif | 209 ++++++----------- .../MixedMode_x64_VS2013_Default.dll.sarif | 175 +++++++------- .../Expected/Uwp_ARM_VS2017_VB.dll.sarif | 213 ++++++----------- .../Fail/Managed_net48_portable_exe_sha1.exe | Bin 0 -> 5120 bytes .../Fail/Managed_net48_portable_exe_sha1.pdb | Bin 0 -> 1372 bytes .../Fail/Managed_net48_portable_sha1.dll | Bin 0 -> 4608 bytes .../Fail/Managed_net48_portable_sha1.pdb | Bin 0 -> 1224 bytes ...anaged_netcoreapp3.1_portable_exe_sha1.dll | Bin 0 -> 5120 bytes ...anaged_netcoreapp3.1_portable_exe_sha1.pdb | Bin 0 -> 9360 bytes .../Managed_netstandard2.0_portable_sha1.dll | Bin 0 -> 4608 bytes .../Managed_netstandard2.0_portable_sha1.pdb | Bin 0 -> 7156 bytes .../Managed_net48_portable_exe_sha256.exe | Bin 0 -> 5120 bytes .../Managed_net48_portable_exe_sha256.pdb | Bin 0 -> 1412 bytes .../Pass/Managed_net48_portable_sha256.dll | Bin 0 -> 4608 bytes .../Pass/Managed_net48_portable_sha256.pdb | Bin 0 -> 1260 bytes ...aged_netcoreapp3.1_portable_exe_sha256.dll | Bin 0 -> 5120 bytes ...aged_netcoreapp3.1_portable_exe_sha256.pdb | Bin 0 -> 9400 bytes ...Managed_netstandard2.0_portable_sha256.dll | Bin 0 -> 4608 bytes ...Managed_netstandard2.0_portable_sha256.pdb | Bin 0 -> 7196 bytes 36 files changed, 1111 insertions(+), 2286 deletions(-) create mode 100644 src/BinaryParsers/PdbFileType.cs create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.exe create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_sha1.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netcoreapp3.1_portable_exe_sha1.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netcoreapp3.1_portable_exe_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.exe create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netcoreapp3.1_portable_exe_sha256.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netcoreapp3.1_portable_exe_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.pdb diff --git a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs index aebe9c3c7..9bdb246de 100644 --- a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs +++ b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs @@ -35,11 +35,15 @@ public class EnableSecureSourceCodeHashing : WindowsBinaryAndPdbSkimmerBase, IOp public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { - PE portableExecutable = target.PE; - AnalysisApplicability result = AnalysisApplicability.NotApplicableToSpecifiedTarget; + Pdb di = target.Pdb; + if (target.PE.IsManaged && (di.FileType == PdbFileType.Windows)) + { + reasonForNotAnalyzing = MetadataConditions.CouldNotLoadPdb; + return AnalysisApplicability.NotApplicableToSpecifiedTarget; + } - reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly; - if (portableExecutable.IsILOnly) { return result; } + //reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly; + //if (portableExecutable.IsILOnly) { return result; } // TODO: currently our test binary for this check is a dll that does not // compile against any external library. BinSkim regards this as a resource @@ -55,22 +59,9 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper public override void AnalyzePortableExecutableAndPdb(BinaryAnalyzerContext context) { - if (context.PEBinary().PE.IsManaged) - { - AnalyzeManagedAssemblyAndPdb(context); - return; - } - AnalyzeNativeBinaryAndPdb(context); } -#pragma warning disable IDE0060 // Remove unused parameter - private void AnalyzeManagedAssemblyAndPdb(BinaryAnalyzerContext context) -#pragma warning restore IDE0060 // Remove unused parameter - { - // TODO: use DiaSymReader? - } - public void AnalyzeNativeBinaryAndPdb(BinaryAnalyzerContext context) { PEBinary target = context.PEBinary(); @@ -84,15 +75,18 @@ public void AnalyzeNativeBinaryAndPdb(BinaryAnalyzerContext context) Symbol om = omView.Value; ObjectModuleDetails omDetails = om.GetObjectModuleDetails(); - if (omDetails.Language != Language.C && - omDetails.Language != Language.Cxx) + if (!target.PE.IsManaged) { - continue; - } + if (omDetails.Language != Language.C && + omDetails.Language != Language.Cxx) + { + continue; + } - if (!omDetails.HasDebugInfo) - { - continue; + if (!omDetails.HasDebugInfo) + { + continue; + } } CompilandRecord record = om.CreateCompilandRecord(); diff --git a/src/BinaryParsers/PEBinary/PEBinary.cs b/src/BinaryParsers/PEBinary/PEBinary.cs index 9e8f18fd1..e34e36845 100644 --- a/src/BinaryParsers/PEBinary/PEBinary.cs +++ b/src/BinaryParsers/PEBinary/PEBinary.cs @@ -43,7 +43,7 @@ private Pdb LoadPdb() // We should never be required to load a PDB for a managed assembly that does // not incorporate native code, as no managed-relevant rule currently crawls // PDBs for its analysis. - Debug.Assert(!this.PE.IsManaged || this.PE.IsMixedMode); + // Debug.Assert(!this.PE.IsManaged || this.PE.IsMixedMode); Pdb pdb = null; try diff --git a/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs b/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs index e544be35f..7859ad05f 100644 --- a/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs +++ b/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs @@ -3,6 +3,8 @@ using System; using System.Collections.Generic; +using System.Collections.Immutable; +using System.IO; using System.Runtime.InteropServices; using System.Text; using System.Threading; @@ -22,6 +24,11 @@ public sealed class Pdb : IDisposable, IDiaLoadCallback2 private StringBuilder loadTrace; private readonly Lazy globalScope; private bool restrictReferenceAndOriginalPathAccess; + private PdbFileType pdbFileType; + private const string s_windowsPdbSignature = "Microsoft C/C++ MSF 7.00\r\n\x001ADS\x0000\x0000\x0000"; + private const string s_portablePdbSignature = "BSJB"; + public static readonly ImmutableArray WindowsPdbSignature = ImmutableArray.Create(Encoding.ASCII.GetBytes(s_windowsPdbSignature)); + public static readonly ImmutableArray PortablePdbSignature = ImmutableArray.Create(Encoding.ASCII.GetBytes(s_portablePdbSignature)); /// /// Load debug info from PE or PDB, using symbolPath to help find symbols @@ -134,6 +141,46 @@ private void WindowsNativeLoadPdbUsingDia(string pePath, string symbolPath, stri public bool IsStripped => this.GlobalScope.IsStripped; + public PdbFileType FileType + { + get + { + if (this.pdbFileType != PdbFileType.Unknown) + { + return this.pdbFileType; + } + + if (Directory.Exists(PdbLocation)) + { + return PdbFileType.Unknown; + } + + int max = Math.Max(WindowsPdbSignature.Length, PortablePdbSignature.Length); + + byte[] b = new byte[max]; + + using (FileStream fs = File.OpenRead(PdbLocation)) + { + if (fs.Read(b, 0, b.Length) != b.Length) + { + return this.pdbFileType; + } + } + + Span span = b.AsSpan(); + + if (WindowsPdbSignature.AsSpan().SequenceEqual(span.Slice(0, WindowsPdbSignature.Length))) + { + this.pdbFileType = PdbFileType.Windows; + } + else if (PortablePdbSignature.AsSpan().SequenceEqual(span.Slice(0, PortablePdbSignature.Length))) + { + this.pdbFileType = PdbFileType.Portable; + } + + return this.pdbFileType; + } + } /// /// Get the list of modules in this executable diff --git a/src/BinaryParsers/PdbFileType.cs b/src/BinaryParsers/PdbFileType.cs new file mode 100644 index 000000000..2e8749a77 --- /dev/null +++ b/src/BinaryParsers/PdbFileType.cs @@ -0,0 +1,26 @@ +// Copyright (c) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE file in the project root for full license information. + +namespace Microsoft.CodeAnalysis.BinaryParsers +{ + /// + /// What is the format of a file. + /// + public enum PdbFileType + { + /// + /// Unknown format. + /// + Unknown, + + /// + /// Windows specific format. + /// + Windows, + + /// + /// Portable OS format. + /// + Portable, + } +} diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif index 338e4c362..c58554b0b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.linux-x64.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -600,6 +576,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -622,9 +600,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -650,42 +625,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -709,9 +653,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -743,9 +684,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -774,9 +712,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -802,9 +737,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -833,9 +765,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -870,9 +799,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -904,9 +830,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -932,9 +855,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -966,9 +886,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -994,9 +911,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1025,9 +939,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1062,9 +973,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1090,9 +998,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1118,9 +1023,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1143,9 +1045,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1168,9 +1067,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1199,9 +1095,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -1227,9 +1120,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1261,9 +1151,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1289,9 +1176,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1320,9 +1204,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1354,19 +1235,37 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll" + } + } + } + ], + "message": { + "text": "'Binskim.linux-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif index 6f4dd27b1..e7b0f7b2d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.win-x64.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -600,6 +576,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -622,9 +600,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -650,42 +625,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -709,9 +653,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -743,9 +684,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -774,9 +712,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -802,9 +737,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -833,9 +765,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -870,9 +799,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -904,9 +830,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -932,9 +855,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -966,9 +886,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -994,9 +911,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1025,9 +939,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1062,9 +973,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1090,9 +998,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1118,9 +1023,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1143,9 +1045,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1168,9 +1067,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1199,9 +1095,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -1227,9 +1120,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1261,9 +1151,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1289,9 +1176,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1320,9 +1204,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1354,19 +1235,37 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll" + } + } + } + ], + "message": { + "text": "'Binskim.win-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif index 35b4158ba..8599c940f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.win-x86.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -460,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -482,7 +458,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -504,7 +480,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -526,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -548,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -570,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -596,6 +572,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -618,9 +596,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -646,42 +621,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -705,9 +649,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -739,9 +680,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -770,9 +708,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -798,9 +733,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -829,9 +761,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -866,9 +795,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -900,9 +826,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -928,9 +851,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +882,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -999,9 +916,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1027,9 +941,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1055,9 +966,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1080,9 +988,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1105,9 +1010,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1136,9 +1038,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -1164,9 +1063,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1198,9 +1094,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1226,9 +1119,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1257,9 +1147,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1285,9 +1172,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1316,9 +1200,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1350,19 +1231,37 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll" + } + } + } + ], + "message": { + "text": "'Binskim.win-x86.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif index 107c09cd1..c6cd2c125 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_RTR_linux-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_linux-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_RTR_linux-x64_VS2019_Default.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_linux-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -600,6 +599,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -622,9 +623,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -650,42 +648,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -709,9 +676,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -743,9 +707,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -774,9 +735,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -802,9 +760,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -833,9 +788,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -870,9 +822,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -904,9 +853,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -932,9 +878,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -966,9 +909,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -994,9 +934,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1025,9 +962,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1062,9 +996,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1090,9 +1021,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1118,9 +1046,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1143,9 +1068,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1168,9 +1090,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1199,11 +1118,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1227,9 +1171,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1261,9 +1202,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1289,9 +1227,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1320,9 +1255,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1354,14 +1286,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif index 2d3c71998..24d64d584 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_RTR_win-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_win-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_RTR_win-x64_VS2019_Default.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_win-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -600,6 +599,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -622,9 +623,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -650,42 +648,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -709,9 +676,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -743,9 +707,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -774,9 +735,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -802,9 +760,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -833,9 +788,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -870,9 +822,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -904,9 +853,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -932,9 +878,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -966,9 +909,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -994,9 +934,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1025,9 +962,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1062,9 +996,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1090,9 +1021,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1118,9 +1046,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1143,9 +1068,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1168,9 +1090,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1199,11 +1118,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1227,9 +1171,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1261,9 +1202,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1289,9 +1227,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1320,9 +1255,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1354,14 +1286,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif index 156219975..e57ba75df 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,7 +61,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2015", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,8 +253,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotDisableStackProtectionForFunctions", - "image is a managed IL-only assembly" + "EnableHighEntropyVirtualAddresses", + "image will likely load as a 32-bit process" ] }, "locations": [ @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2024", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableHighEntropyVirtualAddresses", - "image will likely load as a 32-bit process" + "EnableSpectreMitigations", + "image is a managed IL-only assembly" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,8 +301,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -389,7 +389,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 16, "kind": "notApplicable", "level": "none", @@ -397,7 +397,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -413,16 +413,15 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 17, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "native" ] }, "locations": [ @@ -596,6 +595,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -618,9 +619,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -646,42 +644,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -705,9 +672,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -739,9 +703,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -770,9 +731,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -798,9 +756,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -829,9 +784,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -866,9 +818,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -900,9 +849,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -928,9 +874,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +905,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -999,9 +939,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1027,9 +964,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1055,9 +989,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1080,9 +1011,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1105,9 +1033,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1136,11 +1061,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1164,9 +1114,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1198,9 +1145,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1226,9 +1170,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1257,9 +1198,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1285,9 +1223,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1316,9 +1251,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1350,14 +1282,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif index 01054fefb..5bba7bf8a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_linux-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_linux-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_linux-x64_VS2019_Default.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_linux-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -600,6 +599,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -622,9 +623,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -650,42 +648,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -709,9 +676,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -743,9 +707,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -774,9 +735,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -802,9 +760,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -833,9 +788,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -870,9 +822,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -904,9 +853,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -932,9 +878,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -966,9 +909,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -994,9 +934,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1025,9 +962,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1062,9 +996,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1090,9 +1021,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1118,9 +1046,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1143,9 +1068,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1168,9 +1090,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1199,11 +1118,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1227,9 +1171,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1261,9 +1202,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1289,9 +1227,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1320,9 +1255,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1354,14 +1286,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif index 26c5773ff..f2239d837 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_win-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_win-x64_VS2019_Default.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -600,6 +599,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -622,9 +623,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -650,42 +648,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -709,9 +676,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -743,9 +707,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -774,9 +735,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -802,9 +760,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -833,9 +788,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -870,9 +822,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -904,9 +853,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -932,9 +878,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -966,9 +909,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -994,9 +934,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1025,9 +962,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1062,9 +996,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1090,9 +1021,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1118,9 +1046,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1143,9 +1068,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1168,9 +1090,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1199,11 +1118,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1227,9 +1171,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1261,9 +1202,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1289,9 +1227,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1320,9 +1255,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1354,14 +1286,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif index 894c8121f..778ffaa98 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,7 +61,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2015", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,8 +253,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotDisableStackProtectionForFunctions", - "image is a managed IL-only assembly" + "EnableHighEntropyVirtualAddresses", + "image will likely load as a 32-bit process" ] }, "locations": [ @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2024", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableHighEntropyVirtualAddresses", - "image will likely load as a 32-bit process" + "EnableSpectreMitigations", + "image is a managed IL-only assembly" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,8 +301,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -389,7 +389,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 16, "kind": "notApplicable", "level": "none", @@ -397,7 +397,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -413,16 +413,15 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 17, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "native" ] }, "locations": [ @@ -596,6 +595,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -618,9 +619,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -646,42 +644,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -705,9 +672,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -739,9 +703,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -770,9 +731,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -798,9 +756,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -829,9 +784,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -866,9 +818,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -900,9 +849,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -928,9 +874,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +905,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -999,9 +939,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1027,9 +964,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1055,9 +989,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1080,9 +1011,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1105,9 +1033,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1136,11 +1061,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1164,9 +1114,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1198,9 +1145,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1226,9 +1170,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1257,9 +1198,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1285,9 +1223,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1316,9 +1251,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1350,14 +1282,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif index 20b7b020f..58b6243cd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "ManagedInteropAssemblyForAtlTestLibrary.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -460,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -482,7 +458,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -504,7 +480,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -526,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -548,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -570,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -596,6 +572,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -618,9 +596,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -646,42 +621,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -705,9 +649,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -739,9 +680,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -770,9 +708,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -798,9 +733,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -829,9 +761,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -866,9 +795,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -900,9 +826,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -928,9 +851,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +882,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -999,9 +916,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1027,9 +941,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1055,9 +966,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1080,9 +988,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1105,9 +1010,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1136,9 +1038,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -1164,9 +1063,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1198,9 +1094,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1226,9 +1119,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1257,9 +1147,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1285,9 +1172,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1316,9 +1200,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1350,19 +1231,37 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll" + } + } + } + ], + "message": { + "text": "'ManagedInteropAssemblyForAtlTestLibrary.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif index a21a936e6..32d50b831 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "ManagedResourcesOnly.