From d036ab22ef5a1fa82aaf796f31ae7cd4da38a842 Mon Sep 17 00:00:00 2001 
From: Shaopeng <81775155+shaopeng-gh@users.noreply.github.com> Date: Tue, 1 Jun 2021 14:31:47 -0700 Subject: [PATCH 1/4] BA3006.EnableNonExecutableStack --- .../BA3006.EnableNonExecutableStack.cs | 78 + src/BinSkim.Rules/RuleIds.cs | 1 + src/BinSkim.Rules/RuleResources.Designer.cs | 27 + src/BinSkim.Rules/RuleResources.resx | 9 + src/BinSkim.Sdk/MetadataConditions.cs | 1 + src/BinSkim.Sdk/SdkResources.Designer.cs | 9 + src/BinSkim.Sdk/SdkResources.resx | 3 + .../ELFBinary/ELF/ELFSegmentType.cs | 47 + src/BinaryParsers/ELFBinary/ELFBinary.cs | 8 + .../Expected/BinSkim.win-x64.ni.dll.sarif | 68 +- .../Expected/BinSkim.win-x86.ni.dll.sarif | 70 +- .../Expected/Binskim.linux-x64.dll.sarif | 62 +- .../Expected/Binskim.win-x64.RTR.dll.sarif | 68 +- .../Expected/Binskim.win-x64.dll.sarif | 62 +- .../Expected/Binskim.win-x86.RTR.dll.sarif | 70 +- .../Expected/Binskim.win-x86.dll.sarif | 66 +- ...ore_RTR_linux-x64_VS2019_Default.dll.sarif | 64 +- ...tCore_RTR_win-x64_VS2019_Default.dll.sarif | 64 +- ...tCore_RTR_win-x86_VS2019_Default.dll.sarif | 68 +- ...NetCore_linux-x64_VS2019_Default.dll.sarif | 64 +- ...otNetCore_win-x64_VS2019_Default.dll.sarif | 64 +- ...otNetCore_win-x64_VS2019_Default.exe.sarif | 72 +- ...otNetCore_win-x86_VS2019_Default.dll.sarif | 68 +- ...InteropAssemblyForAtlTestLibrary.dll.sarif | 66 +- .../Expected/ManagedResourcesOnly.dll.sarif | 62 +- ...aged_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif | 70 +- ...anaged_AnyCPU_VS2017_Prefer32Bit.exe.sarif | 68 +- .../Managed_x64_VS2015_FSharp.exe.sarif | 66 +- .../Expected/Managed_x86_VS2013_Wpf.exe.sarif | 68 +- .../Managed_x86_VS2015_FSharp.dll.sarif | 68 +- .../MixedMode_x64_VS2013_Default.dll.sarif | 88 +- .../MixedMode_x64_VS2013_NoPdb.exe.sarif | 70 +- .../MixedMode_x64_VS2015_Default.exe.sarif | 90 +- .../MixedMode_x86_VS2013_Default.exe.sarif | 92 +- .../MixedMode_x86_VS2013_MissingPdb.dll.sarif | 70 +- .../MixedMode_x86_VS2015_Default.exe.sarif | 92 +- ...ve_ARM_VS2015_CvtresResourceOnly.dll.sarif | 64 
+- .../Native_x64_VS2013_Default.dll.sarif | 88 +- ...ve_x64_VS2015_CvtresResourceOnly.dll.sarif | 64 +- .../Native_x64_VS2015_Default.dll.sarif | 90 +- ...ve_x64_VS2019_Atl_NoPdbGenerated.dll.sarif | 70 +- .../Native_x86_VS2013_Default.exe.sarif | 90 +- .../Native_x86_VS2013_PdbMissing.exe.sarif | 70 +- .../Native_x86_VS2013_ResourceOnly.dll.sarif | 66 +- ...Native_x86_VS2015_AtlProxyStubPS.dll.sarif | 92 +- ...ve_x86_VS2015_CvtresResourceOnly.dll.sarif | 64 +- .../Native_x86_VS2015_Default.exe.sarif | 92 +- .../Native_x86_VS2015_Default_Debug.dll.sarif | 92 +- ...ve_x86_VS2017_15.5.4_PdbStripped.dll.sarif | 72 +- .../Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif | 86 +- .../Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif | 66 +- .../Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif | 68 +- .../Expected/Uwp_ARM_VS2017_VB.dll.sarif | 66 +- ...wp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif | 68 +- .../Uwp_x64_VS2015_DefaultBlankApp.dll.sarif | 66 +- .../Uwp_x64_VS2015_DefaultBlankApp.exe.sarif | 70 +- .../Expected/Uwp_x64_VS2017_Cpp.dll.sarif | 88 +- .../Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif | 88 +- .../Uwp_x86_VS2015_DefaultBlankApp.dll.sarif | 68 +- .../Uwp_x86_VS2015_DefaultBlankApp.exe.sarif | 70 +- .../Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif | 88 +- .../Wix_3.11.1_VS2017_Bootstrapper.exe.sarif | 70 +- .../Expected/clang.default_compilation.sarif | 48 +- .../Expected/clang.execstack.sarif | 47 +- .../Expected/clang.execstack.so.sarif | 47 +- .../Expected/clang.immediate_binding.sarif | 48 +- .../Expected/clang.no_immediate_binding.sarif | 48 +- .../Expected/clang.no_stack_protector.sarif | 48 +- .../Expected/clang.noexecstack.sarif | 48 +- .../Expected/clang.noexecstack.so.sarif | 48 +- .../Expected/clang.non_pie_executable.sarif | 48 +- .../Expected/clang.object_file.o.sarif | 52 +- .../Expected/clang.pie_executable.sarif | 48 +- .../Expected/clang.relocationsro.sarif | 48 +- .../Expected/clang.relocationsrw.sarif | 48 +- .../Expected/clang.shared_library.so.sarif | 48 +- 
.../Expected/clang.stack_protector.sarif | 48 +- .../Expected/clang.stack_protector.so.sarif | 48 +- .../Expected/gcc.default_compilation.sarif | 50 +- .../Expected/gcc.execstack.sarif | 49 +- .../Expected/gcc.execstack.so.sarif | 49 +- .../Expected/gcc.fortified.sarif | 50 +- ...oworld.4.o.no-stack-clash-protection.sarif | 50 +- ...oworld.5.o.no-stack-clash-protection.sarif | 50 +- .../gcc.helloworld.execstack.5.o.sarif | 1534 ++++++++++++++++ .../Expected/gcc.helloworld.nodwarf.sarif | 50 +- .../gcc.helloworld.noexecstack.5.o.sarif | 1536 +++++++++++++++++ .../Expected/gcc.immediate_binding.sarif | 50 +- .../gcc.no_fortification_required.sarif | 50 +- .../Expected/gcc.no_immediate_binding.sarif | 50 +- .../Expected/gcc.no_stack_protector.sarif | 50 +- .../Expected/gcc.noexecstack.sarif | 50 +- .../Expected/gcc.noexecstack.so.sarif | 50 +- .../Expected/gcc.non_pie_executable.sarif | 50 +- .../Expected/gcc.object_file.o.sarif | 52 +- .../Expected/gcc.pie_executable.sarif | 50 +- .../Expected/gcc.relocationsro.sarif | 50 +- .../Expected/gcc.relocationsrw.sarif | 50 +- .../Expected/gcc.requiredsymbol.4.o.sarif | 50 +- .../Expected/gcc.requiredsymbol.5.o.sarif | 50 +- .../Expected/gcc.shared_library.so.sarif | 50 +- .../Expected/gcc.stack_protector.sarif | 50 +- .../Expected/gcc.stack_protector.so.sarif | 50 +- .../Expected/gcc.unfortified.sarif | 50 +- .../gcc.helloworld.execstack.5.o | Bin 0 -> 17656 bytes .../gcc.helloworld.noexecstack.5.o | Bin 0 -> 17656 bytes .../Fail/clang.helloworld.execstack.4.o | Bin 0 -> 17072 bytes .../Fail/gcc.helloworld.execstack.5.o | Bin 0 -> 17656 bytes .../Pass/clang.helloworld.noexecstack.4.o | Bin 0 -> 17072 bytes .../Pass/gcc.helloworld.noexecstack.5.o | Bin 0 -> 17656 bytes .../RuleTests.cs | 18 + 111 files changed, 8293 insertions(+), 824 deletions(-) create mode 100644 src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs create mode 100644 src/BinaryParsers/ELFBinary/ELF/ELFSegmentType.cs create mode 100644 
src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif create mode 100644 src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif create mode 100644 src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o create mode 100644 src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Fail/clang.helloworld.execstack.4.o create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Fail/gcc.helloworld.execstack.5.o create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Pass/clang.helloworld.noexecstack.4.o create mode 100644 src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Pass/gcc.helloworld.noexecstack.5.o diff --git a/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs b/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs new file mode 100644 index 000000000..3d9136ad1 --- /dev/null +++ b/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs 
@@ -0,0 +1,78 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections.Generic;
+using System.Composition;
+
+using ELFSharp.ELF.Segments;
+
+using Microsoft.CodeAnalysis.BinaryParsers;
+using Microsoft.CodeAnalysis.BinaryParsers.ELF;
+using Microsoft.CodeAnalysis.IL.Sdk;
+using Microsoft.CodeAnalysis.Sarif;
+using Microsoft.CodeAnalysis.Sarif.Driver;
+
+namespace Microsoft.CodeAnalysis.IL.Rules
+{
+ [Export(typeof(Skimmer)), Export(typeof(ReportingDescriptor))]
+ public class EnableNonExecutableStack : ELFBinarySkimmerBase
+ {
+ ///
+ /// BA3006
+ ///
+ public override string Id => RuleIds.EnableNonExecutableStack;
+
+ ///
+ /// This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow.
+ /// An application receives, from an attacker, more data than it is prepared for and stores this information on its stack,
+ /// writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack.
+ /// One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections
+ /// of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this.
+ ///
+ public override MultiformatMessageString FullDescription =>
+ new MultiformatMessageString { Text = RuleResources.BA3006_EnableNonExecutableStack_Description };
+
+ protected override IEnumerable MessageResourceNames => new string[] {
+ nameof(RuleResources.BA3006_Pass),
+ nameof(RuleResources.BA3006_Error),
+ nameof(RuleResources.NotApplicable_InvalidMetadata)
+ };
+
+ public override AnalysisApplicability CanAnalyzeElf(ELFBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+ {
+ reasonForNotAnalyzing = null;
+
+ if (target.GetSegmentFlags(ELFSegmentType.PT_GNU_STACK) == null)
+ {
+ reasonForNotAnalyzing = MetadataConditions.ElfNotContainSegment;
+ return AnalysisApplicability.NotApplicableToSpecifiedTarget;
+ }
+
+ reasonForNotAnalyzing = null;
+ return AnalysisApplicability.ApplicableToSpecifiedTarget;
+ }
+
+ public override void Analyze(BinaryAnalyzerContext context)
+ {
+ ELFBinary elfBinary = context.ELFBinary();
+
+ if ((elfBinary.GetSegmentFlags(ELFSegmentType.PT_GNU_STACK) & SegmentFlags.Execute) != 0)
+ {
+ // The non-executable stack is not enabled from this binary,
+ // so '{0}' can have vulnerability of execution of the data written on the stack.
+ // Ensure you are compiling with the compiler flags '-z noexecstack' to address this.
+ context.Logger.Log(this,
+ RuleUtilities.BuildResult(FailureLevel.Error, context, null,
+ nameof(RuleResources.BA3006_Error),
+ context.TargetUri.GetFileName()));
+ return;
+ }
+
+ // The enable non-executable stack flag was present, so '{0}' is protected.
+ context.Logger.Log(this,
+ RuleUtilities.BuildResult(ResultKind.Pass, context, null,
+ nameof(RuleResources.BA3006_Pass),
+ context.TargetUri.GetFileName()));
+ }
+ }
+}
diff --git a/src/BinSkim.Rules/RuleIds.cs b/src/BinSkim.Rules/RuleIds.cs
index e2f3d6824..3076b034d 100644
--- a/src/BinSkim.Rules/RuleIds.cs
+++ b/src/BinSkim.Rules/RuleIds.cs
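Review bot: `CanAnalyzeElf` returns `NotApplicableToSpecifiedTarget` whenever no `PT_GNU_STACK` program header is found, so a binary that lacks the header is never evaluated and produces no finding. On Linux the loader then falls back to a kernel- and architecture-dependent default, which on some platforms is an executable stack, so absence deserves at least a warning-level result rather than silence; this path also appears to cover relocatable objects, which carry the marking in a `.note.GNU-stack` section rather than a program header. `Analyze` depends on that guard implicitly: if `GetSegmentFlags` returned null there, the lifted `!= 0` comparison would be true and the rule would log an error, so reading the value once into `SegmentFlags? flags` and testing `flags.HasValue` explicitly would make the intent visible. The second `reasonForNotAnalyzing = null;` before the final return is redundant.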
@@ -48,6 +48,7 @@ internal static class RuleIds public const string EnableStackProtector = "BA3003"; public const string GenerateRequiredSymbolFormat = "BA3004"; public const string EnableStackClashProtection = "BA3005"; + public const string EnableNonExecutableStack = "BA3006"; // Skipping some check namespace (BA3004-3009) for future checks public const string EnableReadOnlyRelocations = "BA3010"; diff --git a/src/BinSkim.Rules/RuleResources.Designer.cs b/src/BinSkim.Rules/RuleResources.Designer.cs index f15ea81d5..4bdb419ab 100644 --- a/src/BinSkim.Rules/RuleResources.Designer.cs +++ b/src/BinSkim.Rules/RuleResources.Designer.cs 
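Review bot: The context comment directly below the new constant, `// Skipping some check namespace (BA3004-3009) for future checks`, no longer matches the list, since BA3004 and BA3005 are already assigned above it and this hunk takes BA3006. Changing it to `// Skipping some check namespace (BA3007-3009) for future checks` keeps the next author from picking an id that is in use. The `RuleIds` class body starts and ends outside the hunk.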
@@ -1103,6 +1103,33 @@ internal static string BA3005_Pass { } } + /// + /// Looks up a localized string similar to This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use [rest of string was truncated]";. + /// + internal static string BA3006_EnableNonExecutableStack_Description { + get { + return ResourceManager.GetString("BA3006_EnableNonExecutableStack_Description", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this.. + /// + internal static string BA3006_Error { + get { + return ResourceManager.GetString("BA3006_Error", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The enable non-executable stack flag was present, so '{0}' is protected.. + /// + internal static string BA3006_Pass { + get { + return ResourceManager.GetString("BA3006_Pass", resourceCulture); + } + } + /// /// Looks up a localized string similar to This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,relro' to enable this.. /// diff --git a/src/BinSkim.Rules/RuleResources.resx b/src/BinSkim.Rules/RuleResources.resx index 7b12de7ff..bc6b74d25 100644 
--- a/src/BinSkim.Rules/RuleResources.resx +++ b/src/BinSkim.Rules/RuleResources.resx @@ -526,4 +526,13 @@ Modules triggering this check were: The Stack Clash Protection was present, so '{0}' is protected. + + This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this. + + + The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this. + + + The enable non-executable stack flag was present, so '{0}' is protected. + \ No newline at end of file diff --git a/src/BinSkim.Sdk/MetadataConditions.cs b/src/BinSkim.Sdk/MetadataConditions.cs index a6cc0e047..6f873fa50 100644 --- a/src/BinSkim.Sdk/MetadataConditions.cs +++ b/src/BinSkim.Sdk/MetadataConditions.cs 
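Review bot: The `BA3006_Pass` text ends with "so '{0}' is protected", which claims more than the rule verifies; the check only shows that the `PT_GNU_STACK` header lacks the execute flag, and a non-executable stack is one mitigation among several. Wording such as `The stack is marked non-executable for '{0}'.` states what was actually observed. The description and error strings also call `-z noexecstack` a compiler flag, while it is a linker option that the compiler driver forwards, so naming it as such (or giving `-Wl,-z,noexecstack`) would be more accurate for users who invoke the linker separately. The same sentences are mirrored in the rule's comments, in RuleResources.Designer.cs and in the expected .sarif baselines, which would need regenerating after any wording change.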
@@ -15,6 +15,7 @@ public static class MetadataConditions public static readonly string ImageIsBootBinary = SdkResources.MetadataCondition_ImageIsBootBinary; public static readonly string ImageIs64BitBinary = SdkResources.MetadataCondition_ImageIs64BitBinary; public static readonly string ElfNotBuiltWithGcc = SdkResources.MetadataCondition_ElfNotBuiltWithGCC; + public static readonly string ElfNotContainSegment = SdkResources.MetadataCondition_ElfNotContainSegment; public static readonly string ImageIsILOnlyAssembly = SdkResources.MetadataCondition_ImageIsILOnlyAssembly; public static readonly string ImageIsNot32BitBinary = SdkResources.MetadataCondition_ImageIsNot32BitBinary; public static readonly string ImageIsNot64BitBinary = SdkResources.MetadataCondition_ImageIsNot64BitBinary; diff --git a/src/BinSkim.Sdk/SdkResources.Designer.cs b/src/BinSkim.Sdk/SdkResources.Designer.cs index c0ea0112c..7ba23df35 100644 --- a/src/BinSkim.Sdk/SdkResources.Designer.cs +++ b/src/BinSkim.Sdk/SdkResources.Designer.cs @@ -123,6 +123,15 @@ internal static string MetadataCondition_ElfNotBuiltWithGccV8OrLater { } } + /// + /// Looks up a localized string similar to ELF does not contain the segment to be analyzed. + /// + internal static string MetadataCondition_ElfNotContainSegment { + get { + return ResourceManager.GetString("MetadataCondition_ElfNotContainSegment", resourceCulture); + } + } + /// /// Looks up a localized string similar to image was compiled with a toolset version ({0}) that is not sufficiently recent ({1} or newer) to provide relevant settings. /// diff --git a/src/BinSkim.Sdk/SdkResources.resx b/src/BinSkim.Sdk/SdkResources.resx index 25255d0e3..dea398191 100644 --- a/src/BinSkim.Sdk/SdkResources.resx +++ b/src/BinSkim.Sdk/SdkResources.resx @@ -228,4 +228,7 @@ not compiled with gcc v8 or later + + ELF does not contain the segment to be analyzed + \ No newline at end of file 
diff --git a/src/BinaryParsers/ELFBinary/ELF/ELFSegmentType.cs b/src/BinaryParsers/ELFBinary/ELF/ELFSegmentType.cs
new file mode 100644
index 000000000..e1ee5d946
--- /dev/null
+++ b/src/BinaryParsers/ELFBinary/ELF/ELFSegmentType.cs
@@ -0,0 +1,47 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+namespace Microsoft.CodeAnalysis.BinaryParsers.ELF
+{
+ public enum ELFSegmentType : uint
+ {
+ PT_NULL = 0, // Unused segment.
+ PT_LOAD = 1, // Loadable segment.
+ PT_DYNAMIC = 2, // Dynamic linking information.
+ PT_INTERP = 3, // Interpreter pathname.
+ PT_NOTE = 4, // Auxiliary information.
+ PT_SHLIB = 5, // Reserved.
+ PT_PHDR = 6, // The program header table itself.
+ PT_TLS = 7, // The thread-local storage template.
+ PT_LOOS = 0x60000000, // Lowest operating system-specific pt entry type.
+ PT_HIOS = 0x6fffffff, // Highest operating system-specific pt entry type.
+ PT_LOPROC = 0x70000000, // Lowest processor-specific program hdr entry type.
+ PT_HIPROC = 0x7fffffff, // Highest processor-specific program hdr entry type.
+
+ // x86-64 program header types.
+ // These all contain stack unwind tables.
+ PT_GNU_EH_FRAME = 0x6474e550,
+ PT_SUNW_EH_FRAME = 0x6474e550,
+ PT_SUNW_UNWIND = 0x6464e550,
+
+ PT_GNU_STACK = 0x6474e551, // Indicates stack executability.
+ PT_GNU_RELRO = 0x6474e552, // Read-only after relocation.
+ PT_GNU_PROPERTY = 0x6474e553, // .note.gnu.property notes sections.
+
+ PT_OPENBSD_RANDOMIZE = 0x65a3dbe6, // Fill with random data.
+ PT_OPENBSD_WXNEEDED = 0x65a3dbe7, // Program does W^X violations.
+ PT_OPENBSD_BOOTDATA = 0x65a41be6, // Section for boot arguments.
+
+ // ARM program header types.
+ PT_ARM_ARCHEXT = 0x70000000, // Platform architecture compatibility info
+ // These all contain stack unwind tables.
+ PT_ARM_EXIDX = 0x70000001,
+ PT_ARM_UNWIND = 0x70000001,
+
+ // MIPS program header types.
+ PT_MIPS_REGINFO = 0x70000000, // Register usage information.
+ PT_MIPS_RTPROC = 0x70000001, // Runtime procedure table.
+ PT_MIPS_OPTIONS = 0x70000002, // Options segment.
+ PT_MIPS_ABIFLAGS = 0x70000003, // Abiflags segment.
+ }
+}
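Review bot: Several members of `ELFSegmentType` share a numeric value and nothing in the file says so: `PT_LOPROC`, `PT_ARM_ARCHEXT` and `PT_MIPS_REGINFO` are all `0x70000000`, `PT_ARM_EXIDX`, `PT_ARM_UNWIND` and `PT_MIPS_RTPROC` are all `0x70000001`, and `PT_GNU_EH_FRAME` equals `PT_SUNW_EH_FRAME`. Because `GetSegmentFlags` in ELFBinary.cs matches on the raw `uint`, a lookup for a processor-specific type will match any segment carrying that number regardless of the machine, and `ToString()` on these values is ambiguous. A comment on the enum such as `// Processor-specific values (PT_LOPROC..PT_HIPROC) overlap between architectures; interpret them against the ELF machine type.` would head off misuse. The heading `// x86-64 program header types.` also sits above values that fall in the `PT_LOOS`..`PT_HIOS` range, so they are OS-specific rather than processor-specific and the heading should say that.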
diff --git a/src/BinaryParsers/ELFBinary/ELFBinary.cs b/src/BinaryParsers/ELFBinary/ELFBinary.cs index 4eeda4f98..bcc89df4e 100644 --- a/src/BinaryParsers/ELFBinary/ELFBinary.cs +++ b/src/BinaryParsers/ELFBinary/ELFBinary.cs @@ -11,6 +11,7 @@ using ELFSharp.ELF.Segments; using Microsoft.CodeAnalysis.BinaryParsers.Dwarf; +using Microsoft.CodeAnalysis.BinaryParsers.ELF; namespace Microsoft.CodeAnalysis.BinaryParsers { @@ -113,6 +114,13 @@ public DwarfLanguage GetLanguage() return language.Key == DwarfAttribute.None ? DwarfLanguage.Unknown : ((DwarfLanguage)(language.Value.Constant)); } + public SegmentFlags? GetSegmentFlags(ELFSegmentType segmentType) + { + ISegment segment = ELF.Segments?.FirstOrDefault(s => (uint)s.Type == (uint)segmentType); + + return segment == null ? null : (SegmentFlags?)segment.Flags; + } + /// /// Gets the public symbols. /// diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif index 10a16f476..37b104323 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "BinSkim.win-x64.ni.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/BinSkim.win-x64.ni.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ 
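Review bot: `GetSegmentFlags` is added as a public method without the XML doc comment that the neighbouring `Gets the public symbols.` member has, and its null return folds two different cases together: `ELF.Segments` being null and no segment of the requested type being present. The BA3006 rule turns that null into "not applicable", so the contract should be written down, for example `/// Returns the flags of the first program header of the given type, or null when the binary has no such segment.` Only the first match is inspected, which suits `PT_GNU_STACK` but should be stated for types that can occur more than once, such as `PT_LOAD`. A short why-comment on the `(uint)s.Type == (uint)segmentType` cast would also help, since the reason for comparing raw values instead of enum members is not visible in the hunk.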
@@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -532,7 +556,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -554,7 +578,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -576,7 +600,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -598,7 +622,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -620,7 +644,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -642,7 +666,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -664,7 +688,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1169,6 +1193,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif index 3ca4f3c9d..4fb870fc0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif @@ -413,10 +413,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 17, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "BinSkim.win-x86.ni.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/BinSkim.win-x86.ni.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 18, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -438,7 +462,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +486,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -508,7 +532,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -530,7 +554,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -552,7 +576,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
@@ -574,7 +598,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -596,7 +620,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -618,7 +642,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -640,7 +664,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -662,7 +686,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1139,6 +1163,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif index 2a979ec8b..f03e7e6f8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif @@ -485,10 +485,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 20, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Binskim.linux-x64.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.linux-x64.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 21, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -510,7 +534,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -580,7 +604,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -602,7 +626,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -624,7 +648,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { 
@@ -646,7 +670,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
@@ -1207,6 +1231,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif index 4a10b62c2..24ed355d8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Binskim.win-x64.RTR.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.RTR.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -532,7 +556,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -554,7 +578,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
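Review bot: The new BA3006 rule text in this hunk calls `-z noexecstack` a compiler flag in `fullDescription`, `help` and the `Error` string, but it is a linker option, so a reader who adds it only to compile steps would see no effect. Wording such as `Link with '-z noexecstack' (for example '-Wl,-z,noexecstack' through the compiler driver) to enable this.` would be more accurate. The `Pass` string also overstates the result, since a non-executable stack stops execution of data written to the stack but not the overflow itself; `The non-executable stack flag was present, so '{0}' does not request an executable stack.` is a safer claim. The same strings repeat in the rule-metadata hunks of the other baseline files in this patch. These baselines presumably mirror the rule's resource strings, so the wording should be fixed there and the baselines regenerated.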
@@ -576,7 +600,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -598,7 +622,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -620,7 +644,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -642,7 +666,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -664,7 +688,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1169,6 +1193,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif index 7dd66678b..f29808b13 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif @@ -485,10 +485,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 20, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Binskim.win-x64.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x64.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 21, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -510,7 +534,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -580,7 +604,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -602,7 +626,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -624,7 +648,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { 
@@ -646,7 +670,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
@@ -1207,6 +1231,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif index c04c1ac1c..ecc187c54 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif @@ -413,10 +413,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 17, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Binskim.win-x86.RTR.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.RTR.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 18, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -438,7 +462,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +486,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -508,7 +532,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -530,7 +554,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { 
@@ -552,7 +576,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -574,7 +598,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -596,7 +620,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -618,7 +642,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -640,7 +664,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -662,7 +686,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1139,6 +1163,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif index 169f56f56..ae5acfbcd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Binskim.win-x86.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Binskim.win-x86.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -532,7 +556,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -554,7 +578,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -576,7 +600,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { 
@@ -598,7 +622,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -620,7 +644,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -642,7 +666,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
@@ -1150,6 +1174,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif index 7d786e099..642698055 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif @@ -485,10 +485,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 20, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "DotNetCore_RTR_linux-x64_VS2019_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_linux-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 21, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -510,7 +534,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -581,7 +605,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -603,7 +627,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { 
@@ -625,7 +649,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -647,7 +671,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -669,7 +693,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1230,6 +1254,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif index 8956174a7..df36f43aa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif @@ -485,10 +485,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 20, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "DotNetCore_RTR_win-x64_VS2019_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_win-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 21, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -510,7 +534,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -581,7 +605,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -603,7 +627,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { 
@@ -625,7 +649,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -647,7 +671,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -669,7 +693,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1230,6 +1254,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif index 4718c9139..faf8a1fdc 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "DotNetCore_RTR_win-x86_VS2019_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_RTR_win-x86_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -533,7 +557,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -555,7 +579,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
@@ -577,7 +601,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -599,7 +623,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -621,7 +645,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -643,7 +667,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -665,7 +689,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1173,6 +1197,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif index 38951617c..567a4806f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif @@ -485,10 +485,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 20, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "DotNetCore_linux-x64_VS2019_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_linux-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 21, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -510,7 +534,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -581,7 +605,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -603,7 +627,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { 
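Review bot: The BA3006 text added in this hunk (`fullDescription`, `help` and the `Error` message) calls `-z noexecstack` "compiler flags", but it is a linker option that the compiler driver only forwards. A reader who adds it to compile-only steps would likely see the rule keep failing. I would word the remediation as `Link with '-z noexecstack' (for example '-Wl,-z,noexecstack' when linking through the compiler driver) to enable this.` The same strings repeat in the BA3006 rule-metadata hunks of the other baseline files in this patch. Because these .sarif files are expected-output baselines, the wording presumably has to be changed in RuleResources.resx (listed in the diffstat) and the baselines regenerated, not edited here.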
@@ -625,7 +649,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -647,7 +671,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -669,7 +693,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1230,6 +1254,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif index b0eddac11..fa5d2c23a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif @@ -485,10 +485,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 20, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "DotNetCore_win-x64_VS2019_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x64_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 21, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -510,7 +534,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -581,7 +605,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -603,7 +627,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { 
@@ -625,7 +649,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -647,7 +671,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -669,7 +693,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1230,6 +1254,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif index e984d664e..630be6a99 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif @@ -389,10 +389,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 16, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "DotNetCore_win-x64_VS2019_Default.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x64_VS2019_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 17, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -414,7 +438,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "notApplicable", "level": "none", "message": { @@ -438,7 +462,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +486,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -484,7 +508,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -506,7 +530,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { 
@@ -528,7 +552,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -550,7 +574,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -572,7 +596,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -594,7 +618,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -616,7 +640,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -638,7 +662,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -660,7 +684,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1106,6 +1130,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif index b9cd1f5a1..a01d6e03f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "DotNetCore_win-x86_VS2019_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/DotNetCore_win-x86_VS2019_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -533,7 +557,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -555,7 +579,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
@@ -577,7 +601,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -599,7 +623,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -621,7 +645,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -643,7 +667,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -665,7 +689,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1173,6 +1197,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif index 5449476ef..1f17a7187 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "ManagedInteropAssemblyForAtlTestLibrary.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedInteropAssemblyForAtlTestLibrary.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -532,7 +556,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -554,7 +578,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
@@ -576,7 +600,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -598,7 +622,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -620,7 +644,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -642,7 +666,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
@@ -1150,6 +1174,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif index 6ce5f480f..b1247d31a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif @@ -485,10 +485,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 20, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "ManagedResourcesOnly.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/ManagedResourcesOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 21, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -510,7 +534,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -580,7 +604,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -602,7 +626,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { 
@@ -624,7 +648,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -646,7 +670,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { 
@@ -1206,6 +1230,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif index 75dc941ba..410ea4ead 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif @@ -413,10 +413,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 17, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 18, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -438,7 +462,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +486,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 20, + "ruleIndex": 21, "message": { "id": "Error_Managed", "arguments": [ @@ -506,7 +530,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -528,7 +552,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { 
@@ -550,7 +574,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 23, + "ruleIndex": 24, "level": "error", "message": { "id": "Error_NoHighEntropyVA", @@ -571,7 +595,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -593,7 +617,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -615,7 +639,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -637,7 +661,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -659,7 +683,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1136,6 +1160,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif index 3ce0130f9..a9d17df8a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Managed_AnyCPU_VS2017_Prefer32Bit.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_AnyCPU_VS2017_Prefer32Bit.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 21, + "ruleIndex": 22, "message": { "id": "Error_Managed", "arguments": [ @@ -530,7 +554,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -552,7 +576,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
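Review bot: The BA3006 rule descriptor added in the `@@ -1136,6 +1160,28 @@` hunk of Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif calls `-z noexecstack` a compiler flag in `fullDescription`, `help` and the `Error` message, but the option only takes effect at link time, so adding it to compile-only flags changes nothing. I would reword the closing sentence to `Link with '-z noexecstack' (for example '-Wl,-z,noexecstack' through the compiler driver) to enable this.` The `Pass` string `so '{0}' is protected` also overstates the result, because a non-executable stack only stops injected data on the stack from being run; `so the stack of '{0}' is marked non-executable` would be more accurate. This baseline looks like generated output, so the wording presumably has to change in src/BinSkim.Rules/RuleResources.resx with the Expected/*.sarif files regenerated. The same text repeats in the rule-descriptor hunk of every baseline in this patch.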
@@ -574,7 +598,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -596,7 +620,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -618,7 +642,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -640,7 +664,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -662,7 +686,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1170,6 +1194,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif index d1811d71d..8070a4c51 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif @@ -461,10 +461,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 19, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Managed_x64_VS2015_FSharp.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x64_VS2015_FSharp.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 20, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -486,7 +510,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 22, + "ruleIndex": 23, "message": { "id": "Error_Managed", "arguments": [ @@ -554,7 +578,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -576,7 +600,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { 
@@ -598,7 +622,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -620,7 +644,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -642,7 +666,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -664,7 +688,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1194,6 +1218,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif index 996e4449e..fa0243f68 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Managed_x86_VS2013_Wpf.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2013_Wpf.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 21, + "ruleIndex": 22, "message": { "id": "Error_Managed", "arguments": [ @@ -530,7 +554,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -552,7 +576,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
@@ -574,7 +598,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -596,7 +620,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -618,7 +642,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -640,7 +664,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -662,7 +686,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1170,6 +1194,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif index 31f1f382e..51434efa2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Managed_x86_VS2015_FSharp.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Managed_x86_VS2015_FSharp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 21, + "ruleIndex": 22, "message": { "id": "Error_Managed", "arguments": [ @@ -530,7 +554,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -552,7 +576,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
@@ -574,7 +598,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -596,7 +620,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -618,7 +642,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -640,7 +664,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -662,7 +686,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1170,6 +1194,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif index f6c1c8074..2637b236d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif @@ -221,10 +221,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 9, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x64_VS2013_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 10, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -246,7 +270,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -316,7 +340,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -338,7 +362,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 14, + "ruleIndex": 15, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -359,7 +383,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 14, + "ruleIndex": 15, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -381,7 +405,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -403,7 +427,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -426,7 +450,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -449,7 +473,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -471,7 +495,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -493,7 +517,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -515,7 +539,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -537,7 +561,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -559,7 +583,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -581,7 +605,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -603,7 +627,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -625,7 +649,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -649,7 +673,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -671,7 +695,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -923,6 +947,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif index 77e28d9aa..68d0e07b6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x64_VS2013_NoPdb.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2013_NoPdb.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -314,7 +338,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { 
@@ -336,7 +360,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -358,7 +382,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -380,7 +404,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -402,7 +426,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -424,7 +448,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -446,7 +470,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { 
@@ -671,6 +695,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif index 922e50bbc..486deb82e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x64_VS2015_Default.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x64_VS2015_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -314,7 +338,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 13, + "ruleIndex": 14, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -335,7 +359,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 13, + "ruleIndex": 14, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -357,7 +381,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -379,7 +403,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -402,7 +426,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -425,7 +449,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -447,7 +471,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -469,7 +493,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -491,7 +515,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -513,7 +537,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -535,7 +559,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -557,7 +581,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -579,7 +603,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -601,7 +625,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -623,7 +647,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -647,7 +671,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { 
@@ -669,7 +693,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -890,6 +914,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif index f487693cf..86968d9ec 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif @@ -173,10 +173,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 7, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x86_VS2013_Default.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2013_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 8, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -198,7 +222,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -268,7 +292,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ @@ -289,7 +313,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", 
@@ -311,7 +335,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -333,7 +357,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -356,7 +380,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -379,7 +403,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -401,7 +425,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -423,7 +447,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -445,7 +469,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -467,7 +491,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -489,7 +513,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -511,7 +535,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 21, + "ruleIndex": 22, "level": "error", "message": { "id": "Error_NeitherHighEntropyVANorLargeAddressAware", @@ -532,7 +556,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -554,7 +578,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -576,7 +600,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -598,7 +622,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -620,7 +644,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { 
@@ -644,7 +668,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -666,7 +690,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -859,6 +883,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif index cb44d8bad..6dc251149 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x86_VS2013_MissingPdb.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2013_MissingPdb.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -314,7 +338,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { 
@@ -336,7 +360,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -358,7 +382,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -380,7 +404,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -402,7 +426,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -424,7 +448,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -446,7 +470,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { 
@@ -674,6 +698,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif index a278ed20e..4040d6595 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif @@ -173,10 +173,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 7, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "MixedMode_x86_VS2015_Default.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/MixedMode_x86_VS2015_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 8, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -198,7 +222,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -268,7 +292,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ @@ -289,7 +313,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", 
@@ -311,7 +335,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -333,7 +357,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -356,7 +380,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -379,7 +403,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -401,7 +425,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -423,7 +447,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -445,7 +469,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -467,7 +491,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -489,7 +513,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -511,7 +535,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 21, + "ruleIndex": 22, "level": "error", "message": { "id": "Error_NeitherHighEntropyVANorLargeAddressAware", @@ -532,7 +556,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -554,7 +578,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -576,7 +600,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -598,7 +622,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -620,7 +644,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { 
@@ -644,7 +668,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -666,7 +690,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -859,6 +883,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif index cb2123ba6..bd9d11118 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif @@ -461,10 +461,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 19, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_ARM_VS2015_CvtresResourceOnly.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_ARM_VS2015_CvtresResourceOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 20, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -486,7 +510,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -556,7 +580,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -578,7 +602,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { 
@@ -600,7 +624,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -622,7 +646,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -644,7 +668,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
@@ -1180,6 +1204,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif index b988288be..1da222857 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif @@ -221,10 +221,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 9, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x64_VS2013_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2013_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 10, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -246,7 +270,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -316,7 +340,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -338,7 +362,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 14, + "ruleIndex": 15, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -359,7 +383,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 14, + "ruleIndex": 15, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -381,7 +405,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -403,7 +427,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -426,7 +450,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -449,7 +473,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -471,7 +495,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -493,7 +517,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -515,7 +539,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -537,7 +561,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -559,7 +583,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -581,7 +605,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -603,7 +627,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -625,7 +649,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -649,7 +673,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -671,7 +695,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -923,6 +947,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif index c1693efef..9965a8195 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif @@ -461,10 +461,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 19, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x64_VS2015_CvtresResourceOnly.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2015_CvtresResourceOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 20, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -486,7 +510,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -556,7 +580,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -578,7 +602,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { 
@@ -600,7 +624,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -622,7 +646,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -644,7 +668,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
@@ -1180,6 +1204,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif index e80065ed0..efdad29de 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x64_VS2015_Default.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2015_Default.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -314,7 +338,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 13, + "ruleIndex": 14, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -335,7 +359,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 13, + "ruleIndex": 14, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -357,7 +381,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -379,7 +403,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -402,7 +426,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -425,7 +449,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 17, + "ruleIndex": 18, "level": "error", "message": { "id": "Error", @@ -446,7 +470,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -468,7 +492,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -490,7 +514,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -512,7 +536,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -556,7 +580,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -578,7 +602,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -600,7 +624,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "level": "error", "message": { "id": "Error", @@ -622,7 +646,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -646,7 +670,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { 
@@ -668,7 +692,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -892,6 +916,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif index dcc67a7fe..46b8caef9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x64_VS2019_Atl_NoPdbGenerated.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x64_VS2019_Atl_NoPdbGenerated.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -314,7 +338,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 13, + "ruleIndex": 14, "level": "error", "message": { "id": "Error", 
@@ -335,7 +359,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -357,7 +381,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -379,7 +403,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -401,7 +425,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -423,7 +447,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -445,7 +469,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { 
@@ -673,6 +697,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif index f8a78b6cb..35b57cb13 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2013_Default.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2013_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 12, + "ruleIndex": 13, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ @@ -313,7 +337,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 12, + "ruleIndex": 13, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", 
@@ -335,7 +359,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -357,7 +381,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -380,7 +404,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -403,7 +427,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -425,7 +449,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -447,7 +471,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -469,7 +493,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -491,7 +515,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -513,7 +537,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -535,7 +559,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -557,7 +581,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 23, + "ruleIndex": 24, "level": "error", "message": { "id": "Error", @@ -579,7 +603,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -601,7 +625,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "level": "error", "message": { "id": "Error", @@ -623,7 +647,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -647,7 +671,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { 
@@ -669,7 +693,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -893,6 +917,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif index c84962595..86802d5f3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2013_PdbMissing.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2013_PdbMissing.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -314,7 +338,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { 
@@ -336,7 +360,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -358,7 +382,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -380,7 +404,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 16, + "ruleIndex": 17, "level": "error", "message": { "id": "Error", @@ -402,7 +426,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -424,7 +448,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "level": "error", "message": { "id": "Error", @@ -446,7 +470,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { 
@@ -674,6 +698,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif index b9efe4fe5..a2c076737 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif @@ -461,10 +461,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 19, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2013_ResourceOnly.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2013_ResourceOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 20, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -486,7 +510,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -557,7 +581,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -579,7 +603,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { 
@@ -601,7 +625,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -623,7 +647,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -645,7 +669,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -667,7 +691,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1203,6 +1227,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif index 3a1ad1e59..6809a6910 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif @@ -173,10 +173,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 7, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2015_AtlProxyStubPS.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2015_AtlProxyStubPS.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 8, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -198,7 +222,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -268,7 +292,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -289,7 +313,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -311,7 +335,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -333,7 +357,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -356,7 +380,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 14, + "ruleIndex": 15, "level": "error", "message": { "id": "Error_InsufficientWarningLevel", @@ -380,7 +404,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 15, + "ruleIndex": 16, "level": "error", "message": { "id": "Error", @@ -401,7 +425,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -423,7 +447,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -445,7 +469,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -467,7 +491,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -489,7 +513,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -511,7 +535,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -533,7 +557,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -555,7 +579,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -577,7 +601,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -599,7 +623,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { 
@@ -621,7 +645,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -645,7 +669,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -667,7 +691,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -863,6 +887,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif index cbf7b5048..5a3b966eb 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif @@ -461,10 +461,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 19, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2015_CvtresResourceOnly.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2015_CvtresResourceOnly.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 20, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -486,7 +510,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -556,7 +580,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -578,7 +602,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { 
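Review bot: The BA3006 `fullDescription`, `help` and `Error` strings added in the `@@ -863,6 +887,28 @@` hunk describe `-z noexecstack` as "compiler flags", but it is a single linker option that the compiler driver only passes through. A reader who sets it in compile-only flags, or who links with the linker directly, is not told where the option has to go. Wording such as `Link with '-z noexecstack' (for example '-Wl,-z,noexecstack' when linking through the compiler driver) to enable this.` would be more precise. The `Pass` text "The enable non-executable stack flag was present" would also read more clearly as `The stack is marked non-executable, so '{0}' is protected.` The same strings recur in the later baselines of this patch (the `+1204`, `+886`, `+668`, `+975` and `+920` hunks), so the change presumably belongs in RuleResources.resx, with these expected files regenerated afterwards.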
@@ -600,7 +624,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -622,7 +646,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -644,7 +668,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
@@ -1180,6 +1204,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif index deaf2706d..08bbb4284 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif @@ -173,10 +173,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 7, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2015_Default.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2015_Default.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 8, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -198,7 +222,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -268,7 +292,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ @@ -289,7 +313,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", 
@@ -311,7 +335,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -333,7 +357,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -356,7 +380,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -379,7 +403,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 15, + "ruleIndex": 16, "level": "error", "message": { "id": "Error", @@ -400,7 +424,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -422,7 +446,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -444,7 +468,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -466,7 +490,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -488,7 +512,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -532,7 +556,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -554,7 +578,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 23, + "ruleIndex": 24, "level": "error", "message": { "id": "Error", @@ -576,7 +600,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -598,7 +622,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "level": "error", "message": { "id": "Error", @@ -620,7 +644,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { 
@@ -644,7 +668,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -666,7 +690,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -862,6 +886,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif index 8a26d5056..35a6544cf 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif @@ -173,10 +173,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 7, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2015_Default_Debug.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2015_Default_Debug.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 8, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -198,7 +222,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -268,7 +292,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -289,7 +313,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 11, + "ruleIndex": 12, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -311,7 +335,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -333,7 +357,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -356,7 +380,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -379,7 +403,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 15, + "ruleIndex": 16, "level": "error", "message": { "id": "Error", @@ -400,7 +424,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -422,7 +446,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -444,7 +468,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -466,7 +490,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -488,7 +512,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -532,7 +556,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