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -599,6 +575,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -621,9 +599,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -649,42 +624,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -708,9 +652,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -742,9 +683,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -773,9 +711,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -801,9 +736,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -832,9 +764,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -869,9 +798,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -903,9 +829,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -931,9 +854,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -965,9 +885,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -993,9 +910,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1024,9 +938,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1061,9 +972,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1089,9 +997,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1117,9 +1022,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1142,9 +1044,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1167,9 +1066,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1198,9 +1094,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -1226,9 +1119,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1260,9 +1150,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1288,9 +1175,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1319,9 +1203,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1353,19 +1234,37 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll" + } + } + } + ], + "message": { + "text": "'ManagedResourcesOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif index af88107c9..7b94aef49 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,7 +61,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableSecureSourceCodeHashing", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2024", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,7 +253,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotDisableStackProtectionForFunctions", + "EnableSpectreMitigations", "image is a managed IL-only assembly" ] }, @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,7 +301,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -389,16 +389,13 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 16, - "kind": "notApplicable", - "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "BBAD0342,unknown,0.0 (TestConsoleApp.Program)\r\n" ] }, "locations": [ @@ -593,6 +590,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -615,9 +614,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -643,42 +639,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -702,9 +667,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -736,9 +698,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -767,9 +726,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -795,9 +751,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -826,9 +779,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -863,9 +813,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -897,9 +844,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -925,9 +869,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +903,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -990,9 +928,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1018,9 +953,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1043,9 +975,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1068,9 +997,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1099,11 +1025,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1127,9 +1078,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1161,9 +1109,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1195,9 +1140,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -1223,9 +1165,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1254,9 +1193,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1282,9 +1218,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1313,9 +1246,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1347,14 +1277,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif index fd7631183..86a1928f6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_AnyCPU_VS2017_Prefer32Bit.exe", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,27 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Warning_NativeWithInsecureStaticLibraryCompilands", + "arguments": [ + "Managed_AnyCPU_VS2017_Prefer32Bit.exe", + "BBAD0342,unknown,0.0 (TestConsoleApp.Program)\r\n" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -596,6 +593,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -618,9 +617,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -646,42 +642,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -705,9 +670,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -739,9 +701,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -770,9 +729,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -798,9 +754,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -829,9 +782,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -866,9 +816,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -900,9 +847,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -928,9 +872,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +903,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -999,9 +937,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1027,9 +962,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1055,9 +987,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1080,9 +1009,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1105,9 +1031,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1136,11 +1059,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1164,9 +1112,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1198,9 +1143,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1226,9 +1168,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1257,9 +1196,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1285,9 +1221,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1316,9 +1249,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1350,14 +1280,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif index c4f646b64..ecd56cd34 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_x86_VS2015_FSharp.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,27 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Warning_NativeWithInsecureStaticLibraryCompilands", + "arguments": [ + "Managed_x86_VS2015_FSharp.dll", + "7581939C,unknown,0.0 (Managed_xx8_VS2015_FSharp.Class1)\r\n" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -596,6 +593,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -618,9 +617,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -646,42 +642,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -705,9 +670,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -739,9 +701,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -770,9 +729,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -798,9 +754,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -829,9 +782,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -866,9 +816,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -900,9 +847,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -928,9 +872,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +903,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -999,9 +937,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1027,9 +962,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1055,9 +987,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1080,9 +1009,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1105,9 +1031,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1136,11 +1059,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1164,9 +1112,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1198,9 +1143,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1226,9 +1168,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1257,9 +1196,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1285,9 +1221,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1316,9 +1249,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1350,14 +1280,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif index 382c88ed3..3a7cdb29f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif @@ -265,8 +265,51 @@ ] }, { - "ruleId": "BA2005", + "ruleId": "BA2004", "ruleIndex": 11, + "message": { + "id": "Warning_NativeWithInsecureStaticLibraryCompilands", + "arguments": [ + "MixedMode_x64_VS2013_Default.dll", + "MSVCRTD.lib,cxx,18.0.20806.0 (initsect.obj,tncleanup.obj)\r\nMSVCRTD.lib,c,18.0.20806.0 (atonexit.obj,cinitexe.obj,crtdll.obj,dllmain.obj,gs_cookie.obj,gs_support.obj,loadcfg.obj,natstart.obj,pesect.obj)\r\nMSVCMRTD.lib,cxx,18.0.20806.0 (managdeh.obj,msilexit.obj,mstartup.obj,puremsilcode.obj)\r\n" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2004", + "ruleIndex": 11, + "level": "error", + "message": { + "id": "Error_NativeWithInsecureDirectCompilands", + "arguments": [ + "MixedMode_x64_VS2013_Default.dll", + "app.res,cvtres,12.0.21005.1\r\n.NETFramework,Version=v4.5.AssemblyAttributes.obj,cxx,18.0.21005.1\r\nStdafx.obj,cxx,18.0.21005.1\r\nMixedMode_x64_VS2013_Default.obj,cxx,18.0.21005.1\r\nAssemblyInfo.obj,cxx,18.0.21005.1\r\n" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2005", + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -288,7 +331,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -311,7 +354,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -334,7 +377,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -356,7 +399,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -378,7 +421,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -400,7 +443,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -422,7 +465,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -444,7 +487,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -466,7 +509,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -488,7 +531,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -510,7 +553,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +577,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -558,6 +601,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -583,9 +628,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -617,9 +659,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -645,9 +684,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -676,9 +712,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -707,9 +740,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -735,9 +765,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -760,9 +787,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -785,9 +809,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -816,9 +837,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -841,9 +859,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -869,14 +884,39 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -900,9 +940,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -931,9 +968,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -965,9 +999,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -999,9 +1030,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1027,9 +1055,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -1058,9 +1083,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -1095,9 +1117,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -1129,9 +1148,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -1157,9 +1173,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -1185,9 +1198,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1216,9 +1226,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1250,9 +1257,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" }, { @@ -1284,14 +1288,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif index 3c99ea65a..888a20afc 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_ARM_VS2017_VB.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -460,6 +436,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 18, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "Uwp_ARM_VS2017_VB.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 19, @@ -598,6 +597,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -620,9 +621,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -648,42 +646,11 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -707,9 +674,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -741,9 +705,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -772,9 +733,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -800,9 +758,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -831,9 +786,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -868,9 +820,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -902,9 +851,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -930,9 +876,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -964,9 +907,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -995,9 +935,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1032,9 +969,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1060,9 +994,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1088,9 +1019,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1113,9 +1041,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1138,9 +1063,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1169,11 +1091,36 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { @@ -1197,9 +1144,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1231,9 +1175,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1259,9 +1200,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1287,9 +1225,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1318,9 +1253,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1352,14 +1284,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.exe b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.exe new file mode 100644 index 0000000000000000000000000000000000000000..26407d01e7ba734726c479223f4e8ba92721dfe0 GIT binary patch literal 5120 zcmeHKU2I%O6+UWkt`5?MVM7)nV#o|ti+k9dCc+H>~fw}eVb=`db$T<(<^gC7mYUh=#SUm zOT68rG~I2C5Osmm9dW<+74!^k3QZw~E)~U%5p^o0U>6O11#PtP0?`ru*X(05QlW9! zT~^~MqGH2HEL7bF(dW>ee2A!^=sN`#g`cQ*fqpC@&}Txv6QaLz7Z5{JYmMW^NCSiS zjF7?trDL1Ipd}}uG)y7-jNq;hMHQ=xS=&0Qh$c)Coo`an$W?g-sMu1}K}AONPKU}} zij0=DDxEulZW>IdzIs^IZSZ{l@$-hV0#I>n=Q1Oi>_~R>wBmG-3;bJ%`=3L8vGxG1 zKOYLmt4O8s5;mpUm;I}G`Y8seB=uidU6@7x3TUS0o_GBcXa$&VTsTH_ND==svUD#P z7^-=Y>85BzN4;ojtQygeji~RW9wV3Pq{|vlQz~_s3YgkS4!v)5(qA>cp|NQw&XC6Q z8t-cUDjkD`tj5wJf=%T05XCKi3W=JK;tm6k7Dr$iTO zjy)Y>yOe4nr&(UARVr#ulQ-j6*Bt5W;Y~})t0lKyaKcvA23wdmubN`3X{BI_3J>RT zr159{RzWgn-f{UF7t-;)=Bz|G<9lVNQWIu)Tk$NHmT-c-Lc|?7uAXs;yXKA_$^Euh z1ae}9`vo(8P!~>R^R}XDV0!iDoJ%z?bgEqWgrAb*I$?|SfU;yzAIjHd$g7#yP$o_V zzG6av>MDpeP-DkyX!EkmEwygSSfMWx{;XqGJYR;6B@ z(U3=50&!sLKpkb2v|M@`UZZVyss8zpU(9uTu*c;av8yguLC3@JPfz#!ZJ)X5687h}Y%0szF$Hs@ovt#y< zRkBWv*d?=+%a(A|!s{qbTKtF>3_6}!nkzK6@5#74lQ@mX5q$6G8=_f92Ci9O!bU%; z=CFo@K{v|TUmmyLBx7+!ok>^Gc5yH6syitLwT64p)V0zF)Ta;QScp!Y#jS8DKb!xj z(Y5T}?3}v#(BMygv2^&HvN3a}xGM2Y6}j!1TV}OZlzvTEyeN3!%Obui>Ertif>Xr< z5?l03PZ#x8I7l-S*d@w8Ha+&pDT-s-xDm&Mbzk^LaOm&v)*hIA{%`O7a3j7q)mkpA zF;k=ckle44WPQdLb30sr2l^c2JY&1+9>nYG%fzPi=>LaOx;_jgy$?aGpx+xybZcQN z?BgrFTbSTP`kVVidZ$wnm%)`OqPN^OLTaM<*yOukkeAT_H1sR^!x+@uhCKBx#@ zX+McraXW)AAn~Yj8%teUXM~bpj!GC49oPAofxRkz9J51si6Gq~3$*__R%>d#ScNvR z$&7}-Sy+%{={SNtaW3llCSv1cBX1u1ka9GRaRBcEl!=(s`q$BRbT47w#9M+8Ygdb( zHAn?KHS;iv8-AqG2=fM@uQC~GT@QBLmgqlOJefE`^+r7kKNmq)vRfa*E}6-1$q z_5D0X*N``cm(2*8THhe7wAzU(Zo_UBb_L!rNmcMB)oWXheW;47wI#bpQL2)7zF?%N z|1RgvHE!q{ufU&=+SO3suqBh9)DK}7sM_wee`|$rt?#&=GmWfBog=k#>WK58c`iP< z_YEW`h7W%I`oy`Ns>`;c$I@gP*HoHu&+={D(v#`c!u-&9n#s`gY}55UKAEm_nLc;6 zr@NLTCfE^`&0Oq+7S+xEA( zNVA$VZQ%`tG?qOV literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_exe_sha1.pdb new file mode 100644 index 0000000000000000000000000000000000000000..3644eae6a0e7a2d8a8733d422e8ab004e414ae14 GIT binary patch literal 1372 zcmZ8hYitx%6uz_DE-kHnNU5!aSS^Ss9cSAu9STbKQI;0^+^sROVV%eAcG}sQVP>`z zt)!g=Y7A)#2Em9CHEKac+XP4`NR3G=F$PWlAU=XW{MQK52<@Nhxx2HZ;U?eQbIcWI)_DKTA2#K?G%zc_fgwmmE%1;LJd>(}^sYCt#k2nL_Ic z1!gB8B}HnIL7|flVsA)BHh|{&q(A-0oLf5o(~(5uJ2!Xm2Pb#k$O<+cP_jFBpS$@( z!KEJak-6fM|Mr|MXd1q+HV6sNs|$SF_URR~g`*)f)$+09Lo_%cs4-2Fv0l-Kbwg4W zR7JBiQ&CM?Pi|af<+HsQ{xdUnJpfMWf>8(VwYRsSe~h=W>}76+yX0zNamDi zoQq=QFGs3oN-^m*&Lol|=Ht-{O^zE#k1G(s52|^fny0dwfjv*BKZw=PRgl^xDHsLn zeI3C~;dZaT9u18)NrJ8#YL`j-L*1ON(V{Fvvof_)o#+;HeBr|JHIKP=4HdG7iu37< zF+)&wS>kQln+lGinKLJDn?5}>5=*4CBDguCnw)7zm{i{nz2dm zG|hA;4y#ankV4b9&(_WSJQO^)xNy`zk{GesFURENUs#ui#KO7R%Xfl-V|yImwcYtq zTt?h2DSMZH6Et|Q`On0?w(o=A%*DQJd4`{JrRa~_S$-+ky+%G|1u3hUvLwoiQ`V5fUz^!szyZy|qQdoZvAD}n?GWKfP<|mps1Bow(cMzy5w;ek=!W8sXqKU6K@PE;qh78R^8?>+kb zX@70(m)}1L=^Ka6toxO`qlR@;!bW~tt3l~fL1op$Dkl;j6%FnidGShb?d$7GzW(#n Nnm^XQ^3-@E`X43osdfMW literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_sha1.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_portable_sha1.dll new file mode 100644 index 0000000000000000000000000000000000000000..75920010d2a1f327825a28fd17865c991f44f484 GIT binary patch literal 4608 zcmeHKTWl0n82+a>N`X?KA{Ui`78GnZ?RKdxUg%|8TIkJgTe)n~&hDOW2WDr+nOW#+ zGwRYrh~`dqf#O&L%VyIXbw-N4v8znS%|B5d{a$dt-iK%P8qnib8JR;Rok)B zj+RlAnrT{|nh>g!HC5eIqr)*ZW2HoB-MXs!!1PED(STA)wYk{)`PFXFE_IF4L{te5 zH_+k70V-Mt8c~hxm-v1&qk@6yEE@Psr8M;xtMcE%GZ-=p^yeO;VeWKbDNe#tnj%^Y z-ksenhH6tlf+2+)`1QOT7_0b z9q>Nn2*ZLR`$|)2Y)i(CXFwf9UHN|g*}!=Pv2P_*PH~m!<8mT}nfF1vN}gEH4(`L; zuGrx&C9uSPosNW>LM=@#&FyTsoDAT3EL8U@Q7!z9qt(ScM>o?hYuKm(kF-muo_0)@L74Y+CrGjot{6S($VNR38eu-~L{!v;53#}3_OU`HXDKy7Rew2&U zV`cV(e>L6t+* zl{Lh3lyQ@mW9SJwl+{z69(G0|>j{dAL^hq~X$!n=D>I?H`XXMZ>xxXm$c^bFD-i zA^f&=L(Ui#hBhmE?sD5B4sw$8mJ7NqJLl->nR|*dwr1uQ=8R@dPtOQm6YC^&L-&fL zv7GCPOejza1!3Yau2i#7$}q^E89YLxV%iW%4wFJj&vNqosIH|=%k}i6n`hNh>% zSawV}r}d;*CiasgoPyln0dNgF1?t0zlUPvhu@8Uxd_Fq+YyaHzC-a@ZT$-aYRZ%KS zRZ_~)*|33!)eI$-mtTrcY>nJFSE&S-%wv2k$4WN8;Ar-cW%kS_g{;=tjANZ~73i&! zr&v{J`%2rG%B9-F3T-S@NB#DKs)n1w%|v?@s&8-K-N?%IZy8^S)` z$aB#iU@g5`Xfzg$9ecMS z_WSMc4_}HNKYwD~!FjgPeIP#W;=sg3%G6G2nQYv(vQARO9bsE;97o2ra5!zdHNHYh z<5uEiTo!#Lt&p8cP^_;ryuXzKU#jxHaJ)NS{~~o|^GENLU%r`8gL{u-Ilz6Dd&?<* zKl+l%Zp(=p#-OH~{>w=Sc>q{?cQ&sfmYu0C@i>?lz!NY z{2Y|?HTWhdg}j+~dK95H^lhx}V5Gq(j(-w1W-!A01wK|5*`I*afpj7MX58FOg~p$Y zD)c#np42sA$0+jp{`?5RX9GXp9~)tR0JhW8GH1@FoQyaPuldcroTt(S_@z=9zJ_I7 z`(UNmj$h#v>}Fus!8b|13IwYh({Qi`SD0hU=bT4eIii0X+fiA|5v*e&-Yn|q6=m*z z?GviZHC$|WX(gA|u}#kDL>63`6W$p)1t_rWi72}#1w;#?KoSu-JxpOC)*bKoUQ@gbeYH9W$3(^xm!gM zyR$+~B(-9AMSq|~Qz~LYLP>13Bu%P~F>3k;Atw66Uu*(Ogkntf&UThG+~mwT_dDM? zXYRRYCQNsR%Rm`0S0$F-Xn5nWk06TxC?XD;ls%(E*17y-CM5i}iU>?xZaOxhgaAFSPW2MF5jU;yjV z+Kky{U^C`kDnUi1e+5#I^10+tWL)R>Zpw$*$zi3)jAPf3**-E!5QhH#q6; z8ojG@aC!fpCAM$d{F+72I1R4!oV9%nMlN!SqzWR`nuejK3yKW35EMZ+wGho@E9obE zOjlN*a7cX^W$p%<`xp)XDR%?FFiCBBTpdpaaqziMH2JUa{#4u7Rrf4rltBz( zK4^$yuOTR#{nM>jhZ%bYfYfI{_D_xf75j3g&i>~7LjUU6mDi?=%yqzcVb+rw2y`F$ zux|9~?BAy><_hWgBB=%}b9F~=AFmBhH$64|LH$CNMe2r#Xh*2ji6aUwK2iqeZ%zik z{W%xEaBu1T$XI^NV(*f~)h7&A0p3$soVgW`9vigH_1*e`Uq#$0$op5H2{(8@`t#zQ zzVG7S6r?YDo?#2NNSiaEj3@gHvzL)X2A|j*fK7!LdNh5A_8okDDV~>$GG-J$r{`2+!`Vvn*=6IvE zeU57RBzGeEo?T)0Iiu!qkwkZFV7tah@Kr?{YJ6#BmR}q;$19}kP-4XcA%uSdY!*Qs zS9tWn3bV$XvEX&DL3bW`?o6aj`sLS8X{{l5ZqxOLdNoCb8WNyhUCPxVrxl!K-2++j fPv=Rm>vTosX@MHN;p%y-ed1*Ibz6fUf35!m-}!lO literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netcoreapp3.1_portable_exe_sha1.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netcoreapp3.1_portable_exe_sha1.dll new file mode 100644 index 0000000000000000000000000000000000000000..fbbc7d02b03f8adf9d0c08d8e4dd7ee4be0df7df GIT binary patch literal 5120 zcmeHKTWnlM8UD}u5@(G~LN7`wl*zgmhbG6~I7w4uC+pZwv($DR?s_V07$Lo`v z8#8BJuc)X6f+rr*C*T29NIW1O+9E)zC>4)wB`RL1DzykIfz*qtrc!z8L(^~OoMW$R z2mBCFkvi-7&-|D9=bQhZn`a-nLLEfZiF)lC(R28!Qqc6@lQpROzxMln`t9yl_CIIL zyt2Q%>_`@hpdl=e*_Q7I5vy?~nm%)UHg&edyr9m_zP{|8iR<}kq8X!u&b|Hf-=(9y zNjd5@hKYJ0$;Q%!d+=qb1yn^CKA9LdS{lFl(i$q{s&vre4~X{Yzm0Fg#wPUf-9%?q zyFm1KcOq>6EE0VI{9o=OD!0r3Q=7%`Q?nlMXHo`VGvccez7OpJVW?`Z32wA>VML3j zkirJ1u@%s0iwQVg3P5iP?glVaSZNVe`T7!STPYBoYGZZtu!<{+!j_>fT4qFU7m)!T zb-Rc_bNzCR1iFQTy()8G&t(Py2n{+_`sOJ^dyO%!95IK@k>Qd2{mNGtxu8Em&w=kE zm%v^@9VkV@@f%WEEMkFv1>b@5C3+lfWR(UUIA5H?_ebF0RQxG7sNt&$x*HGNLbO{k z9~mQbYdojESf|6I=BVPOmY8az56W*0)mBqKVBC@ErtfI_ed^78kxsy*o1Uhh8r@Vg zJ_OBb`XZ_JKQ%3C$&Yn=A@i1zr5e4ZT`p+9aTNB@-;D#5$G8T~Go^Tv-ZuuoJ*v4M z?(4$X3XwsxncdWtF=#JnH{AxBr30XQ&|lH}HJ#A3sOdRPAJ){N7TrP?+TCPQFM67E z6CDPqOsX5WCI2XbNq&;bb!KLdVs@1@2m_ zx+ORCDdKs7>D$p(g>qo|tqnyI2`!JDn&UcAn>LAFVq_+8vGumi#5RdA>#j>cqt5*# z_~`2R>xtk?F1J-M$h4zCr1B}pYWRVS99yQM6hs^YE=pXiI5w9_>HrEk2aD`TI$OI0 zw|aryc7`}k5tjmDbP-gbU8ns}uKoIA&(iXri+^a$IWP9MUZ+lG7(E?~j4m|x?p16* z7Om0W^X$p$6MJ9Hj&_0jYJZQRk6WTU)HW?=ZoMe1a4zttS8X1u*_4+>@R&4Uw@dHv zqXz9W=cdb(Sltt0crc0N_zKoJ9Q5D3zMQ5U8M;<$4y%g}8g$Q2w+0Rz>e8ziXBURe z;~2#chZy9ViMLz!dr!PW#_YV>htHr6;+`8+cSlkb+?!C<@&6ihueIrvi8^1~%R*_Y zwDzyRy?o^#N6$R9`>CE?fBMC!@-aDDIWMsZD!lGnmo2YZkwH_~ydroQ$V##y5sPD$ z9ZsG*ZUrSdnfAp)LO@A=-xZVJ<_S#*<3R_+LUq~`K?+jaJAMnoOyBT(T zcOBnGuIxT#3`uOiyhWuqi@wLN6o}qa574B%*Kq``3sj;i=rk>$Rm2Nz4tx>xbo^SQ z7do$g9N$N=uk>y@nfSqz0Hbd%Q(ATbccFkE2j>HaPoI`>TBvd-sa|DhEl4Hw7DccN zz{Ta+&KY1efGL8N19@W`PlMWKn9|=7ya2F6DWpO4orFIRZ8b&%{>c_WT_%wc%FDx3#luQCy7TOat{w#eLAd?sS6?g^ZSc%>LLgE1R= zM3tEkIZ+X6Ad2c@VW?{w-`Pa2vaax@aaCNL!T%P{c-_on`~cXS$YInL9XzXmK%ux% z>t+~lT)av*jrZv+Zsd^YxX$+kax4)`Pp`-pB6s~hD*t%5V?(~%wn?u(|HrYDtDehN z;#bvp4i{REao-N=xcA3%=gX%L9nUctS$^Ge1D}uQT3qH%p6JW=Wyh@K9mn9pm*csn z@JFS+%sopU@*G_l8!~Eb!lZ88 z9P@E^kLPAvxZGUF)^9WuPukp2>>(0O8L4OB4)Gk$>3$ena=VEaYb)U)5&YXt;N*{Jlp_NK|X+aUv zifk2;TU|-nmr%IeL~iJR-kEczX}S0JpU-ESGjrbW^L?J@ec$JOp66ucLbXzW6d>@L zgub1~Rto|Q2?mlMpmETz=mi;lFLYvhg5PS;H~4MgZxFNwg^dN*E+PSo>n%htAxr!> zR~LwkUR#3u6jwVSBMkjMX(9UEip>MULOwmZ5%b){He*7D^7vc178CdEeuEAfN6~dZM{xc1r!kO<_E;!L zdkhqVem+D$d(lq?Xn{6*8~p^=Qc-{xycD1#KLIR|rz^Rui^^&Qw`4D+w?9h%hz_M5 zZnyCatFmuXrqF-mPS{E-Zf{Vl^c78ht2uLE+i^8|=W#GL76$bii~4a`go%wgETkYUbXLTs4pErz`jh_n#m@kJ~SYX>X>BAJM%*n2sj zEfzuoF&Djo$k>cgHe(|b19aYTxa=OP2MYCKaS>?!IwHwhpKNXAO3`<)UQcpdXH9f+ zlDk~F-4M#Gp|cnQo{;AyB9L5sU;&@NWV2CECiz-4K_L(nQ(qf+a@HzRq076JAL?BO zgTptlgkqR&1q)dW0*NO;Fraly(it!le?*#|>G(LGR{VUR6Rz8MV|1XDOzVPk6d;TI z{k=}s9==1FZ~ffpPW#|Nj2nx)(um+BKpiAv1t3C<%)Ht&4FDbfzEneHPjD<7c=Cmw z;5d~dWbg!RmM1n$FX=`+v_JuBUR*nN_0Dhf^foWfleBUBxrj(8g1Jmsz{EzXb%j2J zY80SpLZo+w&3vnhRTsyV3wNcu1Pet7hd|`>Nj$Cy2@+xB-+EO20~9b`lDPIyn*~;} zKdhpZ$1d!^##@QKywEj*4OZNHqXY~t-ee0MRlRE){)4wTb`kL*Hkia?vk?ZEeIe>l zE<-F3AY7bC)w(JI%7mcAW~H7|ZW=v&Y}`H%)vG^`f|dHzQZqCWdV=oX77I_6O;3pD zvTl|47@CeB1z^YFh()j`8=pe`{=BNtm0Bn z%v)%2)ZX;TF&UV{=W$V=(0NRRO(1f)JdtF#;0~TzlzJK9;m_`Gr+a>|I^MO$_Lg7A z)Y0)|SOkxh@%?S;Z7@jz4Tg;gt`x^ST}8_LN8N#=%a9tKSN`Zdz?eY(i3wx6h}F#c zh}XNGM30WK4nR#n_YJ}%3WK@0;~+PU-+>Is-TO^X>D$cFB^5HH%zJ19o*qh4}idYQE z_7w?Wh6pD)DX#bvkPy%Gu=Z(Pp~e@m!e*Lm!W|_KC4<0^*%dZT^9X>cu$R4Re3tH* z$(mlF^`grI*G-ObP=pIlEMVYUIdFS!4Uk}=Z`}7!+F{GMMZfhv+t5!QMS=}_q-~HM zXm(sL9;U+bKD&cJfJaBqzAWN^b#?ENCpW{}-A57NB;YX+A#U=1gM+caTeAzsCa-XA zre3JtdRE=Y;>##N7ZJ?xTaWq+*IGqsb{4>f#*aPAp+U5gdH#ul2Pt-=VArFu*iFDf zm$5_ujfKW(G#+8ve>iu$MocLgx|ie;U1 z==}lm7xnb1_WWhh^Ws z17Mu>j*#x9*Qlrej*Qx7dWDAprHfG0QXv-{uR#Y@_DtR4PRT1h;JQ_?Cd(%d}d}2<4oSL!6Sl+cDZ#nNFJ5;Pdu+iPPMrhzT?1@sLUK3 z7tDn@XvAM9O-wNL7r(9=0A$SuYj$k-S;gU!=UNN_DP21DC9f(XMGpz9fp6$C2*PsC62FY!o-X-J z8N^CC{Py(T0psjT1D9m@UbW44`Sa(DzR%YO$Bj_yIx+1QSh1HCY!&0S9JM@@yCS>) z@mM_WqMne0kOgSsCKp-q`@gpVzC|~l2N7T2p=bQlyfXi6z3r%cBbKP<*GZD2CtXl( z#$3G1=9uDsu}6LzzD0*pyTKxck1Qx8Ype1r)s$5(gB zvzCv5QE|6}(NE5o9E)Fg>I9sDwFi+-EWT_s(v~1GZT*WkO;=NND3@01iJ$5RyAFBzvY!7qI6# zsX39nU=}r0Bh<|N>uG)Yk=8-@9>8tUq!zS-BU;9BGS zpUuo8kE60NjMQ*U{`7)hxMa`|#Zl zI2>ROvJOF4q!^S2n8`fbrd(jjhM-+7x{vd%O1NtmiwY0-%dw!?K%T%4>^K2OK5J|I zV4DG^BX_p(w#&ICq(km=IVz@!d^xPs;2HA6D6kzcCH6)(cLb$T;=d_B93X$e>jY*@mR7l z>KY-X6Z%tQo(H6O;O zT(my~C`c_``lcx}gOa3jrn0hZB0Lm~rdmO`BOctT`2!%H<=vuPrzevmpP#h2s&swF zPy}w(5KT4aWmW>H=`yBTLHSJUV+S5@Rp`BqM;gpH94b8~S~e<5Jh@5jJu zxV^OMRas{(v8rSHoC#4K1PtZq>5C4R7J*WwV)O6x0G9{Y%{dV@LESQ)ta?!|qZbdb z>ku!jvL=vOLOwVRwPw6^vgYEo_{D{iy_Bn;$RX38-N-;V)w3Lm$E;$U0*POMs zK(O|2n~NpyOunY{B#j(zjkYVWiQVZG+aamPBWXE7I#(^T6qLHcb$gfm3&@TpsjKDp zZB5eUM}T$>^Q^_sbyD+> zg@x@K9}-6qFuY3Ao=uS~vNwW_SDS6KtV>%$J`u(bi~^-2BA5v(G^wx5YTI%^L(l#6 zDyL^Hv#g`EQ#$*EL3lYW=i3ocGPA2r zEto;B6u#*+0BLZp2>5~j*@{eL7`Sy*zG|CM|9sOOeUJvH`?a`!MP(#gG|o!kjo zDnUQ7(<6QyR<$`AHoC1`5?PFzM_I~S%3;ye0&gS3|61UeD zZOsiPQSlv~-N3%M4+)p__te@&%-WDiie29}jLZ&g&k1;ZnUAEJ9;Pjf2JP<9vEy$J zWT`ra?+-bB{!oYV{{Ul}j66e^w#M88%Cz=vTkjDXZ<{k|hQ|1kXLbKW9@@ra@&bjp zfl}QDZVR3PSzZ0N_dPH>M=V@B(f_V~$KjE((8fL5ZN+1&3MV`h@=$=X3;H{@e%M8f zj`;4uJ~pFa7>>pR2Msp8pM4GE0ar;{Eut-gsIjbr0do`xuZLkAhDPzHW!d#0ysi}< z-n*~D!M-@U>9&P~()(d3)aR0Zo_x^yt-C^!sO5}&Cai4+NvwP27Qwd(?P@sMU zTCx4e#s9>Q2uM%2{gMQvz~8D%ZKg*$9*%jb^2Oy4e$wKzI@AptIe4xY^(ij`oNCkJ zT@J1Y=p$w5z0@!x(Y1gR{OEUwHTHFl9G#>;B zg83qzw*cn*1QUpCZyuT|`N*W07p(sdr05VQHQldMu{|4Zwrii>eLPtjT?$EvXTrND zRY=@_aD3mSF2M`xX%%0)3)6Bw{ihPvTn3Lhm`5U-YT3Yf&WOX(jqxW*2?*lT-FM&r zKV^)Vf_ENu_rO9R1w3hNH=IH*YG=hQ>weYwpHeoO7_1_ptxlE~i-DGPxNFUGt|bGf zM5s>dR1aTGz0_CV5xwC)en7~aBHg8(X1WEhg=}+Ay-2&F?*RE;i<#g3#Fva8gHx=4urInpIjRR!ZjI ztc&~H{t92Y8b9>c%V-?YUO!vXn82Lza;A$UkFQ}H?qPcEusWym@y0y!FS03+A=kq~ zKOq6M&%M~ZKn%?(_l^X-;|z}%2R>gxjk)sdcw;x=!U#2`XsNR9>0M92=8b*&c^1Fk z*&&{;_e)Vs^pSr7jhJ`m$x0umRY{LowTA&wc z6PNgyl6@j)w^2{Um62$P>6oD!YSmwX&ST4#!^e}fXa%}YDv!O^!3*s{2TQM<&@M8D zyfT&~X*T3+D$Lmux|@`v^ET-1Zs!#v`Ot^E`1$;PnU>_Ba`*(hx9(Oa#w^K?YN=xv z;UEEwrhM2lLa9?{uG{+%nC0c5sK7YnOAo)Ql7<+F@q`WSiVq@aJccYT<=L240>jdL zITtlH^xIT@-Ezf|I`6e7Y>;GBNts zA6stkiR-|$!SW`|v*mS-(Lj||RrB@g>*i1oUu+c;ew{M|8$5X8MqUlg12!s7^GHid zS0L?kZc^>YrmmJ7DAy0mqZQ`^v9Aha+B&m4Y@;?Is+6$yLvo{~rNWTho!aBp4n0wT z(!|RaF8ytneN}W(fYPPofpVy!34wIl3fDeJl#uCGs_2MH9IL)X&7VA`XQCWzBbmoQ z^DtTO;vkBQ{u%Ce)bJ=J*EN5bUY02>!oEu#*o1?pq!>k3 zoS&oxe#+M+XqyR*cJa*J=T+W5pT|i##wcXPD3UCcT!m=XsEjbVupi73kCWDDN& z6RMz3Ji+rw^dY{fuC#1pZs#H*^j`%KG%~Iv7;fkD1d<2g+mRq-yU+(VoQU=b(4>k( zUW*yB+&&tgz$~u=-nN^$hetNR|T)W0KzFw=1#Nl~KWv( XIB2}wR_XhoGT(PXRkM2gcnJDGU{~O5 literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.dll new file mode 100644 index 0000000000000000000000000000000000000000..6eab6d2acc9da4d0ed15dd742b486a128b95a450 GIT binary patch literal 4608 zcmeHKU2GLa6h7NO+5#0)BoGr^DCJMw-2T`AqPFz5P^CZgUJ%Vq+P(KqZx{CNZf5sF ztA_LijBibh(HP%+F~$cHjUg%z#E@VDK4C&gOo%=h;{!4JpoCDrGrQY++oGukUkK-R z&di)SbLKl|&dh8FU!A3DBC0`|nICi<-5+U5(|;cJ`Ila{Z0 z(k)1{sOL<_aRWUobXjtA%h8j=DZS|Cg|T{dY-q9=g)5NB>a8JR=ZO0s3FnfniMf8R14xkxn#jNMGjAQ`oxEVEsmv z3hD-WLkio4B4ed-6t<=OMjcT%(Sf)f*Y9v#L5!`6YAK@=-9j8R7XAm?Qnh0x1KfqV z2U0H{&>~BW>r|(aFgg+)ZF|{pE!p7XSg7R;(N)yDfw?6WNXsestnmjDleeVhXo~Kl z&F-`uJUWm>y$S=@xqrZRv#6OcT|2mrsDV3ov<_My`oU{sOd$a{6+ZSa^zl6{tm~*r z`%S9@BIc8HOM8r(F|Cf?rZbQn)UJTvCgz_g{*B^>lE0zaTdFQ8V<}i?`}|u&hiMzN zsrHD@@^c$*!iEN%H?j6w@H*NE-bg#a*Fcx~Ud4M9A5i>=;;$%fg4dBjD`^vWGi?Wd zg8IQ*kk1A^Md!df=sftd^d)#NT>*bd$y4ApGjRj}NfATmIK}ihW#T5$py`+eksotJ z;0LCYH)X!vNQ`-|49u)8#{5aM?fyz*i?w=f)A!qG|Dc;M+2VPsFiA;~EforEu_r(# zWJ`gd9^V(mtUaB!f=Y4Plm!v=nt4{a3)+?Gy@Ep_TOst zy3T}EC`qMPHqz@BJ9QwP>te z%iX5>tFJfDU3>cbBlTKz&u`)rldf9-vNXLR*Xf(e36D{xC#8GZ*PypT9k4EqHX1{H z=~R@8yQ7dicM3@f3r*|h^CD^ao^4JKAx&tfMq8Ja$keD&t;$7QHCVI_Hy3`mJ0Mq` z$k89aesh+z!4W<;AEV6TotRw_MmlY$J zc;*+pNi0sHXs~LMgdGdt5dtI3K_xR`Q&1lMI;aES2$VbzE+KEn zYn;HS2Rl-YWtAsm(42%$o3bUcnZRYN&Bx;y)|6PayjGh+ z&gi)iMt4G=cOX!@4$#{b5qVJ93`EVwk7)<8Lc^DpK$Lkk-VKkYRb&c?A3sDo%4-VS za3trQX6-nh+zWT@|G*gL$q3eVfxLu$3o4?5Pb#d=2p&Y9B=DW8(ZaPB?_7D`i1w&G u?!mtLh+z?#Z6kU*PSwKQF3$<~8X literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_netstandard2.0_portable_sha1.pdb new file mode 100644 index 0000000000000000000000000000000000000000..cbf143b15c4494f1837df7fcbff56fa4e014dff4 GIT binary patch literal 7156 zcma)>30M=?_P~QI?&5;tRySOzVq_H%d_oqI009gr2yR0%KqSe;nFOV7C?X0dP;4RM zUvU9Z6c7;=s7qZRxFCvEYZYtVs=`D4T5Cn$o#fsSlDvNZd|$qq%$(mj=Wgemd&3G3 zWLYpQ81$zf_=a&<Gz;qu=x92{_=o5d1C}34XI=1g-4lj;rd=%2Gj^SAN*X{ukSyoKMdI zj~P5W2BSB)0&%TRJ>Y#`aP0%{>38%8yo0yvqL=snVs zF@B^KBN1Fv!4-X`07(nR6d>D#9%--EuRkAe%1RCV{(eC0#=4-py?Da4irx!@%kMW1 ztX-z+|9aT)FN+Ti6sG@42*j!GOFzWUopY(@twA~AjI*KpdhB7OToV&=rBsHK)01$L zk`fAr8`F#FJl%uo>O9lgo$2B{%^R1v$9j6YOI)43-JQL>oF%xIB+f;QdBr+=dN_Mw zn6r!6ODti?Fh#r?i^myk2L_>3N#)XSFcqy*g2$@krz>S@ib1Ls;03O?<_@g6yLvc- z@kF@(ohQ=`pm9^}+SSZ#` zi-A6$sp;#}YZWQnxnQ;D&GDDg6u62~VG0RGN}%NT1AwHT9fR3?M4oSPot1K^ydU#Vmh3KhOm1?7K$4oqY}#J5aivraAg_WIepU45WDn~=$HG2Lwx6M$kh zN#Y7)_V}=wdovy8hVC4mHo|Rq;xRLURWA$~1gPkd%+hQ+MV_PjYm;piv1rJx? zq*QF=sP|~0o6W)j0og&DJ5IG`Z8yV)D{-+DlS#k9QLiAwQ*R9$v$WFDzqtO+xcOVh zr|4n1l2Cw#2?+@<0}TZ~DKJii0vbodbhr9odzfrvaOt^W7gip9+{--Qy|FVK?uwo< zyn@RPd)L-SCi$9YxJke~3!`v}Kb5RNjXnoQr|9*@dxeuv`{hmcy=||NZZ)sNWOgCE z*m3EoO4|+WomXwgO#VkN!W0t;nUgQFMHXi^4E`fHW{DzuNu7u z1x3hkBjFeQ__w3u>V!4-si&Xu1%vd$B$7M@+jV8rvYgnEydy$ z1f`OSwG&!JVqz6qjL1k&yCP>>l_%?1gy3X(vUi~wltaf5*z60iG29f_S`QDqfJ*!8 z`ws=G$C|+cKx~_@i);c#9ATs&-S)e|-pu^qZ{L2k^qi+?u^9znBq7Er?G1>c%sBS5%_B&A?h zXcYuYK_~%B)5v?fMxO^czOsO#o1r1LwSRV)Q$!FlW8X*bJ-Fq=M{!VolxEd8AO2F9 z!)Uj|2{oyA{xaTj(qT<6Fii9Vs2mUN4B=S6SwF z7lOJe)JAJ>WiVbjhXskBz2ubc^?i5o#pz{8JBh96(uhLC?EBxbUmq%Br=Mq8Jc}6? zZzOE8HjyV+ZAZO2*6(s)aX*2(Cy-aQy5UG|Mck>j{L6cKvZ4=CzK$ z=k4b?pQ1;-G>dRof@wh~ZDWJ1dWFsY1sHpO2B%L$%ivT<3qrM#mIU*;E7CT=k&XYg zWO+wkonYIW2Ttua-pkE1^m>ACy088NN4MS^^>HD$a^>Ezmf6@1^LVsWNo#%kiLoap?lX2wQ8?$M4bYfW#U#NY*l3sg`@Z( zhnpSsa#lW3heAYmghPS?!5};!_`5k)2@ZQ*7}g<&KH3M`qCq3vuxiCbPdw`BgZwM&yu3Jj6CYMe~QV)e7O z33kHh?04^MD& zbmbk7O`y7sNC&8FgAU`Bn< z9kroBj|`=a%k5^^s@&Z(Mr+dXz!QzjT_Pq8pbQuhzFdt{`kDX{_RllV_Nd7ZskM5v z*&!tOrU4O-gR)qvN`^gm3)+Zo`oKGCqYT{phjhu_304|If)FQy${hl?A>g0fkYP7c z#4hafYHHl{cbg1=NIaI0V-lR~s>hAsvHWtuKyOQ7Mx$%)f*CK?cZb8FLAFfVRlXy; zXUM1*J>M5`3zyVv{qz6g8_c7+A!>oXUh}`%bgZ+6zrWw>>>sKo3`UGvPM7ScWoXJB zvS@u@SMq?Dp=v#s{&!AKC>{Hn>J?b-g)g@1}?p@q0H$_cC>Q4}T z`zh$rx*B{*csYpe9#Bg>`kYm`2SpTA zUC=uo5QfQcoJ^9^p3j$3YD~s9(lX_aO_OT87q6!5*ob;hdkop`R-@dbO%^d26`}qv zH?VP>+*ce+>8BX9qeLc62IM|;H72m<7}1qyymI29S7#h2(#QxOY!P48!N9@#|;U zf{4d+FWkJL2s))1J8o;wsjrQk3F*E_5Y;;Q>xUg*?D^#mpATGm)Pxc=@&fp--P0Nd zOl_eGP7fOAT(#*??g`$#`ANWpscXJ6GT0pr&_-R*A83_6fNq}`{#Fy1m>H78zIfCB zn+2#iG4DVirQe$&p0l{w!uGF#z^!X8R%INxh_)~0d6Px;3-sbt`jN-N2Oa!vQV-?E zrow;L5+z5e6XDzy>dxPW&IvfZ_Fk{bcSIcQ3Vn=b%P^@NwfrHpIq~q{s8;D!&Q;sD(|TO#28r z@$3Bh<}F#DgoVDLL*uNtXlvW$xuFwWg_w|Za8cIx4+&z^&ed@ z8G=^mNn*RGrnICgpm=lTws*CbQU9nV%EQ^44UPNhPtq^Ywqr~JQbXC z`r#k{*_Y&OtP41y5KEO98pkJ)J641rB(_gsZMj{xVVKV>lX28`3$8mzg;5HjSKg<6 zUflA^U$bP(jeoD`_gQaJ8{2g01|(ESp*1w{F_qKbI#_rnJ&Ln>W9DQ?(R*K}QEwwd zopJAm6bwk^Y{+R$E7_BWwyxa~lQ@UyPlw<8?kkc7NezU0w{0|=EZMlL?uLzRS3{&VKfKlusk{;-TQw zN2V>uVYeW1@YH*q?5r=rdHZj?|4+>8QWHZF7?p?y{RK2P|F^mkTc*_or7bun|9Q$4 zlo-3r=^&%(_c^4`?Q_I(8$bG$M%R#=Urs{%90OYGHgpu(T$s@_p*s3B?`Y6t-#CZ6 z<4qmaQeof-!iZ$f$oVS&=k%bW7xIevWs)FM5*!huG>pszrCWC#n3f<+`*5ZA^Es>Q z5JX}M3LGgJ?1Iq*JO1Fu;GN8g!rlBg{Ga%3qaZOKld16twNhWuBMS}DiOre0+XOrE z+6EQ-uS45()0z9YD&d5u6WhN!{^8cN;@Q2->w= zGUS=vmnJCO6-c#$Abo36`+nbVL=5kQPjH*0U4>>CEoiVc>VRWL6-Wo|sPbeNByC}I z9%)8JI4!L!g1S{DsEMk7ACB3VJ1As_rOWa)k6I=fIMY36>GCx)c6i``523?4h1uBc z0}e;upEJOsID{CaSN#$7@6f;99|L2i-S6b@x61A7xT*~uhtvLnuMvdG)`*sK{MFM# zgK~IBb~W87^f0s|mmv@JQv+e;^VNy#GZHx)c3-l+a{P+BAr^+I65#Yh;)1sy*Umg& z8(MLuymzkEo`ELf#%)62rn8YjqSP|K6l=lD{WSCItG*}u3cNh--08?YI%d)lOColewf1CmKzF?}nDoCS z@Q(^7cmO&(30P$MQxqXk y<}bk?435i8FZcgXTl99c=PLip!j74C1-sh5bi9dPH#a+dUVpoSh~oC)*Z&K}T6aMJ literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.exe b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.exe new file mode 100644 index 0000000000000000000000000000000000000000..6b1d3d051210bfd1cad37affb9a8fce713a2985b GIT binary patch literal 5120 zcmeHKU2I%O6+U-uZylF7Kc!6^RG6&O(1!SW{S(^>cCxnDNw$q0H@k65S;@V7cf7v! z-Ft6m?z&zSp|mO>kSY}f5~}!>O)mZQB~j#q&^^i9#9b#Z{?wt5KlZ1zL|UP z?mCWe#Gm@mvz{|^e&(Dr=ggfMFFy7>brDfF+Kn4Tuc23v)A(Pb>k#*U;`M%dWzSnj zUo$Sfb+okZNEQgcCagNMEzk2qR^d!EJmz>Tf4Ru&ewCYh_x2r&O)oDHT{61pIkWqR ziMMwsLw6ckqF!+NBJS5diJqb5&=g|mQc>I(QCcAd*U`XN&_$1bfoQ+}Yxgl3sZb7f zFRO8m$ZZ*kg{pg;=p*Q|$B9aczFlBZ_=$Qi=!*$~-VFIxi2j>*05LSR);MmAG%$EK zg%ma@9a|2Aj+}tfkVEvQ;I0ov6|0I_+d8O-Hspxr+Eg?ORbBxqwiNYHnGyZAN98U> zMn_te&h0=Soyer_->2$!Vy^h$oT01$R9u_mX4V|bj*XmFoE~z4e+Kd3=ZQ{Y?IGG= zF%*thlS<=z*pzBt4qh$N4=_L_Y4F0;LLU7qpqZLG=lT`U3NYQca5vE&Mf}|uqkF)> zP|br(H$@{l>PJ&!)rej&qCQRgjHy(bu4z0^>C`@Y6jRf*LGKx9`m4sj(bzT=XISHl z8b71?kI(=toYMGJ&G|M~nI<>&XYFKAdyMk3pZ);Pvxvf=Wu^pQrFV@%P(@9B@i4)b zirt`E3hPQ4bO1O_1HgUs0Pubq(HKd^cvjqM0}s+;z@MV0fyXrdw8rzA{}6o%{G#T3R%4sK3(f}p5?Ipjsr!18U4*Ye zEnn3$fg^M>84@j8o>k-3RgZ_`Q>%e5LaXBPRldbn<+?R`YJ#R0{c6MIXQ?i2U${<% zE;O9#Y={k0X@s2eywa%E)T}md-mkAX(%HtFm6F#hZnNZsovJOiu&TUniH)|Ek|k<9 zJdZ<-Kjn7{k~!xcm#=Uk9p7uuN`&*ix8~Fu!U}IG&U0xCC)h4T+=1ij8CSS#ZRwHR zX?s~9Cw90~Fz*LV;ndb|DXIsS*KE(Z((pp3&XrI2sW`3^c1U+EjENdiu_;4dH)B&~ zoD6))gb>wr5Nn{$j@Q!WYc99d%E`1tUnKmzW7RxghK?;0R${o|g-Retrz@i`ON)&KY8elcYpofM%UbP)XfZ|w~LX{gTa9V zitJY?)%)Yml~)GF-}!P68OFW+y@o!Di9W7A-cstGM}!qD`QE~o&2=$L>%xCZ8qm8# zZG1Xz(9vCUiDOYKA2R4*tAy+qFETco9mRM4fI-Kq_NnYdc9IW`O-)P=jgMAN51qC_ zPK~cYV4tc?Rz`8)!tV&qTl|O$1|2b%7D}xxd@?T349?^!gx~+smMHJYz_pr7*z5<@ z9M+OB=&F_cZqJQBk+Ha}&ZTdlJ&U{XS#>YPpjL1fnz~vBfCg}Ib%HvNJK;((U%d9x ziOEB`*O$J3=+z1FtsnhO*_c05zAEumm3h^(HmrK1Ed7SCd0Ftlmt}lc(#IDZ1QX?5 z6I=ExPn7j$*j?8Qsue0;oK=TT9M^XSna&Z|vpCfv^3#u`^-8GKU3T~EF;03yZQ2{TsCC~-n^U-UK-spb+ zAJP31*-Gx3bFm$mhWG7|*Sr<7NWhMR_XmefkJiZ7ipNOJDnV+2Dqv%KBRG)!Z?6;0m?#5YW=HdTe_FD4(=#kE)#H=#p%}e zwE_(RZ|z)+;Fiy}8s4XL9QrDoq1N?a%k5afe;$(=N2=bc2jS}y=$iJTG8#}*XQGBx zsH1%+kI{?xI2l%$MZ;N2Ct#)1PE`3S?ABpd;4PC>2X9lozRR%>Re80(q!x-&6~!|K zBSroDxo@wts_VTBpFZl?K&``$jQ%%#5q5>D^L8IMSNrB#Pw6?c$d1&xQah=M%auV)@wTjSd7Dka&jviY literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_exe_sha256.pdb new file mode 100644 index 0000000000000000000000000000000000000000..2ea858c6c53c2d50c34986b68bf31d5b4faa7c23 GIT binary patch literal 1412 zcmZ8he@qis9Di*ogTaa&1IB)2n3^b4E(a8PpbO9z3d--6xnyL`UGGs2u6M`X715!C zs|bli8H#}PPru*K z_w&8??!7v_Tb%}A0C=P#G`gKR-T4F=4S+<@i-;S+*2pqAHjB`MVA}%#g~}2z_o^}{ z1QkTVmUyhi3(65M$9Ydn4fg26IaFYC@*+0top{}mRX$aJENik@9zS*O$K?NhL6SsI z1^~$@k2qL^VAO$sry*DnFvq|H<#qZ=ECBWbQ!E}$#5pjT!1JaAunWy2Xug8xn`kzG zLM%bE2_a^Md*WdLV@Ax^M>FeDuXE9O{9#^veD3OSWb21Fs+hgg+pZ^h>h=i9t+f+3 zF0YyDP@hY?nmhD`HQhP5e}`q@@X5>-rm1Z1nR)Ao7tA&sGadzfX9HqL;&>?MbwgR< zL;(~M6hY<{5d~y1X(#f@jU|w^GY*HHEg(zmBt?-dq}aCn08KHZqllzvn#>PS0T%GI z5De2n2wXNGN-7uPcF`)fWFZp{=1F{50diPC3HYR&9d)x86p`qg$IGAO97G{1ZQ}$8 z+?CE2&n91Ug{uk_#OT6(oMGkm(Dk=;SE>VWMG8G%HKfA zC#p{lHv3Dzv^>(4Zd#=Y{P04xvPXpi-akdJO~AEB0PuhOL-XXwoyyZQ*{0odmzr1C z#$MYSRi*=N%LQxD=cwQJQTE{V3-`x#WlXd=D#`?p1KGoO554G|&RaYEf$fq-7u7?R zs8-eZPV5s=^F9NZTl%#8;T?ZluboE;ye)S5=Er7Ky&d)4++@tRpziC?j zo?RuZ<%F))YeE~`rT%sHLDP4huNFh68a6PCi81+0dX-D$c^JT7ULibCfHD_I(Nowg z&V8^)&D7(*b{Wzvy2gZ$Ryvh5gXS@4^#+YIXkmlaZ*-NKTNHFalOQY5opdOisEA=X z0L?O#L?y+AT8TWYkfh?Zb+mxaAnO;PYNz~?D62HXLqF_+ex;o*C@OxoQ5J(T9U=mX zwN*Q=eWsn!rnIlMi`u+)Kj-aSx$oVFmb;rJklX&VH)C2T>sVfBcra|+zH#@zuZ^Xk zyJtvEMmN<6Od``^cH_fM67`k7Dr5?Gh;rwqH)D6{jc$CrD-;EW7=CAkivFmWunHB_ zIpe9$k+O&@Qj>GKcHPoK=IrH?s@uO-{~fyb&v@f2U01pWsn6x1Bt=p1yGu}3IjE$? zeQSg^5jmzm?RX|Kle1rF?A*|Nd;7@2(mzHIFMNCJ*3tKV@5;V5HvA`HKJn8Xw3z<^ DAtk{~ literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.dll new file mode 100644 index 0000000000000000000000000000000000000000..40069eeb80da2156bcbdbdf03b6e694591e9657a GIT binary patch literal 4608 zcmeHK-ES0C6hG51N|6Eup;X0z0?OCeZnvc%YDOsCPnXR4&pH&~Vbrk>G|S)eM|9pFwEQ6m>&CXEt30^T3% zh*C3UbB)!>(4|%_#(T>2wLqK*Fiy_{Kqm8y;>JjlN;Il@zL&vB#@2-nCt8PAMqP+r z^MvIDkG31#xT@R847>=u9<{!p!@iH5E@U;s7^d?#|@i zol0bh<2n}CTC}#7w$^QIxSA~BSvYEbjc6I-9Yt$S2A*l>eAWoC9=s&Y2a|LH9Zsit z_rbmdo^NB^$a8mEj)5@~rYpOb5zXhp?@Ajj5A)!8kjY389MwntFvkl@_^hD@Wn)DR zos!r~ca%l67t?CUrkhF)-In;H#4&|AF^T&mz9IQXXaOvAO1vaFXXs;S9<_BUf3xuxbQQ#Z3o$JL*3e2|9c=(ErdEmDBz8;ellY>nAESN1X6$Q?Hqmilo5W`&_DKFddKLVn4$Qn@pYUUtmKl^u zlSMxec`Z`XqBLc;;>A@o0Nxp0Ks9eKz+bC3Wsu^{rSVUO*Z5 zMm!Vih;M7_>=1EW>G0W#n-f2xK82dJ1G`d_J9KljO3&eT?L_GH%O*t$(|0YscmR93 zf#;}`5*4~KUAme2`~y<@2l;+{7i|z%)L>W&slYibMdR1R4ajbk$yi~=D~5)WiKKSi zs8|u(zW2TLKcBz->!#amqi1{ippRpd7Fk=L(DQ|~?-aa@NPEI{{4@@Z@8F2KZby2~ zvZfv5Xj(4)+iN-yo6=->!uxEQ$omtz|y~jb(lFi}BfwoWgkB%Mv<_h02kZ^My6Bs#-~I~igtkgHUx-Zc zdxZC9IVCVqU{xm%c1(On2-vh~j2x-9R=#~wkm}(2kn0pc&%r39FRLC$tO{ZZpk;!e zyN9JaaI7Hf(l1U1*MOS9Rj3E{^7skN4&WuEHDxka`Y$3|UFtk1Dj_->Ra^c;>NJmVZ{|Ic1V-%xy>VTsb+-FlhhN0m>W2y$N zczd@@HiCVQoU0f}T^qKnvdHg077ey7{CJ-NC< literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_portable_sha256.pdb new file mode 100644 index 0000000000000000000000000000000000000000..e9a16f13ae15eef827bd83d8e1c6ad7ad25ab40d GIT binary patch literal 1260 zcmZ8hZ%hFRt z1*sij6Rb~SEey!VcBK&ywCwO<-G==U8}_}TY!oB9IqSO8is0~bHz$_vY+1V1e0mha zAdmw z3G3w9gxMCb33JaUp@g+0sA zFCE$5!9(4d1INa5m$}C6Gml+!j4)t&=a}_F(0eW-#}q+?YH=4-kswQ8D?t%tv70C* z%SabdLT)LCyo>XATzn~6?jk9Q@@c5~rwu2MINzh^T2Va!8p#i>z2g23nZwgifro2qC( z=o_gQBC3q!s7BDt9#&NdUKH^_?aGNZa0>w2@`a;MuS>1%b5H}hS;WN{ipZ)ca3*a? zGH9DYz?aie&@)ptx+q#dqsRefAJSlqpk)=B%nYNTGX?yk*e?D){dvv!U{ko_>&*Km z)5mHoVLTY9`QOl>WXunlxhY2ONdUs1{M2+|9@ zfIGE6&fRPLA@I#Y?DWp(xdkg-VQ)crf6^c?u^ntIo{HqS8i95dDl&S4#$%C1Sfwas z1@)|iSA-8sP;*gXMOHPI6JZ$bVN2a*>9oiqR6<0MqfHO!K|Q3us=uyBbyXj6&RNh? z@BBDhd(&M%{^D)=PV2ERdRoWwoi7~uc;mgfNRCbB_S${Ms*yy4zqwjvW3XFRJBnUe z+3amy#cu18MsA>X4S;@LPq^OK5WIq&OYzTI|`p<6Thb{EWj W^eOZ9#M(pq!A7%6+Ulb8)sabxB(RC-^+6-A>ik~B$(88#_>4B)J}|N>;M`ue)Hyf{K)&` z-Zz7%YKs?zsuB|Jq7qV7sf#Y!E>P4~0+k}v6;cs}4T41$h##q{gvg?svLJl-zW3}g zc3LlhcEKIrbI;#9_uO-T&hgyC8?=vz+R(3EBYFX&Y&ix0GgybX=R1Gyp+D_^?eGiQ z>}!XMtB%k^9@Mzy>9*zjL8Moh&g;JJ_vG%|UZyaAfFSX{()Fz-RGg-;c4E z@O>G*uMly^uL-G9#R2^$#=gY@tpmrdQr~@xGkJ^~px>AD88@h4lntM2_uWjiUlJc{ zBXmo=rtVm#!Xwux<0X%n#PJQ<^P0rv()+a|nGSkF!JkrZ=0?gxrGx%JztTErMf*2k zkAkm~#Q&k-oZ|da;SXj$)UvcfA1aee%5EHm1N4D*7Y$)vjplVJ_&NPc>jU+OqMka` zg}J3i8Wl48sVk#VFJK4V3Yeuk0T1AN3GY>KQo$JoA5ici1s(bk-Aoqn4l=0=Uz&7~ zh5^4p4*>Sj!+>|u2H*(24ER0z8{ibZ1^9i%F95c!$5DbyNt26egO73Ch;AcaN!sA^ z7O$MD6U|w^Rb$n%&mueE%nHL1bEq5!JhCb-E3-9L7OU3qiIcl(mUmYjn+vLSmrYQi zDI(^XQ-Lo6m!;%F-H#lP(M9e=Y}WA^SdFt^z$MWrHr$8F8{N|P*iG<=uPQ`JZs70DYFHtfRcX9o8-HTnf!mPS3!5{hh zC*jA(j=#ATY{g}^3DhuwS)RrPp77yT%vEwt6I$5a*#QRy!d<4=H}&n{3H6{chO}INt$%|Ai7Kg??Luni%hD>ceb@H z6!L|4Uzzw>{!oAJ$*ZFaU4MP>h4xt%8dZ#fyY-#V(OL-27vuBKYN zjdR!NE_|u9-l7?!vHt1~k-8`0V z)b`OQaXyM|rMc;JVn~`yC8_Pa;w>Q;a@cY3HZa)qk)H#lazr^&gwz68KyFb4y&%bJ zM3>u^Q7j`PgU=!HskV!yF{Lv|>F+pIfTONL9i$x6YR+`Ed1we&l)i`C z*7ilrJ&2c6+liBJ}zDXd=!sUl1Kd#iG$H z=B=q&(lu%~D z3+c({d5#8A_o7nWHs@z|bZb9}M%CU=V!s7q>Zw!OL4BTnlfr` z^GW7kL-&!($Bnrr5}oVVs%A4$<{AUBg^1ThB+J4*`ZH{(?=ZJub{!RLGoiuZ?6Erh zWYu}@G*E`tnAoG$k<_Y=wq*xt%&yCdW|lRWtGg188y8^I;U4ZZG6+Ni-0#udvI zELoH?GO&v`sp|vVd>LO(J_4TtQlC4J literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netcoreapp3.1_portable_exe_sha256.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netcoreapp3.1_portable_exe_sha256.pdb new file mode 100644 index 0000000000000000000000000000000000000000..5ecdf567f121d541ac174f4b67ce6232eb4a5e7c GIT binary patch literal 9400 zcma)C2|QHm`#(gRN-EmZr7Y1TA?nsO2E&-KCUr|WW)3E^nHg)ho0~0B*+q7;RFq2A zA_}FIn?!qE71gaPrBwdsojGTW<=)?aKA$mX<~-kLec$JOp64)gqL|4*G7xx8L*Mr1 zW=s866ZAwsKog)6zY( z+NNVNnf5zp%64i=XUoj0UBc;#x3%|ID9tvDi1MEimV8oWz}?}O#z}2TF-}mOU9N04 z6x>4RvUyAv!e8l!@C8gR2U*<&v3RRK z#F*i+nhqPg>#a4^GlpTk)pTPz17g7(PhZ#*fk^5QmnUShnL)4+uw)?azMd<2EMEb{ z_vN5B5Q#JcRGNXlp&lA{94@(s>VZN%m>dM!S#!s&k6=KHwj*aiByL9-o$30pgj(`^s2gtDa&>&5SeWVshbSN{;*WP4 z+5335<-3{}MR(f-4r5%HoHhCcdp_zQA=3{LV8V=R+|vQj_Mh513Tuj8`OuTkv;@0Z zYyq9iXEEI|GOZ(5<_c3 z$#Uvl7`>UVhX=YwFk;#LS4#nL$yO`qsN!9#upivzvCD`LF=7&z#X{&H`U2FU9J()` zk8p57iWb%3P!ovZx<6`Y!h`RePA z+88}KCIPc~Tn_3J8kd2v2t*EtD-`V(+`+So(=Gu#{K@sr9QXHT$9sOZy6)XIYka&p zEQH7M`2HsC1_+X0%j%m6&SblMOU1m8`1LkGyk0!^z8Z zcRx~pVVWLL@O&cKV7`P{l0sG;3JfkIbB8gGB9is$sLpKPU&E;Tv zI6esIfJ|kf{ML-8o6iTBmubgzr0!@hk_G^j6C$(-5F#9qwDC1l^=HU_V1u{cJKm}v zDzsD`t#HH7x^>c6ag>=Y8d*TCJU98Q53+G)aW1V@5BKo!?Q712Jvm%~kVzM9Um+i+ z3vnSQeJlS2LWpPjn31aWl=wns=sd%%xTB<@<{MQ!@&|g(l(0^G;59r z7gJ&7fb}83z^$to^ST`CK|8z)e1&cPJKkYeAu0$|{Fe%7vQk zXO;BVeI5tsB!ubSn^1q@S}Vve$OhPuc)7D|Dnu<^?32iUkZL^+b`zS5UHD9N8H*TD znP{Fy^AV=~`_q?24vbB|@#~o^W$VOco*jKJTP(+8#O1PZ-A#AztprBbn>IOw+^@8a zfuC30yX4X^9t@~G!sRb`1>Hb-rT5hH>cnHzk{{bOlldAa{{@WJVwkcI%fEdGz&MMb z;NBINDX0I5h}vOP&&7b^MW|vblLwC1fI|xVW^HpN=a(IH-p*f^iF4<}{=*z!gsMCM zcJ$0|G9P&U(YnC=%)DIsnfy`2W0Hwlg+&f19_0^AJwMYt&GKSc(7_o|S-ChakOQ;P zjPEEeOfdDAzp5Sr!dmry4%)my!M4`@Z&~90gjNhhM$1T$?8W(m1hWuu?&2PwaZ&3r z0RNigbK%irThrv_r~ZECPlCn;i#_4~&F>|Eq{-jmbj zD-NJb4VeRgICh- zr-UentTp~}T34FVA^_h5xGgG_!gf#`HU((z+V(Pl_QzvyRqdS{-%F$HVLpu3vMfwc zVslO(NGFQhyB`z4PErJ)(Z1SaC;G2yxb2AV5?zaiw zcVf1nUgd8oLMx#VZ-JnoHN}8!ae+psYtdtJ%5*!!rAaP$84TD0>QP6|V6gBTQ2fiC zYd_5z)G*DPqGZ@Ru;{Lo3>wVDU8AaVHUm({=Be4-U%SjS%^?f?+tbwpDkUr-F$DA3Br-L zz+lIvyi(F(*F|gvqePw*)_(X5`JwOM2_z-=i6Gt zzk!5Mm$Yd)6-TJ2AM5JN!r2F;Bsd~IzKB3lAYG19F9C?5!4>^8U$v0WIB|vs%O2oo zACTgNpdArY7>IeGa-)eT=rW6`Z-SRCBxWor^*UjxYA+?j3E}%O>4-g-DQTlF6H?oO zHJvk#E6W$R&<+`|OuT<~z4Quj;?lj*z7P|0bN-xkun4AJqnr7!?y)#icic{XZZLk{ z0>xYqcM^*^+^T)|(ESWz+Wz9D>nZbe^5IPFMmKBzEh)`Vh!p}e5dLt_hsm2|Mo zNGV(K`c76R`G~@qs;cs-@JKLPY6akqcyO!kHb6YfzfQeEOEHglesW!d{FR`Q2;8a> znkp~Ossd0W9mdSUig^~t4nE#4(|-fcG?;NXRD4XdZIKmuaL=uCY5n>G)bfwVA2xba zOu)tYvOzb9yRZCyil}`2-lN`;KlxXybJJ)vf3^1eqp3HejW1VH4OC`+KL%FAjTO}| z%exzi)m=LmPKoLwU?@BHT`0M@2^1?8TX3rnxZKZr;fbgzN~Rg+iWjvq`|$+ph~8zmE>S-oLCp=&XfVx|k?#r9?AQJmkTq4*S4;2Px+9k! z0kJjyV@EC+=((OYv47S! z-y%vawR=DifVb09z8#ZA-W^I2)x*ntPOSev(Z}Y1@$R*Ihz)ofCMKfHJtiF^ui9r=9Qab2l97 zyEhI>jHiiCV!Yu{QtSQ!;IH18xf)W>QqCTmp1RcdUG*5axM#tH%Ji#0I+h zfobYT{WHzXJ$OdO>ugYwqE!VS%WDFHGe-b>;N{7p-p}Z85*_&FIjVM)>CvKDjjoqv zp-5abR;-Uk&S}p&CHH!A?l9<{nU{ePG8Xw~%H`XBtzF(!lSFTf2H>o#3CYyBq7+ z+?G)|Di<6ySa?6}S{)B$m8Lf$YC?z-%RJ<_P=@eo6vlRB7Jpiv(+twRSUr#pT*0=U56YRW99}Z5n+3`+?R{0GO zGnXDQlKnjyZ^R_^4T%La*|_ER9T(pKph`cMb$t32O8AN_|D)@!g3+<$1& zz_cFz3(9GQUDg+7=YIT8B`i2}E@QZkL{w(x0OvU%wkx*8pClz9h*$5xeV_m2F(w3W z-J0%!g+TIqaE?8s}b40Zs{5oZYPy zww_Wu(A*Wh`96L?NSq?xrQK^aGlBk=Y|2v#)NXV7%!k8IH8Or1Eg4mrLuc|}JnD0v zx{9U+%=NFF(~T=A;ezkC3J15AkH(3_A>xN~*k)ZhfpHy(d?XvMmilAZnk?gO=v)D&0yCs48?-ouOp zi=DZ=-Apu-SfZ*r?Y!%GvvR^rb{^Flcgje}nB!x!i+dx`*6v`jo#NRL(uu3aUZ=wE z%)l%hffj)B9P`YDUr&oBbGtwG5Lz|3reT@}_CZ$`;xlp)PAX|Ey{{nZVxBITN&2kf zY@M{$U#miG@sP9_N5s>Y1@p(Y$y>UPbb!T`7C+^qMs_MCmJ$5h>ou7y9PEX*?4sR4 z@`5=WL^65|Yt zVQbdohyEss7&~;<&k_wLFlYQV&q-9r*RfXbV|WCaom2R5b+PehNeCp!O|ZaQKmg-& z4;I%SL$fP9BY@nAtB;rXKVLqjeYuQKCjuqHlC*S zOL0te^1pz_#NA=K{Cg00o3`CYXGH9?j14pozgQuE?O*VtrVv7_&_aObYeiVbB|awS zoXFj)-&a{b7A-OzGgNtI%@?4vT=`1)_z_iVq2`mSW3M#uMtj)7;wyV}ii{!a&WcnRl!?7)jzKnTVr&O#<@xSOwI>=d=VD{D$lmj_=WM*sF>+l_s3 zU6?jl-Gq6zqUmNdP{pKriB@ydLQ2xbb^+nHg>y0D;S)EaAtWEzC_CFN{YZukDbnGN zVpk4jy%eF;JS?ADQUKV#EQ;yq&grs>+KMQWLpu*kQHxuJ5w$y|&!rQ3A_JxS>Zq^y zeUD9bbg`d&?Qwr8)X0KB9JZp34-!SfG^-Regr#=X-=daGpU^i|3bw_ZOGoQ4$?W0- zgLxV3Ir8(E{R0s-l<<8a(9p>X_}Tzwqwi6mo5fb5#;xbT(mM;wx^4H9x5n&lUT-Na zht0w@l&r&`pIb#w@#B;aR9U-CHBYH3KkD39gHL@#vg~1@7Z#Dr9-5+$0H|1)^=e52Tw^c5!rFxq7nG1 zT}}Zz45`$MXYM|)_VoHRQ7mJEOm>VcX`Q^Y0IeD)BMc7g4YPeGihDG9KEmS)6woK0 z;CUqa5Z_2!+_o`xau6Zu zwr3yB&dAQoF3vueU6tLK{eCG+XYnEBN|Rf=HTQT&85VMVL#p$R)^Aut{95hWd6VHh z6G9)>Or9bGsmV@OfMjF?Cve?&$%~%xO&=keKmh-vfog(kr;9y?+u(=lL?8+T2-}?% zNED*~xZ~~%>KD3T?kH7qe#s%_Sm(GbbxZ!~bnFvn<>5H-g z_P!tBE;jjp8!iznn%V!W$l9d?p4J`-Z%EVD3wp2bP0BKR)A0QIF&Xw#fkzVE$&$;4 Gp#KA(Ao4i? literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.dll new file mode 100644 index 0000000000000000000000000000000000000000..cc1e862aed813b07061fd69d8a42815a5b945c34 GIT binary patch literal 4608 zcmeHKU2GIp6h6~GN|9Ow2}A<}<)?~{+ZGz}x9x5Vm2O+QOHs3NJG*hw6!_0c~M{=mL6%UWxx3&0)HAy~BvYEGzb*-{NlO^l}0l3ftm%9Sl!Le*mfM8irwjePUkcagQLv{_xD#E6=~ z;Rg6@8<2|Di$>HY$8~|<%wYc|%mIVXP*0O@vnc;n`jBK6pai|6Jm@9byQqX2AxsiI zfMH@QQ99x+rB@eSm(tCk_g1abd~wtV{bdsn=470q-=HL@M3b89xp`31w_Xfbz6Grc zdf~n13e$!l`%05&tV_m?K7?MP{%9QaXE?6__N|T@DWekoj65jJyaU)=*Rg^fd>m{0 zQ!n)^p(gfgW~Ua@x?|m)yIFA~nZT1U)P9`kGWr;NZcq8HVHG`=_zQ)}The|YB?lZ% z`wZv=p?-f{yybv;NOYyIf>^b?vngDIqszXryP%| z%s;X2Ds(9D^D1nw0&b%9z%BF`a2sS9@0Pev;vtFmOZ$8CM>XWi zzMwwO6Q!Ivn>PGvc3O9f!XLzSBaYba;ad4Y!xR(3^$gppogA{JY`3KQnAFXGm5STe zlu<0ZQm&#TZkHUxl+1Bq>PO|stIS6pkGTjj@7GSS0^OReOpKQ;-zW*m_l=xk8h+Jm zYS!~bNehLv&|RFB+b6pw*IL0eDNqu2+PIi9MV`YaE$`cI#7`J{(Xu_?$a@hhG8;rK z+>~%;K?P^8E{!PM@U)RZ*JjRZA%1`23tjJB9b+)Uw5CL_|2HgmX$Xh&y*MeAgn0TdryvPbE^{9{C}&@k(~! z4)`FIpf)7H!m`-aBMGwTJ>xk5Xb4sEG@{4oja6~ zF=ndHATqeb^_o-2QEG1=pZdt*gQ3Hm6g{*2w`1pj{3CPhmrvde9~%z(LmsOv*ptxL&^#!wE`J7I=WhF&e_lGy-}Ecrf_tqKgf`{vEtST-^*o|6)MM_rLm0 zVm8133bg9vLXUy(2mzfIO_42EZIP?enAO4cFt3vjIU7^}=Ng9Ls{)^VNEzT4Z=U z!}lG&IuyARzLd2Pg;|xEyXl{X44U{cbl|H+p<&o8N{hTR4$aC86_HDRj#RYc(!bG= z&%4h4MR{c^*unqH&!BF`VBd!KW$d9}l^vqHX&2#QPxveIW_!2pVr37Bo|gOFhduU? r%Mz;HL>5(?w3~OnvL@Jfwsjxw(F~};|BRmpSIs>d#C^B#Gz0$tDSUmz literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_netstandard2.0_portable_sha256.pdb new file mode 100644 index 0000000000000000000000000000000000000000..fe47cf1aeddf36779c09dccf7278a793a7afd3f6 GIT binary patch literal 7196 zcma)>30M=?7J!3n?ueqeRa9K4VhEdn;1jZtKnP$!K~Ql>28bk?I7v|Ih9ZK13Pr_; zPe2715D*a+&}!@Uzy(pPS{0~!wenEDK59kZon&qZNnXE~@5?unne(4>?sm?(H}tST zx(UUELVSjTZzz*KImwwyQ$L_sP}YGPU+}dL6~+?J8o)P__`QKbu>qJFaUZ6@MbdaV zxTTDR&lZJICW3ok;yrs&025r7g5MX%gWq&9Mks4p{cx$>lNeTh+z(UF7d~5;ADr?h zcuZm2P$+}I6^N^S8bIC;0oTFgJ@JnCfOq8WA)v6l%)}NxsP~ddl(6PE}fT zdswnufl8=;G8qGtD$q3wQvN*Yz%<5FblYqO{oJzeZ(YngFqo8QU}7;UAi7OX1)xBQ zU%0{Iq zE)wWD>NSz)YO!><|4wd3*SYrWT}Ie287dGVV$pXf>=kHu*4;6aR#Z9ol{DO+ym4pD+!pVBXU&eCr_5bMqeUFr|8|5hXpe(_~y;PEJMK{?UGua}AGKNy zQaL6@^@Lv!<=l&ktLN1|lE3(ZF0s}M<52P(*{j&aRr^1Qsp?Zd9xMlOf{hCcBtCRZP`ao-cjc1wo9LmID{~uY7r7I z#pDW+Ks})qI3iHM#R!d9+7!{O6dv?b;Q?nWlD!IypiCl$kj=hKHinhrQs?e&<6mWa z>+tbFrJWJXAH=rBn#dL)jl=X5q+9JC=|#;C`u@W=D=vBPmm5(Kiemy)4jqP;-F(il zUfWC#+&TSbMf-ke^ z3?tkQ!<4wz`DThdtw#<$ufoj5v@u_++xP*s`l z0}|9sq4$LLb_(S!EtD&G`G$G)pwGuEuP>~G+HqucpGFuO=0Doacz3*rk^U3i%ET}Re!QqPscb-vL(-RPx=&R4+4hT_4S{%&hzDV0hj%@s| zrK`H~>H~KC{@Ah8!fTarhFDMJoBpf+$jR*wCwyAUs#L&(96qs=-i9bl(`W*NBEM7FAGfYd?o zl*!r|`DR`|Ru4l&e}svH0zoG{K=|^!L!0m4b)XlIt27(BwzRO%FCBXZ^9<4#2V^U- z#vWejD4&gvXJ&gDr6Ul9AVIsbAzG9({pP6}0q}Lq#&J^exiPuBBNffa4pM**H}TVG$OL!fNd;DL6Hv+H_;&)xd@V)!?d>BYQ~Ygdj(u zkddz3A*ElMecf+yqRlVegx;Q48rrHO9gIj&J_=@lQm0aaoH?_5WD~0>*5;Gi^XhM}{VL>*!v|aMG$k8`1!XYN+>#i^zHncDBLg~5>;`bJn9|JQR zEcexgaNBgH^~>!RvQ@c-P7_t>XyBQqRnFnlhs$*sKDtVY%C$8CBy3-0T^vxGA6#eF zmSGLqS`2StP^-dB(7!FHUAfDvA%yv!z-+$B!0H}!|ZNP`TqsIPp7 zc7MPlUt4w;u?k{pxBus#@r}k&%@DPczTWh^(|oG8mUDRMyPfB&r;db-QbLsMuw`({ z9XDz3t}lJe&Q!EtO8+azl9UdKT?zIUnwq=6`ia+eA81W_98gwE4=ZT=IgteTXdJm4 zAzKgK8OHC}`1`MmSZ6|C>`zU8;%_K#keu$5EwN2yL=R}lV%LPUSQF)wV*Yd*qcdfxb zN^{3khb~xVLHx*IgyEdU_usjHQ<7lqw4DaHrcxt~J|JBUy2`u8Ww`m*VQpWs3yNVx zfz<`E;{jn94@2=J5#jk_kz9$08G2e~-nVF0Oz~vbmYo{c;9-kE+x=>khlI%@3Z*i{ z&-peonVI{RX)5|04R@5#q``nZB3+FRw4B7h{*qmRJ@xF3V@Bv1;ehRKU&4S;)-v{A z!^if}bLEp8F3fMp)`J4TmKVol+U99y8-xYo(N!gnKGHL>+NmC1!(g_7p6bKobHn)c z3)zD3j)j-++?I0Bsq7|ix19A(&za!wJ>J|^A%iTAuVFfl7QhjHbO z-*-!3abnzoK)H5r26^W4789#K{R6kJzfzrf+|aTu`!lb=CuDS-84GT0`#jfmf+ZDT!oFMxb%eUmLDO?V zITxP(@$W-PG<{vb38_FNL*O_*Be_#W=rL^9O!~HaWt+!%&odZDb+@3JgH$p~LG*fe z+Lz_6Z~as;+iw4B_0TU`lj_)}NjD&&k`!D+BRb?c!_0$tKcq)8*KNs~K~lutm#Wv> z&`@vO$5DHSr!qI^G^Ldm=fSOOf5afpLHcufx6h#>F*m=>^>KV;IqVrV%}3*vVgxrV zDj}>?-Oo!*d+VRUk1iRt=Ee@_Z2~B8b>_u$IHJPp67y@Z!MiiBY_y%f3Fgyqt#}AH z^%1Mfak5(=Iday+UPkuUpuEGkyZ;^i?x=yGa73O62mLi^Zt?T_aoc9sbJLcblKe9B zI!ugx<}{FA_4|sXFCB6~a+^N+9*wHSGu}*x`y3rw?KbHsw7E3XGNC5w0{bMl!za%E z!4yMB)l?`rg3u$WPC4J?|B}uvdM&A3TqfiilHiCKreSD~n{M89WOf2Ct>^lnR}0qF zLkLHta&V-ivkQh3?DXRwgZ5LW@d`P=bAIN$pFk3e5wQ{tSIV>nJ+#mmmDrM%yCYy< z-h1m3zm0I4Za8y0suRw5I5PZd;-79$E16$IDh4OcLToi08ubY>NEKM5(~T330o((t zgri>Cd~GI$`vR$25TtKa>X1D{$3?Txcn7@~b}HZuBLsD}MqT8X$@hw^_f>l^_9ktk z^qy#eMK~d?DT4Y{C9sK#f0aic%C!#OXX?CaeOv2v9cTLIEKRz(w?+F>x%iD?E zJ7Ryb`;rb8$;1R8y=srBezWpNFb*l6c70DX~W!~ z>Ov}is2G%MRy@K$T)#~a+$@idM-)!*)NlC^{UU?qi9DXD?eK;xNrNUN*&I zSDLHONr(5h;zT9>Ga>)Ba3qgI=O+RCR6n^KmBfmZ{S@FIvREaNP6TpWecQKGEvg5q zSCdQI=RI#5^~Kz6dCt^3T{ow_tKjy={la00)}<{g%yaLa`~S64YgK*b^1tlu3!PlG kC^Iy$Sak3DLD^@^H}%xQ;&DB39n+WO-n1Mhbj-W*U$E$hfB*mh literal 0 HcmV?d00001 From 2fb9917ac893d06a3aadb34a6323b07c56fa0619 Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Mon, 18 Jan 2021 08:25:20 -0300 Subject: [PATCH 2/9] updating sarif expected results --- .../BA2004.EnableSecureSourceCodeHashing.cs | 6 +- ...aged_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif | 125 ++++++------ ...anaged_AnyCPU_VS2017_Prefer32Bit.exe.sarif | 131 ++++++------- .../Managed_x64_VS2015_FSharp.exe.sarif | 94 ++------- .../Expected/Managed_x86_VS2013_Wpf.exe.sarif | 94 ++------- .../Managed_x86_VS2015_FSharp.dll.sarif | 131 ++++++------- .../MixedMode_x64_VS2013_Default.dll.sarif | 145 +++++++------- .../MixedMode_x64_VS2015_Default.exe.sarif | 178 ++++++++---------- .../MixedMode_x86_VS2013_Default.exe.sarif | 176 ++++++++--------- .../MixedMode_x86_VS2015_Default.exe.sarif | 176 ++++++++--------- .../Expected/Uwp_ARM_VS2017_VB.dll.sarif | 135 ++++++------- ...wp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif | 94 ++------- 12 files changed, 600 insertions(+), 885 deletions(-) diff --git a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs index 9bdb246de..dfc73d71c 100644 --- a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs +++ b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs @@ -36,7 +36,7 @@ public class EnableSecureSourceCodeHashing : WindowsBinaryAndPdbSkimmerBase, IOp public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { Pdb di = target.Pdb; - if (target.PE.IsManaged && (di.FileType == PdbFileType.Windows)) + if (target.PE.IsManaged && (di?.FileType == PdbFileType.Windows)) { reasonForNotAnalyzing = MetadataConditions.CouldNotLoadPdb; return AnalysisApplicability.NotApplicableToSpecifiedTarget; @@ -59,10 +59,10 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper public override void AnalyzePortableExecutableAndPdb(BinaryAnalyzerContext context) { - AnalyzeNativeBinaryAndPdb(context); + AnalyzeBinaryAndPdb(context); } - public void AnalyzeNativeBinaryAndPdb(BinaryAnalyzerContext context) + public void AnalyzeBinaryAndPdb(BinaryAnalyzerContext context) { PEBinary target = context.PEBinary(); Pdb di = target.Pdb; diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif index 7b94aef49..85b2c8d4c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,8 +61,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "BuildWithSecureTools", - "image is a managed IL-only assembly" + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" ] }, "locations": [ @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2006", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableCriticalCompilerWarnings", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2007", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableControlFlowGuard", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2008", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotMarkImportsSectionAsExecutable", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2010", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableStackProtection", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2011", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotModifyStackProtectionCookie", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2012", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "InitializeStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2013", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotDisableStackProtectionForFunctions", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA2014", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,7 +253,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableSpectreMitigations", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA2024", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnablePositionIndependentExecutable", - "image is not an ELF binary" + "EnableSpectreMitigations", + "image is a managed IL-only assembly" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3001", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,7 +301,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotMarkStackAsExecutable", + "EnablePositionIndependentExecutable", "image is not an ELF binary" ] }, @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3002", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableStackProtector", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3003", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableReadOnlyRelocations", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA3010", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "UseCheckedFunctionsWithGcc", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -389,13 +389,16 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA3030", "ruleIndex": 16, + "kind": "notApplicable", + "level": "none", "message": { - "id": "Warning_NativeWithInsecureStaticLibraryCompilands", + "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "BBAD0342,unknown,0.0 (TestConsoleApp.Program)\r\n" + "UseCheckedFunctionsWithGcc", + "image is not an ELF binary" ] }, "locations": [ @@ -644,6 +647,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1027,34 +1058,6 @@ }, "name": "UseCheckedFunctionsWithGcc" }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif index 86a1928f6..86fd1eadd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Managed_AnyCPU_VS2017_Prefer32Bit.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -412,27 +436,6 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 17, - "message": { - "id": "Warning_NativeWithInsecureStaticLibraryCompilands", - "arguments": [ - "Managed_AnyCPU_VS2017_Prefer32Bit.exe", - "BBAD0342,unknown,0.0 (TestConsoleApp.Program)\r\n" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -647,6 +650,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1061,34 +1092,6 @@ }, "name": "UseCheckedFunctionsWithGcc" }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif index 9f7dbcf6a..b5d25bb1c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif @@ -62,7 +62,7 @@ "arguments": [ "Managed_x64_VS2015_FSharp.exe", "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" + "an exception occurred attempting to load its pdb" ] }, "locations": [ @@ -598,6 +598,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -620,9 +622,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -648,9 +647,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" @@ -659,29 +655,29 @@ { "id": "BA2004", "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." }, "messageStrings": { "Pass": { "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Warning_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, "name": "EnableSecureSourceCodeHashing" }, { @@ -707,9 +703,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -741,9 +734,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -772,9 +762,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -800,9 +787,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -831,9 +815,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -868,9 +849,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -902,9 +880,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -930,9 +905,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -958,9 +930,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -989,9 +958,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1026,9 +992,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1054,9 +1017,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1082,9 +1042,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1107,9 +1064,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1132,9 +1086,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1163,9 +1114,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -1191,9 +1139,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1225,9 +1170,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1259,9 +1201,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -1287,9 +1226,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1318,9 +1254,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1352,14 +1285,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif index f6f46e377..d4393f433 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif @@ -62,7 +62,7 @@ "arguments": [ "Managed_x86_VS2013_Wpf.exe", "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" + "an exception occurred attempting to load its pdb" ] }, "locations": [ @@ -596,6 +596,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -618,9 +620,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -646,9 +645,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" @@ -657,29 +653,29 @@ { "id": "BA2004", "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." }, "messageStrings": { "Pass": { "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Warning_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, "name": "EnableSecureSourceCodeHashing" }, { @@ -705,9 +701,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -739,9 +732,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -770,9 +760,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -798,9 +785,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -829,9 +813,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -866,9 +847,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -900,9 +878,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -928,9 +903,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +934,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -999,9 +968,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1027,9 +993,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1055,9 +1018,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1080,9 +1040,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1105,9 +1062,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1136,9 +1090,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -1164,9 +1115,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1198,9 +1146,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1226,9 +1171,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1257,9 +1199,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1285,9 +1224,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1316,9 +1252,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1350,14 +1283,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif index ecd56cd34..f10f237b1 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Managed_x86_VS2015_FSharp.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -412,27 +436,6 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 17, - "message": { - "id": "Warning_NativeWithInsecureStaticLibraryCompilands", - "arguments": [ - "Managed_x86_VS2015_FSharp.dll", - "7581939C,unknown,0.0 (Managed_xx8_VS2015_FSharp.Class1)\r\n" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -647,6 +650,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1061,34 +1092,6 @@ }, "name": "UseCheckedFunctionsWithGcc" }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif index 3a7cdb29f..0a740365b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif @@ -5,7 +5,7 @@ { "results": [ { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 0, "kind": "notApplicable", "level": "none", @@ -13,8 +13,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableControlFlowGuard", - "image is a mixed mode binary" + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" ] }, "locations": [ @@ -29,7 +29,7 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2008", "ruleIndex": 1, "kind": "notApplicable", "level": "none", @@ -37,8 +37,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableHighEntropyVirtualAddresses", - "image is not an executable program" + "EnableControlFlowGuard", + "image is a mixed mode binary" ] }, "locations": [ @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2016", + "ruleId": "BA2015", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,8 +61,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "MarkImageAsNXCompatible", - "image is a 64-bit binary" + "EnableHighEntropyVirtualAddresses", + "image is not an executable program" ] }, "locations": [ @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2018", + "ruleId": "BA2016", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,8 +85,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableSafeSEH", - "image is not a 32-bit binary" + "MarkImageAsNXCompatible", + "image is a 64-bit binary" ] }, "locations": [ @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA2018", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,8 +109,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnablePositionIndependentExecutable", - "image is not an ELF binary" + "EnableSafeSEH", + "image is not a 32-bit binary" ] }, "locations": [ @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3001", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "DoNotMarkStackAsExecutable", + "EnablePositionIndependentExecutable", "image is not an ELF binary" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3002", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableStackProtector", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3003", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableReadOnlyRelocations", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA3010", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "UseCheckedFunctionsWithGcc", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -221,14 +221,16 @@ ] }, { - "ruleId": "BA2001", + "ruleId": "BA3030", "ruleIndex": 9, - "kind": "pass", + "kind": "notApplicable", "level": "none", "message": { - "id": "Pass", + "id": "NotApplicable_InvalidMetadata", "arguments": [ - "MixedMode_x64_VS2013_Default.dll" + "MixedMode_x64_VS2013_Default.dll", + "UseCheckedFunctionsWithGcc", + "image is not an ELF binary" ] }, "locations": [ @@ -243,7 +245,7 @@ ] }, { - "ruleId": "BA2002", + "ruleId": "BA2001", "ruleIndex": 10, "kind": "pass", "level": "none", @@ -265,35 +267,14 @@ ] }, { - "ruleId": "BA2004", - "ruleIndex": 11, - "message": { - "id": "Warning_NativeWithInsecureStaticLibraryCompilands", - "arguments": [ - "MixedMode_x64_VS2013_Default.dll", - "MSVCRTD.lib,cxx,18.0.20806.0 (initsect.obj,tncleanup.obj)\r\nMSVCRTD.lib,c,18.0.20806.0 (atonexit.obj,cinitexe.obj,crtdll.obj,dllmain.obj,gs_cookie.obj,gs_support.obj,loadcfg.obj,natstart.obj,pesect.obj)\r\nMSVCMRTD.lib,cxx,18.0.20806.0 (managdeh.obj,msilexit.obj,mstartup.obj,puremsilcode.obj)\r\n" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_Default.dll", - "index": 0 - } - } - } - ] - }, - { - "ruleId": "BA2004", + "ruleId": "BA2002", "ruleIndex": 11, - "level": "error", + "kind": "pass", + "level": "none", "message": { - "id": "Error_NativeWithInsecureDirectCompilands", + "id": "Pass", "arguments": [ - "MixedMode_x64_VS2013_Default.dll", - "app.res,cvtres,12.0.21005.1\r\n.NETFramework,Version=v4.5.AssemblyAttributes.obj,cxx,18.0.21005.1\r\nStdafx.obj,cxx,18.0.21005.1\r\nMixedMode_x64_VS2013_Default.obj,cxx,18.0.21005.1\r\nAssemblyInfo.obj,cxx,18.0.21005.1\r\n" + "MixedMode_x64_VS2013_Default.dll" ] }, "locations": [ @@ -605,6 +586,34 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -889,34 +898,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif index 9fd730008..3d2ffa38c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif @@ -5,10 +5,34 @@ { "results": [ { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 0, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x64_VS2015_Default.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2015_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 1, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -30,7 +54,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 1, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +78,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -220,7 +244,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -242,7 +266,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +288,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -287,7 +311,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -310,7 +334,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -332,7 +356,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -354,7 +378,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -376,7 +400,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -398,7 +422,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -420,7 +444,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -442,7 +466,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -464,7 +488,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -508,7 +532,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -532,7 +556,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -556,8 +580,38 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -581,9 +635,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -609,9 +660,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -640,9 +688,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -671,9 +716,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -699,9 +741,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -724,9 +763,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -749,9 +785,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -780,9 +813,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -805,9 +835,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -833,9 +860,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" @@ -864,9 +888,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -895,9 +916,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -929,9 +947,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -963,9 +978,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -991,9 +1003,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -1022,9 +1031,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -1059,9 +1065,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -1093,9 +1096,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -1121,9 +1121,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -1155,9 +1152,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -1183,9 +1177,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1214,9 +1205,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1248,9 +1236,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" }, { @@ -1282,14 +1267,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif index 492364960..c4fb3a23d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x86_VS2013_Default.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2013_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -196,7 +220,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -218,7 +242,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -241,7 +265,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +288,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +310,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +332,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -330,7 +354,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +376,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -374,7 +398,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -396,7 +420,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 17, + "ruleIndex": 18, "level": "error", "message": { "id": "Error_NeitherHighEntropyVANorLargeAddressAware", @@ -417,7 +441,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -439,7 +463,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -461,7 +485,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -483,7 +507,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -505,7 +529,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -529,7 +553,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -553,6 +577,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -575,14 +601,39 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -606,9 +657,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -637,9 +685,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -665,9 +710,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -690,9 +732,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -715,9 +754,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -746,9 +782,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -771,9 +804,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" @@ -802,9 +832,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -833,9 +860,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -867,9 +891,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -901,9 +922,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -929,9 +947,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -960,9 +975,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -997,9 +1009,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -1031,9 +1040,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -1059,9 +1065,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -1093,9 +1096,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -1121,9 +1121,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1152,9 +1149,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1180,9 +1174,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1211,9 +1202,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1245,9 +1233,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" }, { @@ -1279,14 +1264,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif index 3aa4a59e2..821c873fb 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x86_VS2015_Default.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2015_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -196,7 +220,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -218,7 +242,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -241,7 +265,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +288,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +310,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +332,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -330,7 +354,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +376,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -374,7 +398,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -396,7 +420,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 17, + "ruleIndex": 18, "level": "error", "message": { "id": "Error_NeitherHighEntropyVANorLargeAddressAware", @@ -417,7 +441,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -439,7 +463,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -461,7 +485,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -483,7 +507,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -505,7 +529,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -529,7 +553,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -553,6 +577,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -575,14 +601,39 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -606,9 +657,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -637,9 +685,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -665,9 +710,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -690,9 +732,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -715,9 +754,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -746,9 +782,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -771,9 +804,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" @@ -802,9 +832,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -833,9 +860,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -867,9 +891,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -901,9 +922,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -929,9 +947,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -960,9 +975,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -997,9 +1009,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -1031,9 +1040,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -1059,9 +1065,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -1093,9 +1096,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -1121,9 +1121,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1152,9 +1149,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1180,9 +1174,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1211,9 +1202,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1245,9 +1233,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" }, { @@ -1279,14 +1264,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" } - ], - "properties": { - } + ] } }, "invocations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif index 888a20afc..ac217fcb8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_ARM_VS2017_VB.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -436,29 +460,6 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 18, - "kind": "pass", - "level": "none", - "message": { - "id": "Pass", - "arguments": [ - "Uwp_ARM_VS2017_VB.dll", - "native" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2005", "ruleIndex": 19, @@ -651,6 +652,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1093,34 +1122,6 @@ }, "name": "UseCheckedFunctionsWithGcc" }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif index c93bdcd99..29a6929a9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif @@ -62,7 +62,7 @@ "arguments": [ "Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" + "an exception occurred attempting to load its pdb" ] }, "locations": [ @@ -596,6 +596,8 @@ "tool": { "driver": { "name": "testhost", + "organization": "Microsoft Corporation", + "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ { @@ -618,9 +620,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security." - }, "name": "LoadImageAboveFourGigabyteAddress", "properties": { "equivalentBinScopeRuleReadableName": "FourGbCheck" @@ -646,9 +645,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should not take dependencies on code with known security vulnerabilities." - }, "name": "DoNotIncorporateVulnerableDependencies", "properties": { "equivalentBinScopeRuleReadableName": "ATLVersionCheck" @@ -657,29 +653,29 @@ { "id": "BA2004", "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler." + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." }, "messageStrings": { "Pass": { "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, - "Warning_Native": { - "text": "'{0}' is a native binary that links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA-256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Warning_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs and associated source code." - }, "name": "EnableSecureSourceCodeHashing" }, { @@ -705,9 +701,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features." - }, "name": "BuildWithSecureTools", "properties": { "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" @@ -739,9 +732,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks." - }, "name": "EnableCriticalCompilerWarnings", "properties": { "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" @@ -770,9 +760,6 @@ "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." } }, - "shortDescription": { - "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations." - }, "name": "EnableControlFlowGuard", "properties": { "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" @@ -798,9 +785,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkImportsSectionAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" @@ -829,9 +813,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "EnableStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSCheck" @@ -866,9 +847,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not interfere with the stack protector." - }, "name": "DoNotModifyStackProtectionCookie", "properties": { "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" @@ -900,9 +878,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities." - }, "name": "InitializeStackProtection", "properties": { "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" @@ -928,9 +903,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should not disable stack protection for individual functions." - }, "name": "DoNotDisableStackProtectionForFunctions", "properties": { "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" @@ -962,9 +934,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible." - }, "name": "EnableHighEntropyVirtualAddresses", "properties": { "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" @@ -999,9 +968,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." - }, "name": "EnableSpectreMitigations" }, { @@ -1027,9 +993,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap)." - }, "name": "EnablePositionIndependentExecutable" }, { @@ -1055,9 +1018,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode." - }, "name": "DoNotMarkStackAsExecutable" }, { @@ -1080,9 +1040,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected." - }, "name": "EnableStackProtector" }, { @@ -1105,9 +1062,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory." - }, "name": "EnableReadOnlyRelocations" }, { @@ -1136,9 +1090,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string." - }, "name": "UseCheckedFunctionsWithGcc" }, { @@ -1164,9 +1115,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." - }, "name": "DoNotShipVulnerableBinaries", "properties": { "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" @@ -1198,9 +1146,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR)." - }, "name": "EnableAddressSpaceLayoutRandomization", "properties": { "equivalentBinScopeRuleReadableName": "DBCheck" @@ -1226,9 +1171,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code." - }, "name": "MarkImageAsNXCompatible", "properties": { "equivalentBinScopeRuleReadableName": "NXCheck" @@ -1257,9 +1199,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues." - }, "name": "EnableSafeSEH", "properties": { "equivalentBinScopeRuleReadableName": "SafeSEHCheck" @@ -1285,9 +1224,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Code or data sections should not be marked as both shared and writable." - }, "name": "DoNotMarkWritableSectionsAsShared", "properties": { "equivalentBinScopeRuleReadableName": "SharedSectionCheck" @@ -1316,9 +1252,6 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "PE sections should not be marked as both writable and executable." - }, "name": "DoNotMarkWritableSectionsAsExecutable", "properties": { "equivalentBinScopeRuleReadableName": "WXCheck" @@ -1350,14 +1283,9 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "shortDescription": { - "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms." - }, "name": "SignSecurely" } - ], - "properties": { - } + ] } }, "invocations": [ From a11b9189c1b5db66e484d71b2b3fb23f1bc99763 Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Mon, 18 Jan 2021 18:35:54 -0300 Subject: [PATCH 3/9] updating logic to pdblocation --- .../PEBinary/ProgramDatabase/Pdb.cs | 30 +++- .../Expected/Binskim.linux-x64.dll.sarif | 121 ++++++---------- .../Expected/Binskim.win-x64.dll.sarif | 121 ++++++---------- .../Expected/Binskim.win-x86.dll.sarif | 121 ++++++---------- ...ore_RTR_linux-x64_VS2019_Default.dll.sarif | 137 +++++++++--------- ...tCore_RTR_win-x64_VS2019_Default.dll.sarif | 137 +++++++++--------- ...tCore_RTR_win-x86_VS2019_Default.dll.sarif | 131 +++++++++-------- ...NetCore_linux-x64_VS2019_Default.dll.sarif | 137 +++++++++--------- ...otNetCore_win-x64_VS2019_Default.dll.sarif | 137 +++++++++--------- ...otNetCore_win-x86_VS2019_Default.dll.sarif | 131 +++++++++-------- ...InteropAssemblyForAtlTestLibrary.dll.sarif | 121 ++++++---------- .../Expected/ManagedResourcesOnly.dll.sarif | 121 ++++++---------- 12 files changed, 656 insertions(+), 789 deletions(-) diff --git a/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs b/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs index 7859ad05f..9825b4453 100644 --- a/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs +++ b/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs @@ -22,6 +22,7 @@ public sealed class Pdb : IDisposable, IDiaLoadCallback2 { private IDiaSession session; private StringBuilder loadTrace; + private readonly string peOrPdbPath; private readonly Lazy globalScope; private bool restrictReferenceAndOriginalPathAccess; private PdbFileType pdbFileType; @@ -42,6 +43,7 @@ public Pdb( string localSymbolDirectories = null, bool traceLoads = false) { + this.peOrPdbPath = pePath; this.loadTrace = traceLoads ? new StringBuilder() : null; this.globalScope = new Lazy(this.GetGlobalScope, LazyThreadSafetyMode.ExecutionAndPublication); this.writableSegmentIds = new Lazy>(this.GenerateWritableSegmentSet); @@ -150,11 +152,6 @@ public PdbFileType FileType return this.pdbFileType; } - if (Directory.Exists(PdbLocation)) - { - return PdbFileType.Unknown; - } - int max = Math.Max(WindowsPdbSignature.Length, PortablePdbSignature.Length); byte[] b = new byte[max]; @@ -396,7 +393,28 @@ public bool ContainsExecutableSectionContribs() /// /// Returns the location of the PDB for this module /// - public string PdbLocation => this.session.globalScope.symbolsFileName; + public string PdbLocation + { + get + { + string path = this.session.globalScope.symbolsFileName; + if (File.Exists(path)) + { + return path; + } + + if (Directory.Exists(path)) + { + string extension = Path.GetExtension(this.peOrPdbPath); + if (File.Exists(this.peOrPdbPath.Replace(extension, ".pdb"))) + { + return this.peOrPdbPath.Replace(extension, ".pdb"); + } + } + + return path; + } + } public void Dispose() { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif index c63dd8738..c58554b0b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.linux-x64.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -654,34 +630,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1294,7 +1242,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll" + } + } + } + ], + "message": { + "text": "'Binskim.linux-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif index b520ca9f7..e7b0f7b2d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.win-x64.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -654,34 +630,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1294,7 +1242,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll" + } + } + } + ], + "message": { + "text": "'Binskim.win-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif index 1db877190..8599c940f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.win-x86.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -460,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -482,7 +458,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -504,7 +480,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -526,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -548,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -570,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -650,34 +626,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1290,7 +1238,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll" + } + } + } + ], + "message": { + "text": "'Binskim.win-x86.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif index 8cbcff850..c6cd2c125 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_RTR_linux-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_linux-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_RTR_linux-x64_VS2019_Default.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_linux-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -654,34 +653,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1149,6 +1120,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif index e978ff182..24d64d584 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_RTR_win-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_win-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_RTR_win-x64_VS2019_Default.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_win-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -654,34 +653,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1149,6 +1120,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif index d17c2fa58..e57ba75df 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,7 +61,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2015", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,8 +253,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotDisableStackProtectionForFunctions", - "image is a managed IL-only assembly" + "EnableHighEntropyVirtualAddresses", + "image will likely load as a 32-bit process" ] }, "locations": [ @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2024", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableHighEntropyVirtualAddresses", - "image will likely load as a 32-bit process" + "EnableSpectreMitigations", + "image is a managed IL-only assembly" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,8 +301,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -389,7 +389,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 16, "kind": "notApplicable", "level": "none", @@ -397,7 +397,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -413,16 +413,15 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 17, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "native" ] }, "locations": [ @@ -650,34 +649,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1063,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif index 721792338..5bba7bf8a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_linux-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_linux-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_linux-x64_VS2019_Default.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_linux-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -654,34 +653,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1149,6 +1120,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif index 5683ad619..f2239d837 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "DotNetCore_win-x64_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x64_VS2019_Default.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -484,6 +460,29 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 19, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "DotNetCore_win-x64_VS2019_Default.dll", + "native" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 20, @@ -654,34 +653,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1149,6 +1120,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif index b83dde9e1..778ffaa98 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,7 +61,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableSecureSourceCodeHashing", + "BuildWithSecureTools", "image is a managed IL-only assembly" ] }, @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2015", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,8 +253,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotDisableStackProtectionForFunctions", - "image is a managed IL-only assembly" + "EnableHighEntropyVirtualAddresses", + "image will likely load as a 32-bit process" ] }, "locations": [ @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2024", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableHighEntropyVirtualAddresses", - "image will likely load as a 32-bit process" + "EnableSpectreMitigations", + "image is a managed IL-only assembly" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,8 +301,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -389,7 +389,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 16, "kind": "notApplicable", "level": "none", @@ -397,7 +397,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -413,16 +413,15 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 17, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "native" ] }, "locations": [ @@ -650,34 +649,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1063,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Warning_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif index cc040f967..58b6243cd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "ManagedInteropAssemblyForAtlTestLibrary.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -460,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -482,7 +458,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -504,7 +480,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -526,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -548,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -570,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -650,34 +626,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1290,7 +1238,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll" + } + } + } + ], + "message": { + "text": "'ManagedInteropAssemblyForAtlTestLibrary.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif index 1bbec448d..32d50b831 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "ManagedResourcesOnly.dll", - "EnableSecureSourceCodeHashing", - "image is a managed IL-only assembly" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -653,34 +629,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Warning_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1293,7 +1241,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll" + } + } + } + ], + "message": { + "text": "'ManagedResourcesOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ From d00f1a7c56f3e2a58829276a403cc87bd5208d5b Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Mon, 18 Jan 2021 18:36:27 -0300 Subject: [PATCH 4/9] removing old comment --- src/BinaryParsers/PEBinary/PEBinary.cs | 5 ----- 1 file changed, 5 deletions(-) diff --git a/src/BinaryParsers/PEBinary/PEBinary.cs b/src/BinaryParsers/PEBinary/PEBinary.cs index e34e36845..5303b76ab 100644 --- a/src/BinaryParsers/PEBinary/PEBinary.cs +++ b/src/BinaryParsers/PEBinary/PEBinary.cs @@ -40,11 +40,6 @@ public PEBinary( private Pdb LoadPdb() { - // We should never be required to load a PDB for a managed assembly that does - // not incorporate native code, as no managed-relevant rule currently crawls - // PDBs for its analysis. - // Debug.Assert(!this.PE.IsManaged || this.PE.IsMixedMode); - Pdb pdb = null; try { From 6dda74e9a5e84a66d2492bfb6cd6cd178308876d Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Wed, 20 Jan 2021 10:50:31 -0300 Subject: [PATCH 5/9] updating pdb loader for checksum and tests --- .../BA2004.EnableSecureSourceCodeHashing.cs | 67 ++++++++++++------- src/BinSkim.Rules/RuleResources.Designer.cs | 18 ++--- src/BinSkim.Rules/RuleResources.resx | 2 +- .../PEBinary/PortableExecutable/PE.cs | 27 +++++++- .../Expected/BinSkim.win-x64.ni.dll.sarif | 2 +- .../Expected/BinSkim.win-x86.ni.dll.sarif | 2 +- .../Expected/Binskim.win-x64.RTR.dll.sarif | 2 +- .../Expected/Binskim.win-x86.RTR.dll.sarif | 2 +- ...ore_RTR_linux-x64_VS2019_Default.dll.sarif | 4 +- ...tCore_RTR_win-x64_VS2019_Default.dll.sarif | 4 +- ...tCore_RTR_win-x86_VS2019_Default.dll.sarif | 4 +- ...NetCore_linux-x64_VS2019_Default.dll.sarif | 4 +- ...otNetCore_win-x64_VS2019_Default.dll.sarif | 4 +- ...otNetCore_win-x64_VS2019_Default.exe.sarif | 2 +- ...otNetCore_win-x86_VS2019_Default.dll.sarif | 4 +- ...aged_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif | 2 +- ...anaged_AnyCPU_VS2017_Prefer32Bit.exe.sarif | 2 +- .../Managed_x64_VS2015_FSharp.exe.sarif | 2 +- .../Expected/Managed_x86_VS2013_Wpf.exe.sarif | 2 +- .../Managed_x86_VS2015_FSharp.dll.sarif | 2 +- .../MixedMode_x64_VS2013_Default.dll.sarif | 2 +- .../MixedMode_x64_VS2015_Default.exe.sarif | 2 +- .../MixedMode_x86_VS2013_Default.exe.sarif | 2 +- .../MixedMode_x86_VS2015_Default.exe.sarif | 2 +- .../Native_x64_VS2013_Default.dll.sarif | 2 +- .../Native_x64_VS2015_Default.dll.sarif | 2 +- .../Native_x86_VS2013_Default.exe.sarif | 2 +- .../Native_x86_VS2013_ResourceOnly.dll.sarif | 2 +- ...Native_x86_VS2015_AtlProxyStubPS.dll.sarif | 2 +- .../Native_x86_VS2015_Default.exe.sarif | 2 +- .../Native_x86_VS2015_Default_Debug.dll.sarif | 2 +- .../Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif | 2 +- .../Expected/Uwp_ARM_VS2017_VB.dll.sarif | 2 +- ...wp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif | 2 +- .../Expected/Uwp_x64_VS2017_Cpp.dll.sarif | 2 +- .../Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif | 2 +- .../Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif | 2 +- .../Wix_3.11.1_VS2017_Bootstrapper.exe.sarif | 2 +- .../Expected/clang.default_compilation.sarif | 2 +- .../Expected/clang.execstack.sarif | 2 +- .../Expected/clang.execstack.so.sarif | 2 +- .../Expected/clang.immediate_binding.sarif | 2 +- .../Expected/clang.no_immediate_binding.sarif | 2 +- .../Expected/clang.no_stack_protector.sarif | 2 +- .../Expected/clang.noexecstack.sarif | 2 +- .../Expected/clang.noexecstack.so.sarif | 2 +- .../Expected/clang.non_pie_executable.sarif | 2 +- .../Expected/clang.object_file.o.sarif | 2 +- .../Expected/clang.pie_executable.sarif | 2 +- .../Expected/clang.relocationsro.sarif | 2 +- .../Expected/clang.relocationsrw.sarif | 2 +- .../Expected/clang.shared_library.so.sarif | 2 +- .../Expected/clang.stack_protector.sarif | 2 +- .../Expected/clang.stack_protector.so.sarif | 2 +- .../Expected/gcc.default_compilation.sarif | 2 +- .../Expected/gcc.execstack.sarif | 2 +- .../Expected/gcc.execstack.so.sarif | 2 +- .../Expected/gcc.fortified.sarif | 2 +- .../Expected/gcc.immediate_binding.sarif | 2 +- .../gcc.no_fortification_required.sarif | 2 +- .../Expected/gcc.no_immediate_binding.sarif | 2 +- .../Expected/gcc.no_stack_protector.sarif | 2 +- .../Expected/gcc.noexecstack.sarif | 2 +- .../Expected/gcc.noexecstack.so.sarif | 2 +- .../Expected/gcc.non_pie_executable.sarif | 2 +- .../Expected/gcc.object_file.o.sarif | 2 +- .../Expected/gcc.pie_executable.sarif | 2 +- .../Expected/gcc.relocationsro.sarif | 2 +- .../Expected/gcc.relocationsrw.sarif | 2 +- .../Expected/gcc.shared_library.so.sarif | 2 +- .../Expected/gcc.stack_protector.sarif | 2 +- .../Expected/gcc.stack_protector.so.sarif | 2 +- .../Expected/gcc.unfortified.sarif | 2 +- 73 files changed, 153 insertions(+), 111 deletions(-) diff --git a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs index dfc73d71c..a825d64e0 100644 --- a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs +++ b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs @@ -28,7 +28,7 @@ public class EnableSecureSourceCodeHashing : WindowsBinaryAndPdbSkimmerBase, IOp protected override IEnumerable MessageResourceNames => new string[] { nameof(RuleResources.BA2004_Pass), nameof(RuleResources.BA2004_Warning_NativeWithInsecureStaticLibraryCompilands), - nameof(RuleResources.BA2004_Warning_Managed), + nameof(RuleResources.BA2004_Error_Managed), nameof(RuleResources.BA2004_Error_NativeWithInsecureDirectCompilands), nameof(RuleResources.NotApplicable_InvalidMetadata) }; @@ -36,33 +36,55 @@ public class EnableSecureSourceCodeHashing : WindowsBinaryAndPdbSkimmerBase, IOp public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { Pdb di = target.Pdb; + if (target.PE.IsManaged && (di?.FileType == PdbFileType.Windows)) { reasonForNotAnalyzing = MetadataConditions.CouldNotLoadPdb; return AnalysisApplicability.NotApplicableToSpecifiedTarget; } - //reasonForNotAnalyzing = MetadataConditions.ImageIsILOnlyAssembly; - //if (portableExecutable.IsILOnly) { return result; } - - // TODO: currently our test binary for this check is a dll that does not - // compile against any external library. BinSkim regards this as a resource - // only binary and skips the test. We should improve the IsResourceOnly - // helper to properly identify this dependency-free test binary as code. - - // reasonForNotAnalyzing = MetadataConditions.ImageIsResourceOnlyBinary; - // if (portableExecutable.IsResourceOnly) { return result; } - reasonForNotAnalyzing = null; return AnalysisApplicability.ApplicableToSpecifiedTarget; } public override void AnalyzePortableExecutableAndPdb(BinaryAnalyzerContext context) { - AnalyzeBinaryAndPdb(context); + if (context.PEBinary().PE.IsManaged) + { + AnalyzeManagedAssemblyAndPdb(context); + return; + } + + AnalyzeNativeBinaryAndPdb(context); + } + + private void AnalyzeManagedAssemblyAndPdb(BinaryAnalyzerContext context) + { + PEBinary target = context.PEBinary(); + + if (!target.PE.IsChecksumAlgorithmSecure()) + { + // '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. + // SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. + // Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project + // property with 'SHA256' to enable secure source code hashing. + context.Logger.Log(this, + RuleUtilities.BuildResult(ResultKind.Fail, context, null, + nameof(RuleResources.BA2004_Error_Managed), + context.TargetUri.GetFileName())); + return; + } + + // '{0}' is a {1} binary which was compiled with a secure (SHA-256) + // source code hashing algorithm. + context.Logger.Log(this, + RuleUtilities.BuildResult(ResultKind.Pass, context, null, + nameof(RuleResources.BA2004_Pass), + context.TargetUri.GetFileName(), + "managed")); } - public void AnalyzeBinaryAndPdb(BinaryAnalyzerContext context) + public void AnalyzeNativeBinaryAndPdb(BinaryAnalyzerContext context) { PEBinary target = context.PEBinary(); Pdb di = target.Pdb; @@ -75,18 +97,15 @@ public void AnalyzeBinaryAndPdb(BinaryAnalyzerContext context) Symbol om = omView.Value; ObjectModuleDetails omDetails = om.GetObjectModuleDetails(); - if (!target.PE.IsManaged) + if (omDetails.Language != Language.C && + omDetails.Language != Language.Cxx) { - if (omDetails.Language != Language.C && - omDetails.Language != Language.Cxx) - { - continue; - } + continue; + } - if (!omDetails.HasDebugInfo) - { - continue; - } + if (!omDetails.HasDebugInfo) + { + continue; } CompilandRecord record = om.CreateCompilandRecord(); diff --git a/src/BinSkim.Rules/RuleResources.Designer.cs b/src/BinSkim.Rules/RuleResources.Designer.cs index f0d3797c9..745d7b33e 100644 --- a/src/BinSkim.Rules/RuleResources.Designer.cs +++ b/src/BinSkim.Rules/RuleResources.Designer.cs @@ -123,6 +123,15 @@ internal static string BA2004_EnableSecureSourceCodeHashing_Description { } } + /// + /// Looks up a localized string similar to '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing.. + /// + internal static string BA2004_Error_Managed { + get { + return ResourceManager.GetString("BA2004_Error_Managed", resourceCulture); + } + } + /// /// Looks up a localized string similar to '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: ///{1}. @@ -142,15 +151,6 @@ internal static string BA2004_Pass { } } - /// - /// Looks up a localized string similar to '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing.. - /// - internal static string BA2004_Warning_Managed { - get { - return ResourceManager.GetString("BA2004_Warning_Managed", resourceCulture); - } - } - /// /// Looks up a localized string similar to '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: ///{1}. diff --git a/src/BinSkim.Rules/RuleResources.resx b/src/BinSkim.Rules/RuleResources.resx index d43730f22..2c8a42a9e 100644 --- a/src/BinSkim.Rules/RuleResources.resx +++ b/src/BinSkim.Rules/RuleResources.resx @@ -464,7 +464,7 @@ Modules triggering this check were: The PDB for '{0}' was found and loaded. Probing details: {1} - + '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing. diff --git a/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs b/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs index cc697d96d..22de7c6ea 100644 --- a/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs +++ b/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs @@ -366,7 +366,6 @@ public long Length } } - /// /// Windows OS file version information /// @@ -382,7 +381,6 @@ public FileVersionInfo FileVersion } } - public Packer Packer { get @@ -790,5 +788,30 @@ public bool IsWixBinary return this.isWixBinary.Value; } } + + public bool IsChecksumAlgorithmSecure() + { + const string sha256 = "8829d00f-11b8-4213-878b-770e8597ac16"; + var sha256guid = new Guid(sha256); + + if (this.peReader.TryOpenAssociatedPortablePdb( + this.FileName, + filePath => File.Exists(filePath) ? File.OpenRead(filePath) : null, + out MetadataReaderProvider pdbProvider, + out _)) + { + MetadataReader metadataReader = pdbProvider.GetMetadataReader(); + foreach (DocumentHandle document in metadataReader.Documents) + { + Document doc = metadataReader.GetDocument(document); + + Guid hashGuid = metadataReader.GetGuid(doc.HashAlgorithm); + + return hashGuid == sha256guid; + } + } + + return false; + } } } diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif index 59acfb154..60748828d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif @@ -639,7 +639,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif index 94d0f35cb..00096bf51 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif @@ -662,7 +662,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif index c7216bb78..89a865ad3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif @@ -639,7 +639,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif index ececb894c..43e6ae227 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif @@ -662,7 +662,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif index c6cd2c125..123574a2f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif @@ -469,7 +469,7 @@ "id": "Pass", "arguments": [ "DotNetCore_RTR_linux-x64_VS2019_Default.dll", - "native" + "managed" ] }, "locations": [ @@ -1136,7 +1136,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif index 24d64d584..364f05ffa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif @@ -469,7 +469,7 @@ "id": "Pass", "arguments": [ "DotNetCore_RTR_win-x64_VS2019_Default.dll", - "native" + "managed" ] }, "locations": [ @@ -1136,7 +1136,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif index e57ba75df..3dfbe7ad6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif @@ -421,7 +421,7 @@ "id": "Pass", "arguments": [ "DotNetCore_RTR_win-x86_VS2019_Default.dll", - "native" + "managed" ] }, "locations": [ @@ -1079,7 +1079,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif index 5bba7bf8a..72a87c1ac 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif @@ -469,7 +469,7 @@ "id": "Pass", "arguments": [ "DotNetCore_linux-x64_VS2019_Default.dll", - "native" + "managed" ] }, "locations": [ @@ -1136,7 +1136,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif index f2239d837..c7a515716 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif @@ -469,7 +469,7 @@ "id": "Pass", "arguments": [ "DotNetCore_win-x64_VS2019_Default.dll", - "native" + "managed" ] }, "locations": [ @@ -1136,7 +1136,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif index f62f7ff5f..90ed2c3ea 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif @@ -635,7 +635,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif index 778ffaa98..3775a8cdd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif @@ -421,7 +421,7 @@ "id": "Pass", "arguments": [ "DotNetCore_win-x86_VS2019_Default.dll", - "native" + "managed" ] }, "locations": [ @@ -1079,7 +1079,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif index 85b2c8d4c..ad37f7b45 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif @@ -663,7 +663,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif index 86fd1eadd..145e291e4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif index b5d25bb1c..14402fe4c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif index d4393f433..f69eb971a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif index f10f237b1..8c08ea7ae 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif index 0a740365b..d7403b556 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif @@ -602,7 +602,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif index 3d2ffa38c..ea7dce8d9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif @@ -600,7 +600,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif index c4fb3a23d..5e59c3221 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif @@ -622,7 +622,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif index 821c873fb..bfcefb7e3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif @@ -622,7 +622,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif index c3e0ca30c..6dd3b5335 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif @@ -905,7 +905,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif index 05c393893..f063f7d9b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif @@ -874,7 +874,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif index 3e0e1f9bf..5dcd44991 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif @@ -850,7 +850,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif index a3cec5bcc..371b779bf 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif @@ -1109,7 +1109,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif index ee6d53c43..0aed6b0dd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif @@ -820,7 +820,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif index db4fe0e81..f34efc0a4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif @@ -819,7 +819,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif index 8ad7f8c9f..7f214dc4d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif @@ -819,7 +819,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif index 0c43a92af..941e9f715 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif @@ -907,7 +907,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif index ac217fcb8..d331414a8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif index 29a6929a9..0ec99b5cb 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif index 45099b0eb..12a1e2f0c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif @@ -852,7 +852,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif index 338193112..a6d9a7f1a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif @@ -874,7 +874,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif index ba4f2fde8..b94dd2d06 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif @@ -852,7 +852,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif index 3a92429e3..33050b7e2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif @@ -662,7 +662,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif index 11c799565..a580b33b9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif index a3ef97edc..3382dc785 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif index 52cf80455..425845a2e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif index 1c1d8a036..a0fadbe0f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif index 394b2991b..5b602bf20 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif index bbfeb49ee..a236a0a31 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif index e716bcead..fa093a63e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif index 138c1311c..4d8b4222d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif @@ -669,7 +669,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif index 848a77d04..9ee9b6394 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif index 90da0b741..8872199ba 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif @@ -678,7 +678,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif index afd9285ad..b7785fb33 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif @@ -669,7 +669,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif index 9b5f9ebef..e7ce2077b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif @@ -668,7 +668,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif index e9a102115..f7379eec8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif index 31c099bae..d98e92285 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif @@ -669,7 +669,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif index b88c0313e..79e6402a2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif @@ -669,7 +669,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif index 46b876b09..7b320d48f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif @@ -670,7 +670,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif index 9d72a33fc..8488db808 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif index 582f6f7df..8df883767 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif @@ -665,7 +665,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif index 3b8bbae0e..05fb48197 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif index 782b6f21b..5e8bfdb5c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif index 8ff2f04e1..830655504 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif index bafa0d52f..f22c75e2a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif index 702dbfb55..9320916ee 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif index c30b5137f..bb6613f3f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif @@ -665,7 +665,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif index 5c3569f84..fdd1efa2a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif index 38b3e16b5..2c9d57081 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif index 448a79676..d8b20305f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif index b20eac785..ba1ba52f0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif @@ -678,7 +678,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif index 5654a09e1..2dbf4e9b6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif index 7d21ab81c..6da9e537e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif index 4d62be53c..e2bd7383d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif @@ -665,7 +665,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif index a2028fdf6..7ebd61fa3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif index 7ee0fe13a..670fe21a6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif index 7cad2e375..99a9595bc 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif @@ -667,7 +667,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif index 76d3b1840..356a7b47c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif @@ -666,7 +666,7 @@ "Warning_NativeWithInsecureStaticLibraryCompilands": { "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, - "Warning_Managed": { + "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { From 703b0009b9ec0025391794837fb69029d6496a7f Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Wed, 20 Jan 2021 11:02:41 -0300 Subject: [PATCH 6/9] updating logic to check if we can process and tests --- .../BA2004.EnableSecureSourceCodeHashing.cs | 2 +- .../Expected/BinSkim.win-x64.ni.dll.sarif | 2 +- .../Expected/BinSkim.win-x86.ni.dll.sarif | 2 +- .../Expected/Binskim.linux-x64.dll.sarif | 121 +++++++++++------- .../Expected/Binskim.win-x64.RTR.dll.sarif | 2 +- .../Expected/Binskim.win-x64.dll.sarif | 121 +++++++++++------- .../Expected/Binskim.win-x86.RTR.dll.sarif | 2 +- .../Expected/Binskim.win-x86.dll.sarif | 121 +++++++++++------- ...otNetCore_win-x64_VS2019_Default.exe.sarif | 2 +- ...InteropAssemblyForAtlTestLibrary.dll.sarif | 121 +++++++++++------- .../Expected/ManagedResourcesOnly.dll.sarif | 121 +++++++++++------- .../MixedMode_x64_VS2013_NoPdb.exe.sarif | 107 ++++++++++------ .../MixedMode_x86_VS2013_MissingPdb.dll.sarif | 105 +++++++++------ ...ve_ARM_VS2015_CvtresResourceOnly.dll.sarif | 121 +++++++++++------- ...ve_x64_VS2015_CvtresResourceOnly.dll.sarif | 121 +++++++++++------- ...ve_x64_VS2019_Atl_NoPdbGenerated.dll.sarif | 107 ++++++++++------ .../Native_x86_VS2013_PdbMissing.exe.sarif | 105 +++++++++------ ...ve_x86_VS2015_CvtresResourceOnly.dll.sarif | 121 +++++++++++------- ...ve_x86_VS2017_15.5.4_PdbStripped.dll.sarif | 105 +++++++++------ .../Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif | 111 ++++++++++------ .../Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif | 105 +++++++++------ .../Uwp_x64_VS2015_DefaultBlankApp.dll.sarif | 113 ++++++++++------ .../Uwp_x64_VS2015_DefaultBlankApp.exe.sarif | 107 ++++++++++------ .../Uwp_x86_VS2015_DefaultBlankApp.dll.sarif | 111 ++++++++++------ .../Uwp_x86_VS2015_DefaultBlankApp.exe.sarif | 105 +++++++++------ .../Wix_3.11.1_VS2017_Bootstrapper.exe.sarif | 2 +- 26 files changed, 1368 insertions(+), 795 deletions(-) diff --git a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs index a825d64e0..969144459 100644 --- a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs +++ b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs @@ -37,7 +37,7 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper { Pdb di = target.Pdb; - if (target.PE.IsManaged && (di?.FileType == PdbFileType.Windows)) + if (target.PE.IsManaged && (di?.FileType == PdbFileType.Windows) || di == null) { reasonForNotAnalyzing = MetadataConditions.CouldNotLoadPdb; return AnalysisApplicability.NotApplicableToSpecifiedTarget; diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif index 60748828d..2c3096bb7 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif @@ -38,7 +38,7 @@ "arguments": [ "BinSkim.win-x64.ni.dll", "EnableSecureSourceCodeHashing", - "image is a managed IL library (i.e., ahead of time compiled) assembly" + "an exception occurred attempting to load its pdb" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif index 00096bf51..71424c657 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif @@ -62,7 +62,7 @@ "arguments": [ "BinSkim.win-x86.ni.dll", "EnableSecureSourceCodeHashing", - "image is a managed IL library (i.e., ahead of time compiled) assembly" + "an exception occurred attempting to load its pdb" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif index c58554b0b..a2d8f2d1b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Binskim.linux-x64.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +462,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +486,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -484,7 +508,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -506,7 +530,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -528,7 +552,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -550,7 +574,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "notApplicable", "level": "none", "message": { @@ -630,6 +654,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1242,30 +1294,7 @@ }, "invocations": [ { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll" - } - } - } - ], - "message": { - "text": "'Binskim.linux-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - } - ], - "executionSuccessful": false + "executionSuccessful": true } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif index 89a865ad3..f453aa1c9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif @@ -38,7 +38,7 @@ "arguments": [ "Binskim.win-x64.RTR.dll", "EnableSecureSourceCodeHashing", - "image is a managed IL library (i.e., ahead of time compiled) assembly" + "an exception occurred attempting to load its pdb" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif index e7b0f7b2d..2e7536457 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Binskim.win-x64.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +462,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +486,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -484,7 +508,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -506,7 +530,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -528,7 +552,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -550,7 +574,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "notApplicable", "level": "none", "message": { @@ -630,6 +654,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1242,30 +1294,7 @@ }, "invocations": [ { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll" - } - } - } - ], - "message": { - "text": "'Binskim.win-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - } - ], - "executionSuccessful": false + "executionSuccessful": true } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif index 43e6ae227..b01e1a094 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif @@ -62,7 +62,7 @@ "arguments": [ "Binskim.win-x86.RTR.dll", "EnableSecureSourceCodeHashing", - "image is a managed IL library (i.e., ahead of time compiled) assembly" + "an exception occurred attempting to load its pdb" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif index 8599c940f..070fe7bf3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Binskim.win-x86.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -436,7 +460,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -458,7 +482,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -480,7 +504,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -502,7 +526,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -524,7 +548,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -546,7 +570,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "notApplicable", "level": "none", "message": { @@ -626,6 +650,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1238,30 +1290,7 @@ }, "invocations": [ { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll" - } - } - } - ], - "message": { - "text": "'Binskim.win-x86.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - } - ], - "executionSuccessful": false + "executionSuccessful": true } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif index 90ed2c3ea..a2d374b96 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif @@ -38,7 +38,7 @@ "arguments": [ "DotNetCore_win-x64_VS2019_Default.exe", "EnableSecureSourceCodeHashing", - "image is a .NET core native bootstrap exe" + "an exception occurred attempting to load its pdb" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif index 58b6243cd..a8fff69ca 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "ManagedInteropAssemblyForAtlTestLibrary.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -436,7 +460,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -458,7 +482,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -480,7 +504,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -502,7 +526,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -524,7 +548,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -546,7 +570,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "notApplicable", "level": "none", "message": { @@ -626,6 +650,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1238,30 +1290,7 @@ }, "invocations": [ { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll" - } - } - } - ], - "message": { - "text": "'ManagedInteropAssemblyForAtlTestLibrary.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - } - ], - "executionSuccessful": false + "executionSuccessful": true } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif index 32d50b831..dce8b1e01 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "ManagedResourcesOnly.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +462,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +486,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -484,7 +508,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -506,7 +530,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -528,7 +552,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -550,7 +574,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -629,6 +653,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1241,30 +1293,7 @@ }, "invocations": [ { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll" - } - } - } - ], - "message": { - "text": "'ManagedResourcesOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - } - ], - "executionSuccessful": false + "executionSuccessful": true } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif index e7455252b..8801f2be0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif @@ -5,10 +5,34 @@ { "results": [ { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 0, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x64_VS2013_NoPdb.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_NoPdb.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 1, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -30,7 +54,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 1, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +78,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -220,7 +244,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -242,7 +266,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +288,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +310,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +332,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -330,7 +354,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +376,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -374,7 +398,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -404,6 +428,34 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -889,27 +941,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_NoPdb.exe" - } - } - } - ], - "message": { - "text": "'MixedMode_x64_VS2013_NoPdb.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif index 2f0da5532..a407bc46d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x86_VS2013_MissingPdb.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2013_MissingPdb.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -220,7 +244,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -242,7 +266,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +288,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +310,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +332,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -330,7 +354,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +376,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -374,7 +398,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -429,6 +453,34 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -889,27 +941,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2013_MissingPdb.dll" - } - } - } - ], - "message": { - "text": "'MixedMode_x86_VS2013_MissingPdb.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif index 9bbbbf7fc..6cfc3f3c0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_ARM_VS2015_CvtresResourceOnly.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_ARM_VS2015_CvtresResourceOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -460,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -482,7 +506,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -504,7 +528,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -526,7 +550,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -548,7 +572,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "notApplicable", "level": "none", "message": { @@ -628,6 +652,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1240,30 +1292,7 @@ }, "invocations": [ { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_ARM_VS2015_CvtresResourceOnly.dll" - } - } - } - ], - "message": { - "text": "'Native_ARM_VS2015_CvtresResourceOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - } - ], - "executionSuccessful": false + "executionSuccessful": true } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif index e07508b9e..b3e597e6f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x64_VS2015_CvtresResourceOnly.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2015_CvtresResourceOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -460,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -482,7 +506,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -504,7 +528,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -526,7 +550,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -548,7 +572,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "notApplicable", "level": "none", "message": { @@ -628,6 +652,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1240,30 +1292,7 @@ }, "invocations": [ { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2015_CvtresResourceOnly.dll" - } - } - } - ], - "message": { - "text": "'Native_x64_VS2015_CvtresResourceOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - } - ], - "executionSuccessful": false + "executionSuccessful": true } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif index 13f37101b..c2bc5c2e7 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif @@ -5,10 +5,34 @@ { "results": [ { - "ruleId": "BA2015", + "ruleId": "BA2004", "ruleIndex": 0, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x64_VS2019_Atl_NoPdbGenerated.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2019_Atl_NoPdbGenerated.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2015", + "ruleIndex": 1, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -30,7 +54,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 1, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +78,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -220,7 +244,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -242,7 +266,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 10, + "ruleIndex": 11, "level": "error", "message": { "id": "Error", @@ -263,7 +287,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -285,7 +309,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -307,7 +331,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -329,7 +353,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -351,7 +375,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -373,7 +397,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -403,6 +427,34 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2015", "fullDescription": { @@ -888,27 +940,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2019_Atl_NoPdbGenerated.dll" - } - } - } - ], - "message": { - "text": "'Native_x64_VS2019_Atl_NoPdbGenerated.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif index 5ffb2f989..8a8c59b1e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2013_PdbMissing.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2013_PdbMissing.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -220,7 +244,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -242,7 +266,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +288,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +310,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +332,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 14, "level": "error", "message": { "id": "Error", @@ -330,7 +354,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +376,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 15, + "ruleIndex": 16, "level": "error", "message": { "id": "Error", @@ -374,7 +398,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -429,6 +453,34 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -889,27 +941,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2013_PdbMissing.exe" - } - } - } - ], - "message": { - "text": "'Native_x86_VS2013_PdbMissing.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif index b9e7b8fac..8525227d8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif @@ -53,10 +53,34 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2004", "ruleIndex": 2, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2015_CvtresResourceOnly.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2015_CvtresResourceOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -78,7 +102,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -460,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -482,7 +506,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -504,7 +528,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -526,7 +550,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -548,7 +572,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "notApplicable", "level": "none", "message": { @@ -628,6 +652,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2006", "fullDescription": { @@ -1240,30 +1292,7 @@ }, "invocations": [ { - "toolConfigurationNotifications": [ - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2015_CvtresResourceOnly.dll" - } - } - } - ], - "message": { - "text": "'Native_x86_VS2015_CvtresResourceOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - } - ], - "executionSuccessful": false + "executionSuccessful": true } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif index 52f86fbef..50afbc7dd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2017_15.5.4_PdbStripped.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2017_15.5.4_PdbStripped.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2015", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -196,7 +220,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -218,7 +242,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -240,7 +264,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -262,7 +286,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -284,7 +308,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -306,7 +330,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -328,7 +352,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -350,7 +374,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -372,7 +396,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -427,6 +451,34 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2015", "fullDescription": { @@ -887,27 +939,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2017_15.5.4_PdbStripped.dll" - } - } - } - ], - "message": { - "text": "'Native_x86_VS2017_15.5.4_PdbStripped.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif index e6cacd530..eb1fc3c32 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_ARM_VS2015_DefaultBlankApp.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -340,7 +364,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -362,7 +386,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -384,7 +408,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -406,7 +430,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -428,7 +452,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -450,7 +474,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -505,6 +529,34 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -1049,27 +1101,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.dll" - } - } - } - ], - "message": { - "text": "'Uwp_ARM_VS2015_DefaultBlankApp.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif index 238808712..eee3b55ac 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_ARM_VS2015_DefaultBlankApp.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -244,7 +268,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -266,7 +290,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -288,7 +312,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -310,7 +334,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -332,7 +356,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -354,7 +378,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -376,7 +400,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -431,6 +455,34 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -891,27 +943,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.exe" - } - } - } - ], - "message": { - "text": "'Uwp_ARM_VS2015_DefaultBlankApp.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif index b87ba923a..9995d0272 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif @@ -5,10 +5,34 @@ { "results": [ { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 0, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x64_VS2015_DefaultBlankApp.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 1, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -30,7 +54,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 1, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +78,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -340,7 +364,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -362,7 +386,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -384,7 +408,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -406,7 +430,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -428,7 +452,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -450,7 +474,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -480,6 +504,34 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -1049,27 +1101,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.dll" - } - } - } - ], - "message": { - "text": "'Uwp_x64_VS2015_DefaultBlankApp.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif index a9a214774..4ea322d74 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif @@ -5,10 +5,34 @@ { "results": [ { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 0, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x64_VS2015_DefaultBlankApp.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 1, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -30,7 +54,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 1, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +78,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -220,7 +244,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -242,7 +266,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +288,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +310,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +332,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -330,7 +354,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +376,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -374,7 +398,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -404,6 +428,34 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -889,27 +941,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.exe" - } - } - } - ], - "message": { - "text": "'Uwp_x64_VS2015_DefaultBlankApp.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif index b3d1bcc0f..f91cf4755 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x86_VS2015_DefaultBlankApp.dll", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -316,7 +340,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -338,7 +362,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -360,7 +384,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -382,7 +406,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -404,7 +428,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -426,7 +450,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -448,7 +472,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -503,6 +527,34 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -1047,27 +1099,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.dll" - } - } - } - ], - "message": { - "text": "'Uwp_x86_VS2015_DefaultBlankApp.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif index af0f95fb0..0717a2e0c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif @@ -29,10 +29,34 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2004", "ruleIndex": 1, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x86_VS2015_DefaultBlankApp.exe", + "EnableSecureSourceCodeHashing", + "an exception occurred attempting to load its pdb" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -54,7 +78,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 2, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +102,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 3, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +126,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 4, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +150,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 5, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +174,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 6, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +198,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 7, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +222,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -220,7 +244,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -242,7 +266,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -264,7 +288,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -286,7 +310,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -308,7 +332,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -330,7 +354,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -352,7 +376,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -374,7 +398,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -429,6 +453,34 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2008", "fullDescription": { @@ -889,27 +941,6 @@ "id": "BA2002" } }, - { - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.exe" - } - } - } - ], - "message": { - "text": "'Uwp_x86_VS2015_DefaultBlankApp.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." - }, - "level": "error", - "descriptor": { - "id": "ERR997.ExceptionLoadingPdb" - }, - "associatedRule": { - "id": "BA2004" - } - }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif index 33050b7e2..f91f60cfd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif @@ -62,7 +62,7 @@ "arguments": [ "Wix_3.11.1_VS2017_Bootstrapper.exe", "EnableSecureSourceCodeHashing", - "image appears to be a WiX bootstrapper application" + "an exception occurred attempting to load its pdb" ] }, "locations": [ From 2bb08fce39654046dad58e1505d3f3b6965aa54f Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Wed, 20 Jan 2021 12:59:48 -0300 Subject: [PATCH 7/9] adding more tests --- .../BA2004.EnableSecureSourceCodeHashing.cs | 42 ++++-- src/BinaryParsers/BinaryParsers.csproj | 6 + .../PEBinary/PortableExecutable/PE.cs | 43 +++++- .../PortableExecutable/SymMetadataProvider.cs | 105 ++++++++++++++ ...otNetCore_win-x64_VS2019_Default.exe.sarif | 2 +- ...aged_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif | 126 ++++++++--------- ...anaged_AnyCPU_VS2017_Prefer32Bit.exe.sarif | 130 +++++++++-------- .../Managed_x64_VS2015_FSharp.exe.sarif | 132 +++++++++--------- .../Expected/Managed_x86_VS2013_Wpf.exe.sarif | 130 +++++++++-------- .../Managed_x86_VS2015_FSharp.dll.sarif | 130 +++++++++-------- .../MixedMode_x64_VS2013_Default.dll.sarif | 120 ++++++++-------- .../MixedMode_x64_VS2015_Default.exe.sarif | 114 ++++++++------- .../MixedMode_x86_VS2013_Default.exe.sarif | 100 +++++++------ .../MixedMode_x86_VS2015_Default.exe.sarif | 100 +++++++------ ...ve_ARM_VS2015_CvtresResourceOnly.dll.sarif | 121 ++++++---------- ...ve_x64_VS2015_CvtresResourceOnly.dll.sarif | 121 ++++++---------- ...ve_x64_VS2019_Atl_NoPdbGenerated.dll.sarif | 107 +++++--------- .../Native_x86_VS2013_PdbMissing.exe.sarif | 105 +++++--------- ...ve_x86_VS2015_CvtresResourceOnly.dll.sarif | 121 ++++++---------- ...ve_x86_VS2017_15.5.4_PdbStripped.dll.sarif | 105 +++++--------- .../Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif | 111 ++++++--------- .../Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif | 105 +++++--------- .../Expected/Uwp_ARM_VS2017_VB.dll.sarif | 132 +++++++++--------- ...wp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif | 130 +++++++++-------- .../Uwp_x64_VS2015_DefaultBlankApp.dll.sarif | 113 ++++++--------- .../Uwp_x64_VS2015_DefaultBlankApp.exe.sarif | 107 +++++--------- .../Uwp_x86_VS2015_DefaultBlankApp.dll.sarif | 111 ++++++--------- .../Uwp_x86_VS2015_DefaultBlankApp.exe.sarif | 105 +++++--------- .../Wix_3.11.1_VS2017_Bootstrapper.exe.sarif | 2 +- .../Fail/Managed_net48_full_exe_sha1.exe | Bin 0 -> 5120 bytes .../Fail/Managed_net48_full_exe_sha1.pdb | Bin 0 -> 19968 bytes .../Fail/Managed_net48_full_sha1.dll | Bin 0 -> 4096 bytes .../Fail/Managed_net48_full_sha1.pdb | Bin 0 -> 15872 bytes .../Pass/Managed_net48_full_exe_sha256.exe | Bin 0 -> 5120 bytes .../Pass/Managed_net48_full_exe_sha256.pdb | Bin 0 -> 19968 bytes .../Pass/Managed_net48_full_sha256.dll | Bin 0 -> 4096 bytes .../Pass/Managed_net48_full_sha256.pdb | Bin 0 -> 15872 bytes 37 files changed, 1317 insertions(+), 1559 deletions(-) create mode 100644 src/BinaryParsers/PEBinary/PortableExecutable/SymMetadataProvider.cs create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.exe create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_exe_sha256.exe create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_exe_sha256.pdb create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_sha256.dll create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_sha256.pdb diff --git a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs index 969144459..c664927ca 100644 --- a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs +++ b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs @@ -37,7 +37,7 @@ public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.Proper { Pdb di = target.Pdb; - if (target.PE.IsManaged && (di?.FileType == PdbFileType.Windows) || di == null) + if (target.PE.IsManaged && di == null) { reasonForNotAnalyzing = MetadataConditions.CouldNotLoadPdb; return AnalysisApplicability.NotApplicableToSpecifiedTarget; @@ -61,18 +61,38 @@ public override void AnalyzePortableExecutableAndPdb(BinaryAnalyzerContext conte private void AnalyzeManagedAssemblyAndPdb(BinaryAnalyzerContext context) { PEBinary target = context.PEBinary(); + Pdb di = target.Pdb; - if (!target.PE.IsChecksumAlgorithmSecure()) + // Checking if it is full pdb + if (di.FileType == PdbFileType.Windows) { - // '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. - // SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. - // Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project - // property with 'SHA256' to enable secure source code hashing. - context.Logger.Log(this, - RuleUtilities.BuildResult(ResultKind.Fail, context, null, - nameof(RuleResources.BA2004_Error_Managed), - context.TargetUri.GetFileName())); - return; + if (!target.PE.IsChecksumAlgorithmSecureForFullPdb()) + { + // '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. + // SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. + // Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project + // property with 'SHA256' to enable secure source code hashing. + context.Logger.Log(this, + RuleUtilities.BuildResult(ResultKind.Fail, context, null, + nameof(RuleResources.BA2004_Error_Managed), + context.TargetUri.GetFileName())); + return; + } + } + else + { + if (!target.PE.IsChecksumAlgorithmSecureForPortablePdb()) + { + // '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. + // SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. + // Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project + // property with 'SHA256' to enable secure source code hashing. + context.Logger.Log(this, + RuleUtilities.BuildResult(ResultKind.Fail, context, null, + nameof(RuleResources.BA2004_Error_Managed), + context.TargetUri.GetFileName())); + return; + } } // '{0}' is a {1} binary which was compiled with a secure (SHA-256) diff --git a/src/BinaryParsers/BinaryParsers.csproj b/src/BinaryParsers/BinaryParsers.csproj index 5976d88c9..fd93ccb25 100644 --- a/src/BinaryParsers/BinaryParsers.csproj +++ b/src/BinaryParsers/BinaryParsers.csproj @@ -5,6 +5,12 @@ Microsoft.CodeAnalysis.BinaryParsers $(NetStandardVersion) + + true + + + true + diff --git a/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs b/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs index 22de7c6ea..e517a3b42 100644 --- a/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs +++ b/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs @@ -10,6 +10,9 @@ using System.Reflection.PortableExecutable; using System.Security.Cryptography; +using Microsoft.DiaSymReader; +using Microsoft.DiaSymReader.Tools; + namespace Microsoft.CodeAnalysis.BinaryParsers.PortableExecutable { public class PE : IDisposable @@ -90,7 +93,6 @@ public void Dispose() } } - public Exception LoadException { get; set; } public Uri Uri { get; set; } @@ -263,7 +265,6 @@ public byte[] ImageBytes } } - /// /// Calculate SHA1 over the file contents /// @@ -789,7 +790,7 @@ public bool IsWixBinary } } - public bool IsChecksumAlgorithmSecure() + public bool IsChecksumAlgorithmSecureForPortablePdb() { const string sha256 = "8829d00f-11b8-4213-878b-770e8597ac16"; var sha256guid = new Guid(sha256); @@ -813,5 +814,41 @@ public bool IsChecksumAlgorithmSecure() return false; } + + public bool IsChecksumAlgorithmSecureForFullPdb() + { + const string sha256 = "8829d00f-11b8-4213-878b-770e8597ac16"; + var sha256guid = new Guid(sha256); + string fileName = Path.GetFileName(this.FileName); + string extension = Path.GetExtension(fileName); + string pdbPath = this.FileName.Replace(fileName, fileName.Replace(extension, ".pdb")); + + if (!File.Exists(pdbPath)) + { + return false; + } + + using var pdbStream = new FileStream(pdbPath, FileMode.Open, FileAccess.Read); + + var metadataProvider = new SymMetadataProvider(this.metadataReader); + object importer = SymUnmanagedReaderFactory.CreateSymReaderMetadataImport(metadataProvider); + ISymUnmanagedReader3 reader = SymUnmanagedReaderFactory.CreateReaderWithMetadataImport(pdbStream, importer, SymUnmanagedReaderCreationOptions.UseComRegistry); + + try + { + Guid algorithm = Guid.Empty; + foreach (ISymUnmanagedDocument document in reader.GetDocuments()) + { + document.GetChecksumAlgorithmId(ref algorithm); + return algorithm == sha256guid; + } + } + finally + { + _ = ((ISymUnmanagedDispose)reader).Destroy(); + } + + return false; + } } } diff --git a/src/BinaryParsers/PEBinary/PortableExecutable/SymMetadataProvider.cs b/src/BinaryParsers/PEBinary/PortableExecutable/SymMetadataProvider.cs new file mode 100644 index 000000000..e623024e4 --- /dev/null +++ b/src/BinaryParsers/PEBinary/PortableExecutable/SymMetadataProvider.cs @@ -0,0 +1,105 @@ +// Copyright (c) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE file in the project root for full license information. + +using System.Diagnostics.CodeAnalysis; +using System.Reflection; +using System.Reflection.Metadata; +using System.Reflection.Metadata.Ecma335; + +namespace Microsoft.DiaSymReader.Tools +{ + internal sealed class SymMetadataProvider : ISymWriterMetadataProvider, ISymReaderMetadataProvider + { + private readonly MetadataReader _reader; + + internal SymMetadataProvider(MetadataReader reader) + { + _reader = reader; + } + + public unsafe bool TryGetStandaloneSignature(int standaloneSignatureToken, out byte* signature, out int length) + { + var sigHandle = (StandaloneSignatureHandle)MetadataTokens.Handle(standaloneSignatureToken); + if (sigHandle.IsNil) + { + signature = null; + length = 0; + return false; + } + + StandaloneSignature sig = _reader.GetStandaloneSignature(sigHandle); + BlobReader blobReader = _reader.GetBlobReader(sig.Signature); + + signature = blobReader.StartPointer; + length = blobReader.Length; + return true; + } + + public bool TryGetTypeDefinitionInfo(int typeDefinitionToken, [NotNullWhen(true)] out string namespaceName, [NotNullWhen(true)] out string typeName, out TypeAttributes attributes) + { + var handle = (TypeDefinitionHandle)MetadataTokens.Handle(typeDefinitionToken); + if (handle.IsNil) + { + namespaceName = null; + typeName = null; + attributes = 0; + return false; + } + + TypeDefinition typeDefinition = _reader.GetTypeDefinition(handle); + namespaceName = _reader.GetString(typeDefinition.Namespace); + typeName = _reader.GetString(typeDefinition.Name); + attributes = typeDefinition.Attributes; + return true; + } + + public bool TryGetTypeReferenceInfo(int typeReferenceToken, [NotNullWhen(true)] out string namespaceName, [NotNullWhen(true)] out string typeName) + { + var handle = (TypeReferenceHandle)MetadataTokens.Handle(typeReferenceToken); + if (handle.IsNil) + { + namespaceName = null; + typeName = null; + return false; + } + + TypeReference typeReference = _reader.GetTypeReference(handle); + namespaceName = _reader.GetString(typeReference.Namespace); + typeName = _reader.GetString(typeReference.Name); + return true; + } + + public bool TryGetEnclosingType(int nestedTypeToken, out int enclosingTypeToken) + { + TypeDefinition nestedTypeDef = _reader.GetTypeDefinition(MetadataTokens.TypeDefinitionHandle(nestedTypeToken)); + TypeDefinitionHandle declaringTypeHandle = nestedTypeDef.GetDeclaringType(); + + if (declaringTypeHandle.IsNil) + { + enclosingTypeToken = 0; + return false; + } + else + { + enclosingTypeToken = MetadataTokens.GetToken(declaringTypeHandle); + return true; + } + } + + public bool TryGetMethodInfo(int methodDefinitionToken, [NotNullWhen(true)] out string methodName, out int declaringTypeToken) + { + var handle = (MethodDefinitionHandle)MetadataTokens.Handle(methodDefinitionToken); + if (handle.IsNil) + { + methodName = null; + declaringTypeToken = 0; + return false; + } + + MethodDefinition methodDefinition = _reader.GetMethodDefinition(handle); + methodName = _reader.GetString(methodDefinition.Name); + declaringTypeToken = MetadataTokens.GetToken(methodDefinition.GetDeclaringType()); + return true; + } + } +} diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif index a2d374b96..90ed2c3ea 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif @@ -38,7 +38,7 @@ "arguments": [ "DotNetCore_win-x64_VS2019_Default.exe", "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "image is a .NET core native bootstrap exe" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif index ad37f7b45..46809b189 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2006", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,8 +61,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "BuildWithSecureTools", + "image is a managed IL-only assembly" ] }, "locations": [ @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2006", + "ruleId": "BA2007", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "BuildWithSecureTools", + "EnableCriticalCompilerWarnings", "image is a managed IL-only assembly" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2007", + "ruleId": "BA2008", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableCriticalCompilerWarnings", + "EnableControlFlowGuard", "image is a managed IL-only assembly" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableControlFlowGuard", + "DoNotMarkImportsSectionAsExecutable", "image is a managed IL-only assembly" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA2010", + "ruleId": "BA2011", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotMarkImportsSectionAsExecutable", + "EnableStackProtection", "image is a managed IL-only assembly" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA2011", + "ruleId": "BA2012", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableStackProtection", + "DoNotModifyStackProtectionCookie", "image is a managed IL-only assembly" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA2012", + "ruleId": "BA2013", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotModifyStackProtectionCookie", + "InitializeStackProtection", "image is a managed IL-only assembly" ] }, @@ -221,7 +221,7 @@ ] }, { - "ruleId": "BA2013", + "ruleId": "BA2014", "ruleIndex": 9, "kind": "notApplicable", "level": "none", @@ -229,7 +229,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "InitializeStackProtection", + "DoNotDisableStackProtectionForFunctions", "image is a managed IL-only assembly" ] }, @@ -245,7 +245,7 @@ ] }, { - "ruleId": "BA2014", + "ruleId": "BA2024", "ruleIndex": 10, "kind": "notApplicable", "level": "none", @@ -253,7 +253,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotDisableStackProtectionForFunctions", + "EnableSpectreMitigations", "image is a managed IL-only assembly" ] }, @@ -269,7 +269,7 @@ ] }, { - "ruleId": "BA2024", + "ruleId": "BA3001", "ruleIndex": 11, "kind": "notApplicable", "level": "none", @@ -277,8 +277,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableSpectreMitigations", - "image is a managed IL-only assembly" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -293,7 +293,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 12, "kind": "notApplicable", "level": "none", @@ -301,7 +301,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -317,7 +317,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 13, "kind": "notApplicable", "level": "none", @@ -325,7 +325,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -341,7 +341,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 14, "kind": "notApplicable", "level": "none", @@ -349,7 +349,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -365,7 +365,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 15, "kind": "notApplicable", "level": "none", @@ -373,7 +373,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -389,16 +389,12 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2004", "ruleIndex": 16, - "kind": "notApplicable", - "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Error_Managed", "arguments": [ - "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe" ] }, "locations": [ @@ -647,34 +643,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1058,6 +1026,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif index 145e291e4..62145310a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_AnyCPU_VS2017_Prefer32Bit.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Error_Managed", + "arguments": [ + "Managed_AnyCPU_VS2017_Prefer32Bit.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -650,34 +646,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1060,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif index 14402fe4c..7d0e4f2c8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_x64_VS2015_FSharp.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x64_VS2015_FSharp.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -460,6 +436,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 18, + "message": { + "id": "Error_Managed", + "arguments": [ + "Managed_x64_VS2015_FSharp.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x64_VS2015_FSharp.exe", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 19, @@ -652,34 +648,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1116,6 +1084,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif index f69eb971a..00ec8dc24 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_x86_VS2013_Wpf.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2013_Wpf.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Error_Managed", + "arguments": [ + "Managed_x86_VS2013_Wpf.exe" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2013_Wpf.exe", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -650,34 +646,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1060,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif index 8c08ea7ae..e8b058a11 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Managed_x86_VS2015_FSharp.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Error_Managed", + "arguments": [ + "Managed_x86_VS2015_FSharp.dll" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -650,34 +646,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1060,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif index d7403b556..31062f18e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif @@ -5,7 +5,7 @@ { "results": [ { - "ruleId": "BA2004", + "ruleId": "BA2008", "ruleIndex": 0, "kind": "notApplicable", "level": "none", @@ -13,8 +13,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "EnableControlFlowGuard", + "image is a mixed mode binary" ] }, "locations": [ @@ -29,7 +29,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2015", "ruleIndex": 1, "kind": "notApplicable", "level": "none", @@ -37,8 +37,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableControlFlowGuard", - "image is a mixed mode binary" + "EnableHighEntropyVirtualAddresses", + "image is not an executable program" ] }, "locations": [ @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2015", + "ruleId": "BA2016", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,8 +61,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableHighEntropyVirtualAddresses", - "image is not an executable program" + "MarkImageAsNXCompatible", + "image is a 64-bit binary" ] }, "locations": [ @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2016", + "ruleId": "BA2018", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,8 +85,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "MarkImageAsNXCompatible", - "image is a 64-bit binary" + "EnableSafeSEH", + "image is not a 32-bit binary" ] }, "locations": [ @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA2018", + "ruleId": "BA3001", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,8 +109,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableSafeSEH", - "image is not a 32-bit binary" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -197,7 +197,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 8, "kind": "notApplicable", "level": "none", @@ -205,7 +205,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2013_Default.dll", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -221,16 +221,14 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2001", "ruleIndex": 9, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ - "MixedMode_x64_VS2013_Default.dll", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "MixedMode_x64_VS2013_Default.dll" ] }, "locations": [ @@ -245,7 +243,7 @@ ] }, { - "ruleId": "BA2001", + "ruleId": "BA2002", "ruleIndex": 10, "kind": "pass", "level": "none", @@ -267,12 +265,10 @@ ] }, { - "ruleId": "BA2002", + "ruleId": "BA2004", "ruleIndex": 11, - "kind": "pass", - "level": "none", "message": { - "id": "Pass", + "id": "Error_Managed", "arguments": [ "MixedMode_x64_VS2013_Default.dll" ] @@ -586,34 +582,6 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -898,6 +866,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif index ea7dce8d9..42c266a3f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif @@ -5,7 +5,7 @@ { "results": [ { - "ruleId": "BA2004", + "ruleId": "BA2008", "ruleIndex": 0, "kind": "notApplicable", "level": "none", @@ -13,8 +13,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2015_Default.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "EnableControlFlowGuard", + "image is a mixed mode binary" ] }, "locations": [ @@ -29,7 +29,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA2016", "ruleIndex": 1, "kind": "notApplicable", "level": "none", @@ -37,8 +37,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2015_Default.exe", - "EnableControlFlowGuard", - "image is a mixed mode binary" + "MarkImageAsNXCompatible", + "image is a 64-bit binary" ] }, "locations": [ @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2016", + "ruleId": "BA2018", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,8 +61,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2015_Default.exe", - "MarkImageAsNXCompatible", - "image is a 64-bit binary" + "EnableSafeSEH", + "image is not a 32-bit binary" ] }, "locations": [ @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA2018", + "ruleId": "BA3001", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,8 +85,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2015_Default.exe", - "EnableSafeSEH", - "image is not a 32-bit binary" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2015_Default.exe", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2015_Default.exe", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2015_Default.exe", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -173,7 +173,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 7, "kind": "notApplicable", "level": "none", @@ -181,7 +181,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x64_VS2015_Default.exe", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -197,16 +197,14 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2001", "ruleIndex": 8, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ - "MixedMode_x64_VS2015_Default.exe", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "MixedMode_x64_VS2015_Default.exe" ] }, "locations": [ @@ -221,7 +219,7 @@ ] }, { - "ruleId": "BA2001", + "ruleId": "BA2002", "ruleIndex": 9, "kind": "pass", "level": "none", @@ -243,12 +241,10 @@ ] }, { - "ruleId": "BA2002", + "ruleId": "BA2004", "ruleIndex": 10, - "kind": "pass", - "level": "none", "message": { - "id": "Pass", + "id": "Error_Managed", "arguments": [ "MixedMode_x64_VS2015_Default.exe" ] @@ -584,34 +580,6 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -865,6 +833,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif index 5e59c3221..df92e84a2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif @@ -29,7 +29,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2008", "ruleIndex": 1, "kind": "notApplicable", "level": "none", @@ -37,8 +37,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2013_Default.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "EnableControlFlowGuard", + "image is a mixed mode binary" ] }, "locations": [ @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA3001", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,8 +61,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2013_Default.exe", - "EnableControlFlowGuard", - "image is a mixed mode binary" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2013_Default.exe", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2013_Default.exe", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2013_Default.exe", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2013_Default.exe", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -173,16 +173,14 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2002", "ruleIndex": 7, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ - "MixedMode_x86_VS2013_Default.exe", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "MixedMode_x86_VS2013_Default.exe" ] }, "locations": [ @@ -197,12 +195,10 @@ ] }, { - "ruleId": "BA2002", + "ruleId": "BA2004", "ruleIndex": 8, - "kind": "pass", - "level": "none", "message": { - "id": "Pass", + "id": "Error_Managed", "arguments": [ "MixedMode_x86_VS2013_Default.exe" ] @@ -606,34 +602,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -809,6 +777,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif index bfcefb7e3..030986fbf 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif @@ -29,7 +29,7 @@ ] }, { - "ruleId": "BA2004", + "ruleId": "BA2008", "ruleIndex": 1, "kind": "notApplicable", "level": "none", @@ -37,8 +37,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2015_Default.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "EnableControlFlowGuard", + "image is a mixed mode binary" ] }, "locations": [ @@ -53,7 +53,7 @@ ] }, { - "ruleId": "BA2008", + "ruleId": "BA3001", "ruleIndex": 2, "kind": "notApplicable", "level": "none", @@ -61,8 +61,8 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2015_Default.exe", - "EnableControlFlowGuard", - "image is a mixed mode binary" + "EnablePositionIndependentExecutable", + "image is not an ELF binary" ] }, "locations": [ @@ -77,7 +77,7 @@ ] }, { - "ruleId": "BA3001", + "ruleId": "BA3002", "ruleIndex": 3, "kind": "notApplicable", "level": "none", @@ -85,7 +85,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2015_Default.exe", - "EnablePositionIndependentExecutable", + "DoNotMarkStackAsExecutable", "image is not an ELF binary" ] }, @@ -101,7 +101,7 @@ ] }, { - "ruleId": "BA3002", + "ruleId": "BA3003", "ruleIndex": 4, "kind": "notApplicable", "level": "none", @@ -109,7 +109,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2015_Default.exe", - "DoNotMarkStackAsExecutable", + "EnableStackProtector", "image is not an ELF binary" ] }, @@ -125,7 +125,7 @@ ] }, { - "ruleId": "BA3003", + "ruleId": "BA3010", "ruleIndex": 5, "kind": "notApplicable", "level": "none", @@ -133,7 +133,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2015_Default.exe", - "EnableStackProtector", + "EnableReadOnlyRelocations", "image is not an ELF binary" ] }, @@ -149,7 +149,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3030", "ruleIndex": 6, "kind": "notApplicable", "level": "none", @@ -157,7 +157,7 @@ "id": "NotApplicable_InvalidMetadata", "arguments": [ "MixedMode_x86_VS2015_Default.exe", - "EnableReadOnlyRelocations", + "UseCheckedFunctionsWithGcc", "image is not an ELF binary" ] }, @@ -173,16 +173,14 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA2002", "ruleIndex": 7, - "kind": "notApplicable", + "kind": "pass", "level": "none", "message": { - "id": "NotApplicable_InvalidMetadata", + "id": "Pass", "arguments": [ - "MixedMode_x86_VS2015_Default.exe", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" + "MixedMode_x86_VS2015_Default.exe" ] }, "locations": [ @@ -197,12 +195,10 @@ ] }, { - "ruleId": "BA2002", + "ruleId": "BA2004", "ruleIndex": 8, - "kind": "pass", - "level": "none", "message": { - "id": "Pass", + "id": "Error_Managed", "arguments": [ "MixedMode_x86_VS2015_Default.exe" ] @@ -606,34 +602,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -809,6 +777,34 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif index 6cfc3f3c0..9bbbbf7fc 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Native_ARM_VS2015_CvtresResourceOnly.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_ARM_VS2015_CvtresResourceOnly.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -484,7 +460,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -506,7 +482,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -528,7 +504,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -550,7 +526,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -572,7 +548,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -652,34 +628,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1292,7 +1240,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_ARM_VS2015_CvtresResourceOnly.dll" + } + } + } + ], + "message": { + "text": "'Native_ARM_VS2015_CvtresResourceOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif index b3e597e6f..e07508b9e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Native_x64_VS2015_CvtresResourceOnly.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2015_CvtresResourceOnly.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -484,7 +460,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -506,7 +482,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -528,7 +504,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -550,7 +526,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -572,7 +548,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -652,34 +628,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1292,7 +1240,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2015_CvtresResourceOnly.dll" + } + } + } + ], + "message": { + "text": "'Native_x64_VS2015_CvtresResourceOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif index c2bc5c2e7..13f37101b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif @@ -4,33 +4,9 @@ "runs": [ { "results": [ - { - "ruleId": "BA2004", - "ruleIndex": 0, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Native_x64_VS2019_Atl_NoPdbGenerated.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2019_Atl_NoPdbGenerated.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2015", - "ruleIndex": 1, + "ruleIndex": 0, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +30,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -244,7 +220,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -266,7 +242,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 11, + "ruleIndex": 10, "level": "error", "message": { "id": "Error", @@ -287,7 +263,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -309,7 +285,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -331,7 +307,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -353,7 +329,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -375,7 +351,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -397,7 +373,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -427,34 +403,6 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2015", "fullDescription": { @@ -940,6 +888,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2019_Atl_NoPdbGenerated.dll" + } + } + } + ], + "message": { + "text": "'Native_x64_VS2019_Atl_NoPdbGenerated.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif index 8a8c59b1e..5ffb2f989 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif @@ -28,33 +28,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 1, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Native_x86_VS2013_PdbMissing.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2013_PdbMissing.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -244,7 +220,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -266,7 +242,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -288,7 +264,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -310,7 +286,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -332,7 +308,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 14, + "ruleIndex": 13, "level": "error", "message": { "id": "Error", @@ -354,7 +330,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -376,7 +352,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 16, + "ruleIndex": 15, "level": "error", "message": { "id": "Error", @@ -398,7 +374,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -453,34 +429,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -941,6 +889,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2013_PdbMissing.exe" + } + } + } + ], + "message": { + "text": "'Native_x86_VS2013_PdbMissing.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif index 8525227d8..b9e7b8fac 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Native_x86_VS2015_CvtresResourceOnly.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2015_CvtresResourceOnly.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -484,7 +460,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -506,7 +482,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -528,7 +504,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -550,7 +526,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -572,7 +548,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -652,34 +628,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1292,7 +1240,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2015_CvtresResourceOnly.dll" + } + } + } + ], + "message": { + "text": "'Native_x86_VS2015_CvtresResourceOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif index 50afbc7dd..52f86fbef 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif @@ -28,33 +28,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 1, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Native_x86_VS2017_15.5.4_PdbStripped.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2017_15.5.4_PdbStripped.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2015", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "pass", "level": "none", "message": { @@ -220,7 +196,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -242,7 +218,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -264,7 +240,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -286,7 +262,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -308,7 +284,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -330,7 +306,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -352,7 +328,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -374,7 +350,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -396,7 +372,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -451,34 +427,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2015", "fullDescription": { @@ -939,6 +887,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2017_15.5.4_PdbStripped.dll" + } + } + } + ], + "message": { + "text": "'Native_x86_VS2017_15.5.4_PdbStripped.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif index eb1fc3c32..e6cacd530 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif @@ -28,33 +28,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 1, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_ARM_VS2015_DefaultBlankApp.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -364,7 +340,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -386,7 +362,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -408,7 +384,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -430,7 +406,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -452,7 +428,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -474,7 +450,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -529,34 +505,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -1101,6 +1049,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.dll" + } + } + } + ], + "message": { + "text": "'Uwp_ARM_VS2015_DefaultBlankApp.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif index eee3b55ac..238808712 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif @@ -28,33 +28,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 1, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_ARM_VS2015_DefaultBlankApp.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -268,7 +244,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -290,7 +266,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -312,7 +288,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -334,7 +310,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -356,7 +332,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -378,7 +354,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -400,7 +376,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -455,34 +431,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -943,6 +891,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.exe" + } + } + } + ], + "message": { + "text": "'Uwp_ARM_VS2015_DefaultBlankApp.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif index d331414a8..c69b11c5b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_ARM_VS2017_VB.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -460,6 +436,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 18, + "message": { + "id": "Error_Managed", + "arguments": [ + "Uwp_ARM_VS2017_VB.dll" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 19, @@ -652,34 +648,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1122,6 +1090,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif index 0ec99b5cb..465618e06 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -436,6 +412,26 @@ } ] }, + { + "ruleId": "BA2004", + "ruleIndex": 17, + "message": { + "id": "Error_Managed", + "arguments": [ + "Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", + "index": 0 + } + } + } + ] + }, { "ruleId": "BA2005", "ruleIndex": 18, @@ -650,34 +646,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1092,6 +1060,34 @@ }, "name": "UseCheckedFunctionsWithGcc" }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, { "id": "BA2005", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif index 9995d0272..b87ba923a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif @@ -4,33 +4,9 @@ "runs": [ { "results": [ - { - "ruleId": "BA2004", - "ruleIndex": 0, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_x64_VS2015_DefaultBlankApp.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 1, + "ruleIndex": 0, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +30,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -364,7 +340,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -386,7 +362,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -408,7 +384,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -430,7 +406,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -452,7 +428,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -474,7 +450,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -504,34 +480,6 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -1101,6 +1049,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.dll" + } + } + } + ], + "message": { + "text": "'Uwp_x64_VS2015_DefaultBlankApp.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif index 4ea322d74..a9a214774 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif @@ -4,33 +4,9 @@ "runs": [ { "results": [ - { - "ruleId": "BA2004", - "ruleIndex": 0, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_x64_VS2015_DefaultBlankApp.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 1, + "ruleIndex": 0, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +30,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -244,7 +220,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -266,7 +242,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -288,7 +264,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -310,7 +286,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -332,7 +308,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -354,7 +330,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -376,7 +352,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -398,7 +374,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -428,34 +404,6 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -941,6 +889,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.exe" + } + } + } + ], + "message": { + "text": "'Uwp_x64_VS2015_DefaultBlankApp.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif index f91cf4755..b3d1bcc0f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif @@ -28,33 +28,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 1, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_x86_VS2015_DefaultBlankApp.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -340,7 +316,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -362,7 +338,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -384,7 +360,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -406,7 +382,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -428,7 +404,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -450,7 +426,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -472,7 +448,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -527,34 +503,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -1099,6 +1047,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.dll" + } + } + } + ], + "message": { + "text": "'Uwp_x86_VS2015_DefaultBlankApp.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif index 0717a2e0c..af0f95fb0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif @@ -28,33 +28,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 1, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Uwp_x86_VS2015_DefaultBlankApp.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -244,7 +220,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -266,7 +242,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -288,7 +264,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -310,7 +286,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -332,7 +308,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -354,7 +330,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -376,7 +352,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -398,7 +374,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -453,34 +429,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -941,6 +889,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.exe" + } + } + } + ], + "message": { + "text": "'Uwp_x86_VS2015_DefaultBlankApp.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif index f91f60cfd..33050b7e2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif @@ -62,7 +62,7 @@ "arguments": [ "Wix_3.11.1_VS2017_Bootstrapper.exe", "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "image appears to be a WiX bootstrapper application" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.exe b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.exe new file mode 100644 index 0000000000000000000000000000000000000000..0ffd9afd98d6787b740e4f1b31412d5724985e4a GIT binary patch literal 5120 zcmeHK-)|g89sln6M{PHDlaz!eZDD#&p*8XPY+uq#uoM3{Cmh&`lXKkA9&+~f=FZ#f z?OtbguRcJ?6#}Ue4?#kr`~gT*L~4a9s6dDccn#_cJhf8WhYBG?dFT@l4WF6ay*nqt zMB%BZ-}8KDzCY$W-ygFx|bAJ6|HS?yg) z)BQ$Q_j?HX8T}dg#jci1zBgP9Kwz3cdFQqVsAz zM>Nwm5(`y#g=h~t2ECl3?-p3(exg1A`YQ>6-VFFwfPUsaAcm%5js3<*1HT@>Th)ZS7Y?2j++tI#e_|pz;b(zNM&-N{r}_eJXb;GP=^L zbnXU*Xe^z2;sI5+v4!GS7Yt?~sPCsi<7ld%ni|i-$OE*Dsr|(1eWRcLuJH|xzhNlOlNv8*{B6y@ zK*O*wq48^)^J97)npaYP(ThB)SB&zqm;Qv6=i!Axt4s-gNbeYFnUmOUdhHx3%U3-KuT2uqwQ6iK`teYnG_-;0%s4{(|2v zNambzT)xhQbbPNfD-kaGUe&3E!V2yv&U0xCr?FEAzZ;ILXI$j2wWUY$cH650IkAJ= z1&e;8C7jyk9Yytq<+VCy#bW3A&`al*B}BsMwMLubZ(EGfo4(UV?M# z3Wzmm#d5s1Hm|zeRxy)l2fj%7dB>`Gz6=~&CalD8!3((X8$~Xfj?HfqM;YUyEswSX z{J^$>I!Y+%eEB)78f~^8yz}Spj=Vg!czyWkgKz)itug9lhB45?$mqjh-#$f-D3lub z)i+D)hqCX!)JKN#=*WPfk6)tCsSkE7b?|9nHO~3o(w5D28P_(2|AI82cc1>&nL!Wl zl0_VXTJ5t2?QfTj{r(lkrZQ8Lgu{i7RHu%Wb9OZ|Ue07QUScm5*0)Qh`rmS1vR?73<>3 z(j|%SrNk?qb=9heCFzI4<|V-!zAWL3kv_i7M&o#Cm&BF)@^d9!=H0Z+Mx{)H@dc-x z8%-V&-JZtdLG-+8oj2v z0*r1gY>VwKCWd+!-^$c{CE5HB`ZKr;uFVl$?}1Vb*L$)Ut>b3d0A8Yt7!~kBI|sS| zd?tFW(QkV{{5V=ST08OKbZkf6Gl?W-QC{=b$sz$e4&EOeHa)76uT_qanzaV01+IkL zq5yh6s0d!`-2-27JA*GE@u+qOOMk_OVo;|2%TgI*qQl@Cv%}T~);$8P#Pd8XNV2sbjU9fj==m0W<5WT3JoEu&@qXPvtRdoZG2*m^wgDTP z(8p;59|yYZuR|&z?ZiKcn?2KR>Y2%)uQC{DT@QBLF0b#+4>R^my-D}O{xayAwyZMO zpq7rf2Cvm|emjrREAWfqC6hr@agD)Bx1FfM71*uAuE3imse;<8DyH-C8mhu7rX=Tz zQk5h6Ut_zhYq^SbeAFmJ9fPjS-K%{8-lUn$d%3HjOJO&A4a#72L+N=}T*8#&c;V1Iw#euJ7^Lbc@UM z=~Kf)!$UJx{5oSW;mO%_D7=%>-o%Scj@KPq_|mTi%kafZDWNB#}g-L?eIxmlWFGR&YMlIv~bzDj;-HWrqyVqCn5`h2xU<4s{UR2GnLl! zu(srOD6nQsgCqF!A^hZ(RpB)8Vytm_msY0}s|?VwgS*KN)gx+|H@VAPg=f>2EO<@- zDi>)MI`cN(N=ReXawU(0(ncok;7#KC#17wQCfZ4W!puZcp;Jl4KkYy98DP=>=DDXn M@sWHQz&&K(-(w3TEdT%j literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_exe_sha1.pdb new file mode 100644 index 0000000000000000000000000000000000000000..dc5a353d8d827c7dd51fa211474743a1b97fee8b GIT binary patch literal 19968 zcmeHNTWl0n7(QESFVI4_V!2dt!4kQ&dug}O5(VmRtBtG_TTCPy%IxlJS-U$^XJ&!M z2a6>7;3YixfH4@2Vgf{o(U_=^kZ4HsQ4C(t7gQ3B5o-+giTZzYDFfDxq?65ddj8G7 z|GCXM|K;4~+l^(Cimb|M%@+wo*01-)`g?pE{lQ@E{N>SpMpVX_hs3?aN0294Z3zDD z1`lk%T6uPo(_HmH2V)a+)pl<8vf+1c%Hmc8*=_rtIJa`{W|;Vnjf z!O>@TdDG{;XV%d~sp>uRTf@@H-6!f|&;2d;CJ%-8EH?MROK;Wfx*)!mYyR%}ciMNi zCO+L=QSFB9(d{-k75};8NoVx$<`@hqXDNcV*#h>5*ixV%WN4a+8 z+7;mY65;$TvMIh(6%{ourX*ol$mQdzoL7=!ToFfPH6D>ARnCfCBO@E)F+mcB#MGc9 zYT=H-bUvFM6c31l>Rurf?^EOUy37^ma^!lK4k;-oo`^@q zM1Cmlf24b$hx8Tq%gS)`V`P6umhRsd_ILQZR8`C+vZGy^reqR%O;ll&LpDK!l%WB6 zF+HWhKD!2jsey2V1`hdv0yQEkT1HgkmZiN?T6WMzikmfpWl6>yVF69J6EyYkD-&km z+r$IJYbaBL*?1FG-jwHACp^%2Dd_pe))69cD+Gj~f*8-$nh)wxq%`^-`})VDakCzg zMx97(5u&|@GH5&Axb!00VkV$1>g;VXE3CGe}{!v)Bo@Q-t+z<2K)oR zgWyw6bHf9Ozn`u1!dlD&kbU!|set9JuWuF;G7_a5*gP+uJ56l0#gv)Pn!G#vM^#PC zu@%?T{)n8-ib;)5Rn`BXD2YlY$?9$O+cMIV^!N>B1L6SDuKi~4}x%VHx(0h7yb=fB;KiGrkVk}B^jFppO&=vC=y56SC3ic<-ATh{8 zAIlENCcTtSA;!jF7wv0f)npwQKB^){IS6SVahP~E60qLo)q!#N2YcvBlCZ7alq6yY;O$oAO!!EQ-YMhE-kj6^$dJzK5UV-NM1 z2S5W`Yby(G2!cW`bdIsTyV5Xj6!!o;;G;7iYkNAf?gqHyR8c#e)pP8;hUu;*#CU&o z$b+~pWHm1>VwY2ObQ{J!*GJq;+-D1V1Lc(~jNLhKKw3ba63HA_4 zTUUB%0UXh9;)pEL6YT76>yDV+O!Ytgcr{b=c_}@B`@Eg*iwe?Emfj(vax$M2B~4w| z+S=9@ZcC(EgpT&kmT*XDYv~LogDst@v=9o0(jlR!=dkgkR|&<<+|WR*ddF(4?$8^}+3Eo0A+bO_;_0m|u+1_dxi=SG-vg9Zg2I%E{7@#lB6R5^{+Sx#e_*sB>5`J{T}lHRUPBD5)nXr|w^93Ms^3by zjq=#Vu-{^MoDoZip(@@RfeSAr#$jry3AGmy19yN9^~84&FDAa7m{V~)V4UT}8Hj58K_&NUnpYaD|;cB|&Klhe2qRcq{dyBIb`0ugHeW!pC{&BKh z4sZUj`_$OsWqWq)lQ{l+3QHEqU~hM literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.dll new file mode 100644 index 0000000000000000000000000000000000000000..7952d2ace995d1e93b8ecfb80759a25d394c5b95 GIT binary patch literal 4096 zcmeHKTWl0n82+a>%B@^PZXymX7(qJOwoB7`!EJX7ROrR-Qc*W)XLnDx1G6*3%q(<` zk@BF4kp$z5iElm$K4CP1Ccc@sXd3LMM?Pz!kC$HFc1byOd0T4I@KndO^R8Y{ zv$|#3zM2uLTeMWeQWHZ-wP5FjwsPgN?Pb%$eME#E7nQBId(5(F)M6 z?;z@$&%4`P4cxDYG-7_BGC{BTV#-JV2Rp8!aja#(F_NGXjccywW-*h##W3JPEkg@I z4Bl(5Fl`93uQZOvwwlmF5F_dhP37=M&MSa@tD$;It3+q&i4-Q@2Q=3_wu&9x1>N4{ zv%N~$68m)`sztPpNJm>Y8?Gl4_#75$d6j4#{7s>?Bz@Pg@*Yb}B32H!<#3Wr47iLf z`w#ag(7(cS*6lUz4CV|_SN5+XTFR5(l@3}T#KC&tNl)OMObf>s#Q32S^bNE^*;>;; zC5dBnLs><8q1Hf?^n=nsHzoc~;&Fv3yCv?E_>`olXa@9li9eE*cj+Ba25K(LMO3WH z>+)|kZ36C*<6+5oed9IAD)9drd|CtC0GVsbGTI5en%X4pmbgdaeuz>m{$;0}qOlsGQw2k9i}NlAH0;w+s7aB^{I9}*Zs~cE8?%HT?HZdXn&y}{skc$w)IG0_o*J-oMN{mh zf|s>j)5y^NqLJ(Iu`4n~Ur<71iut^rF~uw`ZWl%k&zM8&@jOw;n5C5AhefMoSI>!p z?jD=9lG5G0@b}^75-062qoT9VFvX~FJ;SzUwJOZGZA}>YqO1FNWG94|bq!}O6Mj2} zDK$ofsZYs~x6t;mi=1Trg^alElw2b}c}G^k(XG;~&PdVnje_7cu};P?4L`(9mONh+ zw6c&^4ig8F7O9t(GffJ#%AGbMCQOm#5J}7Wwp*bm3_Wkzo^NEm3aPSAzvTqR}V~z9q<3y`{wdrAO5NN`(LO|Rg}hBm6Uo6 z)~w-a6Qi2Oi!Y}~H$|_!(WuBvmuM>=$5hSw=Uv?yw5`6WtdNyTO}h3;Pl4PLd3v`f zv|*8S;5w5c8x&ewt%~}^c~xzXw6_uMRA_s9uDgAY-W_f2?C#pr8jW^$wd&myk=BW5 zwlk8`yY_UjaN^fuFTW8OS|B7)4D1vVR(+Imjve`h{j}}7ZLl$tx;mu8f}2DLxns+EGdo~rey9s={^uzCRU+CLyrM$U^8q2k zhMW!&F=T4+b~qBlyCL*`I#U}3XB1zKG2lKL!KfcEtwGHDf%gTkF8aLg=3jxGz*fcP zGi(^Z-x1!gVMt)2z^YCz>=<}Q2-vh}f@~?aU23Jk)j{>Z*U5*RjadK}>TbZO0-tWUqZCHlq-wS5oB1Yu9tuX zkFwGaXO5o(QeTH}f^x{4h2Ezq-l1cNwTQS(j6A$gbi56?K8+!}qmXvNosGKk9a?1c0_?hYgH*E4PhO5?sJsSOlw+yv4xVwPi0(J0VOg_b*tZd95%uyz znYvfIger2a=GvQIvHA7tk~%$z+LJlRAi@$d_D^~UdvQ>M{~3PkTwLUT&c8PUe*-t` BZF&Fz literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.pdb b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Fail/Managed_net48_full_sha1.pdb new file mode 100644 index 0000000000000000000000000000000000000000..f0bd65e04f198a8880c5135c0efce19471320db7 GIT binary patch literal 15872 zcmeHNU1%It6rOF>G|f-5wbYpSvy=w3>CWzEx9uiqW87^>sGC|+`yhjHc6K&hGdr`) z?6yWKQY`gN@{mHs7A+!bg;HM>g+LS)v0}lZM5-@76qI5Jl-Q@n^UdtEV@#G}#%?mb z2hQAcfA*Yv&bjmR-Mgurq-%zjEd~;yM02!H2^QYg>|o9MLL{^HK3I@nO`7 z9<&N}^+E*R>z09#T7s~%SdIC7_|0Nq?3YKjI7RrAU%m1>?m)jF#-+yjLbYZALn}vL(Zp_(Vk*a&!tO6*?=!DxB}}L%R0p@d&Bxcr*(>*Xbr*bp zTGtA)Ud+jcV0+lFW;K_5E8Ns>dyp$@uPfgU15}=%h1Np6hh(g|lf<(S98}|wnfU)l zp!K(~Z^~h2UOF5-3yVOA_YmWE_m+ns$B&Q<-7~GtmjsfLYpenE$yC~ewP25Z>*}X% z7zdsfp1oL;&CUSBaa65qA)B1ww2Yc{>8w>uISC z&3M~O=G|fuK>iQaMtr!{>$&>Z8@S7vMmqFAN_9LNz)#G34%|;|9QWs>Sr5Sx1H{&jB5D>rmK4=tC8rK2HK~-B)uOSbqazxPMbnv}7~j?zj77v~urn-$ zgPobI7zszR5wUaIPHsoY*Jo zTfYDNB-@zyZjx71JH~)9{w3mC;!VVBh(W*Xjh26H)hk`sQD=a7ihhA}z&6?kGS34^ z9w!;t5IDPNu-|4#L1 z!e&s72(bO1YD9hc*u?vued8~meBADtApZ>i-{O&$3kaOy|J%L7nY~I8VEDgMbiCgO z{Qs42=3@Xx{>-NHJJYZ9eR5^=$cwY@|H1ITdHC;n{C}8o|6lPx@M9}6@ITHFTZo|X%?-$!hnA&|hRsu6ggs@9ot76BH4YDVC1G<|Qv literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_exe_sha256.exe b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_exe_sha256.exe new file mode 100644 index 0000000000000000000000000000000000000000..e9add753487822039f4796fd917a1a8a848badc4 GIT binary patch literal 5120 zcmeHKUu+yl8UOYiyN*lTIM9-&O*>tu&^qZWPB^d~H|H2pPP*>x&Yd^e z+uiQ$xjqn)5q~5ekO~hK2wr%s)FP;;8bK=%0tpF4mHNn2c|n2)`Wo@j@SEA)yK@{& zpif1e^L#VkpZUITzHfHs^U8BCQ6CWD$~mbZF>AqIzwKXj$tc_WH{|ORc>} zI^C~L5)Fbf6jRTA79&G1pi96oWMaQDqX7wI+d&6iwmy3P+eC-eUw2H|;x!1&R%v58rZiFJV zfGOV!nDoR1m}&)hZ-m_SAt-&7J}X^EB+_jKqJ=IN&yLHuqDkK})K3*g^v8Y~y9{YP zVU;rX(uQbE&ph>j%-h&P`3no0)Pg4c+R7P|#`NU$)EPxy2c5onlF@O4G`5#4~Ko%ype^0=}X$K^1+3(NEHLZdY%8Q-VBXrsW&3j5B{TUaT5 z*QlB~NVgz80ysbq0}j#CfQMmA!ZQlaD_BzSSp~nWpb7XOIcolbf^7xA0XRSg-49&` zeUh?(kI=J#qx2l$N%}hAw1S^ga8c2}NZ$m#tSDbm(4rrMa*h4~DCk`}u#-j??yDxZ zFY}qUWAs!yC0a2(v%&4E$D>@nT5q{-m2dN^*fg`JPSfm)Z?{~2j+(;qL)WR%#g=2w zM>s6CR>Y~uYpq7Zthu~PTlAY7j&OF-=7r$Rn%iD?qF&JsIW%qFG{b9ME$e33;L!zK zX#7RLmyxcy;JAE)hr;o_?y8iz=zDdi(F)DzuIwTgR_Fw~neaPsT(#mdcg<}z6MJ>9 zg@}n2?PVlT@)<}ZkYC5^Nb|bOExBtltjG^jdeJc(o-ZQD5-BNFT=F6w`azk8TaLx|u;ZBV zu)~iJ1pL6kfjE*V=u+(}tj0&~I{)cderIm=Tjm?D&HUgdjw{o&!9GS>KPDq15*?Nx zGx+9LD;p2z-urGpY1;AOK}}u3M32djc0KdZmqIgG^}VHSi>pMgZ-)MhLWA6W>U-BU zI=*ilaTO}TPiu6flREahR~XAqW~Ydr*62hoo3GWUEPLFZF>~X&T6SjKte?hg%A7eh zeI`Gd&)T?TVRH(1EPg~KjgA?sOY5DZ`%IFYIo!i}xIX-;4y)*hz%|>eIOIp<8rI=3 z$jXT2-ucCAa+G(`_s}bN4=eI5>S^+x?QNIK#d6#Iz4f&*t@P^ENB$HXU6__TT|8U4 zBJjmjxb2zO%x0@1{8ni3O2`9WRPfCRA75t>oUZH}xQbu9T2YDKU(N{Z8jU0mopkVI zT1@nMo6OS(F-EJ4ez>&F)!|iF59fyM%7;s}+fNcJB=i4=A*0?(hAQePwzC#jQ#~7t zUo9MnogN~l>iphGRCLMN{5SH;cnn@D5WUq0p`^Xlm&0rWFH040i7sPSLWQ;pyaae5 zuGZ-71Mhzj+l_6fKAcbVKy~6(LcmZ|v<)&TgdPX=2Zv6N>f|e-6C_uygKL5+z&9y^ zoDVE+KR@s&e8uYwdI*k(x?r!STlh#cn(X{?RKuL;7^oU8LSGX(3mx~#vZS*R1Y(hRu zr|2{cP2zUz+Sq_Z2#IbCrtrE?b~-`7^jt8ltczqLNql z@6n&EuGYb};8rVy%>)M}1!Q5+qS0CK^Lb{2>^lVpN3K7($|uprQs;5;cmbiHISJQ90jd_m&=58>GwSdY!j< zZf0j@XWoyQ+1aPt5)LS`Du<$WughCnYHw+6v@dnK-FcH|HMBC4EXFL9EF|p2HOT@! z;lG*Sfz`iF8jN!puO6sj?EHAOo!cFcpKo8g;?SgHwjHf(aPD^khR~fLXs+x(u%LJRuivJrM-yLvlQ;Phjc7M8E+P-$VWy8!9e}7c^Ni_cZ zA9wf7%miO$q773%@L1>!z}U0|D8X|vTT3U##L zoOi8kYb2e;&9c(9WIcHyEK9d+s&v*k>r_?jZjbcWMWaf%Jr)&J7-pJX&>^VnK;8^p z)L~Py4njf);SwE8^8*E}M^vI=QS}+tHc27bR68kt#u$b*;lvnIX!5;8SVwTubi|BY zPq=fh+fo&mEARl`^Ue`K|G<|J z#EQ%K@BrfPWDXmw#XNxEC}0Rp1uSoEO|ljtEK$CYO|ap<{RE>erp#nkVq4eRuSUgg zHg_oR^vaQl7>LsIRCV4iN}>`Du!5xe=CIUDw_j4$CiX>9HY=%JTc;ul!LZcfY!lQj zmByaP%2{^y`zwAt^!h!YHSJ%Jll9K-z4zn37S=#@jAfHz&=vC=x?ZQH6WOnnx(N^q z{TX&3EzwFD%Vlf}?4o^bOAc8Fz(-aB$|1= zS`rU{Lbf=m%w6qaynl?9MSpo(1B>=8g@bjj>oeY7!>^tc?U3NvFQ{;VZ*AM*0vHy6EM+3sf+3NkopT%%v&; zS0}xPi%NS$4s_`Sp>RZ0U4d&r^=spq-2EsR_iLff2*fzJm&pW#M=2ab;y@%E6~Ni1)bOlKT$Ql1DinG5mLxL+T4y)x`@!31Uu!Msr?eF zzm3pL*Vx6d-(p}qBW@r-IlMQ57tSYG2~ZpgLb0g?@D9+SfG~q_Jz+Y5OKLp8Kg>*x zpVNI5TE?0fX}asn^)tr<{QrOE_;IZEg0mjy|Ho?dQl~fP|5NAdRE~u8&-tJ9;C~SJ zHUi$ct_3eLT%Q<|%lP$xoeun*|NqbUgR;nIxvI~5)0|W0{O^@dS@6G=M_+vz>|lT7 zVBkTArD@N`;=?^f^%b1|#aG{#esP_N{O?YR{b>1L@Q61N!2jMzm`_ONe`nKmF#$X= mo;M(@4gPly<>wOS5$puc|B@3@Bqb>thY!O&z&((D9{2~?mW{Ol literal 0 HcmV?d00001 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_sha256.dll b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA2004.EnableSecureSourceCodeHashing/Pass/Managed_net48_full_sha256.dll new file mode 100644 index 0000000000000000000000000000000000000000..9750f5eb5d1af0cb9cf45ed9aa5a8d5a3610b869 GIT binary patch literal 4096 zcmeHKTWl0n82)E_p@0;M6#)$nEhs46Y};*FP_gZ9sTF#myHvzA?ac1k?ZE8JI5P`f zO-%cMi9TUsOiYLmKFNcL30{cC7oSWF515$nh)*WO1bj2ZfZu;+Z*3_?e8hiy{&UWM zJOAZerei11Qv(q-qTRhqbQwLvfW-Gl3t+cC^=&JCx%SG=%gWI!J5zIpr#h~kceR3= z(JagMRb8lV(NYadO-v-!f}IuN4I9?&Dx01hCOWD#(CwRB7Avb=rw(qSp%f<0IlpdMiNw_*|6)m8O)?_0~m0j)}htG z0K5;o!n7gCzS1lj+iFFtg8`zUx~Uxgiuf7Ww-7Z^S|$3hiAZ7M13*V;&qj9eS?CTW zUl~%$me{W|(QqW(8|m#nz=oU11pW*Qb-qK?4u4OebtZk+u<{;Dn243b?L3|&2Lmo+ z=g9HV1o{Qc+gW$Wv~|oGpstLx6RqXRZKapC1aYt)c+wL%C)2|51u}}Ou3H7R!+I6srsjFwG^SZvUSwx1;YVXLxuR*#cyn4$Uq8JtW@n40 zI79_6W4orI(@4?C4*J*^deIk@5PC76*K||VXmPtRZFt5K+Mwr&f^L>lhF>pQCA(Ty z6g2mA%}Pph^TI!jyGxw4>lqcD!-grQh3gr%Rnw|4fbn$A?w@{NMvHL;Fvn1)}+O_n@g z6vAbpa5+pI#nnp{&YC6#dgU%WC32?7aF7(v__kZ2Ck!ob*`9A?yb7tZ(x~MN*LIS^ zJ!53V3U-hp;a2%U{oxq)3B)J#Q&>=LuS0DI7eDCUSb@ zKwn=D*ErVe#%+lo(WpY(!{fuL>dxF(uFi|NQDbnswY|zp7@lKlrE%=x&8(wVIVxmj zs5J4^xu1B%cOo80+JiS>Pml&COOQ`yWrBVxnMhvUdcN`Zli?%pzj0&!&aLRz9Bcew z`nZQ9krr7?JFOLpY0oaY8Ig8{V|!^F3eU#zbDaM4s%cBx`l+-m>*_LLC#%yh<;RNs zy2)deM=PQ7s0Eyvxa}rPb4)X=;7$=j?%cB8-Q6&=JlvHw9|{V;N<>@nye8xN`H(U| z&)>t+H7OH8+`%tOI_H44LsOwR>=p16(Dt!P03CHaN3LH&w3?JFi%?oxsCb@$1&=b) z4`+#=V^Uv(Z-TPOn}y!T*F_BD92F6liIGQhkn5p7>c;{R+-FKPmT73Xkf_DpjaNHT zZ3JI-K%TSbOIZuH%sP+%y$@md%AWDQ*bLi8VK*g8dPjJTb@S1P!l{A$u;y|j1 zD1wGt6W@}Y@0y*UvRT+Iz^;pLkxKRnYjZpkvVN0T!^V0= z)XuNV*n`+6RF&(t)aLT)Ew5cn>I@=!Pv$~Lq$OnTpY#xZ4bbBE7wtovc6atK&2G?!bhp9K#w4UxD5G(9b|zV~JF}g; z+b9+lF{V@~L4{IKSg|D_6%j;4DC9x!!j*j4XIu)m1_@avaCHoLE)e5f_-4*K|jJM0y_?r>bA zU1OWZJkT&80At`mZOPxZ?rmcsUfh9#=N z4vTzTRAWg+7||P~L{cQIU@qR*RGBDw5zyQ0q1*)}Bbr(Zj1k$HUx7|2BO1nk;8g-6 z-3R;-a0M{-$KRDhe=H+i><{FBt=CJZb^b_>FVD^Y7W{jw9q$P6I|ANV dApUOz*1sV@fs&;jXtq>4RZcxXJz%8={shm*hHU@< literal 0 HcmV?d00001 From 5a171d986145d01b4324df56264c37200f4e3103 Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Sun, 24 Jan 2021 11:16:19 -0300 Subject: [PATCH 8/9] addressing pr comments --- .../BA2004.EnableSecureSourceCodeHashing.cs | 39 +++++------------ src/BinaryParsers/BinaryParsers.csproj | 5 --- src/BinaryParsers/ChecksumAlgorithmType.cs | 26 ++++++++++++ .../PEBinary/PortableExecutable/PE.cs | 42 +++++++++++-------- .../PEBinary/ProgramDatabase/Pdb.cs | 11 ++--- 5 files changed, 64 insertions(+), 59 deletions(-) create mode 100644 src/BinaryParsers/ChecksumAlgorithmType.cs diff --git a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs index c664927ca..f8ea666c5 100644 --- a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs +++ b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs @@ -63,36 +63,17 @@ private void AnalyzeManagedAssemblyAndPdb(BinaryAnalyzerContext context) PEBinary target = context.PEBinary(); Pdb di = target.Pdb; - // Checking if it is full pdb - if (di.FileType == PdbFileType.Windows) + if (target.PE.ManagedPdbSourceFileChecksumAlgorithm(di.FileType) != ChecksumAlgorithmType.Sha256) { - if (!target.PE.IsChecksumAlgorithmSecureForFullPdb()) - { - // '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. - // SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. - // Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project - // property with 'SHA256' to enable secure source code hashing. - context.Logger.Log(this, - RuleUtilities.BuildResult(ResultKind.Fail, context, null, - nameof(RuleResources.BA2004_Error_Managed), - context.TargetUri.GetFileName())); - return; - } - } - else - { - if (!target.PE.IsChecksumAlgorithmSecureForPortablePdb()) - { - // '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. - // SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. - // Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project - // property with 'SHA256' to enable secure source code hashing. - context.Logger.Log(this, - RuleUtilities.BuildResult(ResultKind.Fail, context, null, - nameof(RuleResources.BA2004_Error_Managed), - context.TargetUri.GetFileName())); - return; - } + // '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. + // SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. + // Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project + // property with 'SHA256' to enable secure source code hashing. + context.Logger.Log(this, + RuleUtilities.BuildResult(ResultKind.Fail, context, null, + nameof(RuleResources.BA2004_Error_Managed), + context.TargetUri.GetFileName())); + return; } // '{0}' is a {1} binary which was compiled with a secure (SHA-256) diff --git a/src/BinaryParsers/BinaryParsers.csproj b/src/BinaryParsers/BinaryParsers.csproj index fd93ccb25..51ac93724 100644 --- a/src/BinaryParsers/BinaryParsers.csproj +++ b/src/BinaryParsers/BinaryParsers.csproj @@ -4,11 +4,6 @@ Microsoft.CodeAnalysis.BinaryParsers $(NetStandardVersion) - - - true - - true diff --git a/src/BinaryParsers/ChecksumAlgorithmType.cs b/src/BinaryParsers/ChecksumAlgorithmType.cs new file mode 100644 index 000000000..a4485aa96 --- /dev/null +++ b/src/BinaryParsers/ChecksumAlgorithmType.cs @@ -0,0 +1,26 @@ +// Copyright (c) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE file in the project root for full license information. + +namespace Microsoft.CodeAnalysis.BinaryParsers +{ + /// + /// Checksum Algorithm for managed binary. + /// + public enum ChecksumAlgorithmType + { + /// + /// Unknown format. + /// + Unknown, + + /// + /// SHA1 algorithm. + /// + Sha1, + + /// + /// SHA256 algorithm. + /// + Sha256, + } +} diff --git a/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs b/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs index 72041ef0e..d37842dc5 100644 --- a/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs +++ b/src/BinaryParsers/PEBinary/PortableExecutable/PE.cs @@ -32,6 +32,8 @@ public class PE : IDisposable private PEReader peReader; internal SafePointer pImage; // pointer to the beginning of the file in memory private readonly MetadataReader metadataReader; + private const string sha256 = "8829d00f-11b8-4213-878b-770e8597ac16"; + private static readonly Guid sha256guid = new Guid(sha256); public PE(string fileName) { @@ -790,42 +792,46 @@ public bool IsWixBinary } } - public bool IsChecksumAlgorithmSecureForPortablePdb() + public ChecksumAlgorithmType ManagedPdbSourceFileChecksumAlgorithm(PdbFileType pdbFileType) { - const string sha256 = "8829d00f-11b8-4213-878b-770e8597ac16"; - var sha256guid = new Guid(sha256); + return pdbFileType == PdbFileType.Windows + ? ChecksumAlgorithmForFullPdb() + : ChecksumAlgorithmForPortablePdb(); + } - if (this.peReader.TryOpenAssociatedPortablePdb( + private ChecksumAlgorithmType ChecksumAlgorithmForPortablePdb() + { + if (!this.peReader.TryOpenAssociatedPortablePdb( this.FileName, filePath => File.Exists(filePath) ? File.OpenRead(filePath) : null, out MetadataReaderProvider pdbProvider, out _)) { - MetadataReader metadataReader = pdbProvider.GetMetadataReader(); - foreach (DocumentHandle document in metadataReader.Documents) - { - Document doc = metadataReader.GetDocument(document); + return ChecksumAlgorithmType.Unknown; + } - Guid hashGuid = metadataReader.GetGuid(doc.HashAlgorithm); + MetadataReader metadataReader = pdbProvider.GetMetadataReader(); + foreach (DocumentHandle document in metadataReader.Documents) + { + Document doc = metadataReader.GetDocument(document); - return hashGuid == sha256guid; - } + Guid hashGuid = metadataReader.GetGuid(doc.HashAlgorithm); + + return hashGuid == sha256guid ? ChecksumAlgorithmType.Sha256 : ChecksumAlgorithmType.Sha1; } - return false; + return ChecksumAlgorithmType.Unknown; } - public bool IsChecksumAlgorithmSecureForFullPdb() + private ChecksumAlgorithmType ChecksumAlgorithmForFullPdb() { - const string sha256 = "8829d00f-11b8-4213-878b-770e8597ac16"; - var sha256guid = new Guid(sha256); string fileName = Path.GetFileName(this.FileName); string extension = Path.GetExtension(fileName); string pdbPath = this.FileName.Replace(fileName, fileName.Replace(extension, ".pdb")); if (!File.Exists(pdbPath)) { - return false; + return ChecksumAlgorithmType.Unknown; } using var pdbStream = new FileStream(pdbPath, FileMode.Open, FileAccess.Read); @@ -840,7 +846,7 @@ public bool IsChecksumAlgorithmSecureForFullPdb() foreach (ISymUnmanagedDocument document in reader.GetDocuments()) { document.GetChecksumAlgorithmId(ref algorithm); - return algorithm == sha256guid; + return algorithm == sha256guid ? ChecksumAlgorithmType.Sha256 : ChecksumAlgorithmType.Sha1; } } finally @@ -848,7 +854,7 @@ public bool IsChecksumAlgorithmSecureForFullPdb() _ = ((ISymUnmanagedDispose)reader).Destroy(); } - return false; + return ChecksumAlgorithmType.Unknown; } } } diff --git a/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs b/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs index ad7882a4d..eed7fe2e4 100644 --- a/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs +++ b/src/BinaryParsers/PEBinary/ProgramDatabase/Pdb.cs @@ -398,18 +398,15 @@ public string PdbLocation get { string path = this.session.globalScope.symbolsFileName; - if (File.Exists(path)) + if (File.Exists(path) && !Directory.Exists(path)) { return path; } - if (Directory.Exists(path)) + string extension = Path.GetExtension(this.peOrPdbPath); + if (File.Exists(this.peOrPdbPath.Replace(extension, ".pdb"))) { - string extension = Path.GetExtension(this.peOrPdbPath); - if (File.Exists(this.peOrPdbPath.Replace(extension, ".pdb"))) - { - return this.peOrPdbPath.Replace(extension, ".pdb"); - } + return this.peOrPdbPath.Replace(extension, ".pdb"); } return path; From 3c8b34919525eeb2f0515e487fabab0c80b1c672 Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Sun, 24 Jan 2021 11:32:53 -0300 Subject: [PATCH 9/9] Moving from NotApplicable to FailureLevel = Error --- .../BA2004.EnableSecureSourceCodeHashing.cs | 8 -- .../Expected/BinSkim.win-x64.ni.dll.sarif | 2 +- .../Expected/BinSkim.win-x86.ni.dll.sarif | 2 +- .../Expected/Binskim.linux-x64.dll.sarif | 121 +++++++----------- .../Expected/Binskim.win-x64.RTR.dll.sarif | 2 +- .../Expected/Binskim.win-x64.dll.sarif | 121 +++++++----------- .../Expected/Binskim.win-x86.RTR.dll.sarif | 2 +- .../Expected/Binskim.win-x86.dll.sarif | 121 +++++++----------- ...InteropAssemblyForAtlTestLibrary.dll.sarif | 121 +++++++----------- .../Expected/ManagedResourcesOnly.dll.sarif | 121 +++++++----------- .../MixedMode_x64_VS2013_NoPdb.exe.sarif | 107 ++++++---------- .../MixedMode_x86_VS2013_MissingPdb.dll.sarif | 105 ++++++--------- 12 files changed, 309 insertions(+), 524 deletions(-) diff --git a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs index f8ea666c5..5fc964f5c 100644 --- a/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs +++ b/src/BinSkim.Rules/PERules/BA2004.EnableSecureSourceCodeHashing.cs @@ -35,14 +35,6 @@ public class EnableSecureSourceCodeHashing : WindowsBinaryAndPdbSkimmerBase, IOp public override AnalysisApplicability CanAnalyzePE(PEBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) { - Pdb di = target.Pdb; - - if (target.PE.IsManaged && di == null) - { - reasonForNotAnalyzing = MetadataConditions.CouldNotLoadPdb; - return AnalysisApplicability.NotApplicableToSpecifiedTarget; - } - reasonForNotAnalyzing = null; return AnalysisApplicability.ApplicableToSpecifiedTarget; } diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif index 2c3096bb7..60748828d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif @@ -38,7 +38,7 @@ "arguments": [ "BinSkim.win-x64.ni.dll", "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "image is a managed IL library (i.e., ahead of time compiled) assembly" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif index 71424c657..00096bf51 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif @@ -62,7 +62,7 @@ "arguments": [ "BinSkim.win-x86.ni.dll", "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "image is a managed IL library (i.e., ahead of time compiled) assembly" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif index a2d8f2d1b..c58554b0b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.linux-x64.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -654,34 +630,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1294,7 +1242,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll" + } + } + } + ], + "message": { + "text": "'Binskim.linux-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif index f453aa1c9..89a865ad3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif @@ -38,7 +38,7 @@ "arguments": [ "Binskim.win-x64.RTR.dll", "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "image is a managed IL library (i.e., ahead of time compiled) assembly" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif index 2e7536457..e7b0f7b2d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.win-x64.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -654,34 +630,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1294,7 +1242,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll" + } + } + } + ], + "message": { + "text": "'Binskim.win-x64.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif index b01e1a094..43e6ae227 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif @@ -62,7 +62,7 @@ "arguments": [ "Binskim.win-x86.RTR.dll", "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" + "image is a managed IL library (i.e., ahead of time compiled) assembly" ] }, "locations": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif index 070fe7bf3..8599c940f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "Binskim.win-x86.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -460,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -482,7 +458,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -504,7 +480,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -526,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -548,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -570,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -650,34 +626,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1290,7 +1238,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll" + } + } + } + ], + "message": { + "text": "'Binskim.win-x86.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif index a8fff69ca..58b6243cd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "ManagedInteropAssemblyForAtlTestLibrary.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -460,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -482,7 +458,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -504,7 +480,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -526,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -548,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -570,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -650,34 +626,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1290,7 +1238,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll" + } + } + } + ], + "message": { + "text": "'ManagedInteropAssemblyForAtlTestLibrary.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif index dce8b1e01..32d50b831 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif @@ -52,33 +52,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "ManagedResourcesOnly.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2006", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +222,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +246,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +270,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +294,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +318,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +342,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +366,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -414,7 +390,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +414,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 18, + "ruleIndex": 17, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +438,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +462,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -508,7 +484,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -530,7 +506,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 22, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -552,7 +528,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 23, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -574,7 +550,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 24, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -653,34 +629,6 @@ "equivalentBinScopeRuleReadableName": "ATLVersionCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2006", "fullDescription": { @@ -1293,7 +1241,30 @@ }, "invocations": [ { - "executionSuccessful": true + "toolConfigurationNotifications": [ + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll" + } + } + } + ], + "message": { + "text": "'ManagedResourcesOnly.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + } + ], + "executionSuccessful": false } ], "artifacts": [ diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif index 8801f2be0..e7455252b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif @@ -4,33 +4,9 @@ "runs": [ { "results": [ - { - "ruleId": "BA2004", - "ruleIndex": 0, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "MixedMode_x64_VS2013_NoPdb.exe", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_NoPdb.exe", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 1, + "ruleIndex": 0, "kind": "notApplicable", "level": "none", "message": { @@ -54,7 +30,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -244,7 +220,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -266,7 +242,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -288,7 +264,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -310,7 +286,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -332,7 +308,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -354,7 +330,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -376,7 +352,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -398,7 +374,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -428,34 +404,6 @@ "product": "Microsoft.TestHost", "version": "15.0.0.0", "rules": [ - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -941,6 +889,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_NoPdb.exe" + } + } + } + ], + "message": { + "text": "'MixedMode_x64_VS2013_NoPdb.exe' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif index a407bc46d..2f0da5532 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif @@ -28,33 +28,9 @@ } ] }, - { - "ruleId": "BA2004", - "ruleIndex": 1, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "MixedMode_x86_VS2013_MissingPdb.dll", - "EnableSecureSourceCodeHashing", - "an exception occurred attempting to load its pdb" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2013_MissingPdb.dll", - "index": 0 - } - } - } - ] - }, { "ruleId": "BA2008", - "ruleIndex": 2, + "ruleIndex": 1, "kind": "notApplicable", "level": "none", "message": { @@ -78,7 +54,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 3, + "ruleIndex": 2, "kind": "notApplicable", "level": "none", "message": { @@ -102,7 +78,7 @@ }, { "ruleId": "BA3001", - "ruleIndex": 4, + "ruleIndex": 3, "kind": "notApplicable", "level": "none", "message": { @@ -126,7 +102,7 @@ }, { "ruleId": "BA3002", - "ruleIndex": 5, + "ruleIndex": 4, "kind": "notApplicable", "level": "none", "message": { @@ -150,7 +126,7 @@ }, { "ruleId": "BA3003", - "ruleIndex": 6, + "ruleIndex": 5, "kind": "notApplicable", "level": "none", "message": { @@ -174,7 +150,7 @@ }, { "ruleId": "BA3010", - "ruleIndex": 7, + "ruleIndex": 6, "kind": "notApplicable", "level": "none", "message": { @@ -198,7 +174,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 8, + "ruleIndex": 7, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +198,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 9, + "ruleIndex": 8, "kind": "pass", "level": "none", "message": { @@ -244,7 +220,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 10, + "ruleIndex": 9, "kind": "pass", "level": "none", "message": { @@ -266,7 +242,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 11, + "ruleIndex": 10, "kind": "pass", "level": "none", "message": { @@ -288,7 +264,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 12, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -310,7 +286,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 13, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -332,7 +308,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 14, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -354,7 +330,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 15, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -376,7 +352,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 16, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -398,7 +374,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 17, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -453,34 +429,6 @@ "equivalentBinScopeRuleReadableName": "FourGbCheck" } }, - { - "id": "BA2004", - "fullDescription": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md", - "help": { - "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." - }, - "messageStrings": { - "Pass": { - "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." - }, - "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "Error_Managed": { - "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." - }, - "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" - }, - "NotApplicable_InvalidMetadata": { - "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." - } - }, - "name": "EnableSecureSourceCodeHashing" - }, { "id": "BA2008", "fullDescription": { @@ -941,6 +889,27 @@ "id": "BA2002" } }, + { + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2013_MissingPdb.dll" + } + } + } + ], + "message": { + "text": "'MixedMode_x86_VS2013_MissingPdb.dll' was not evaluated for check 'EnableSecureSourceCodeHashing' because its PDB could not be loaded." + }, + "level": "error", + "descriptor": { + "id": "ERR997.ExceptionLoadingPdb" + }, + "associatedRule": { + "id": "BA2004" + } + }, { "locations": [ {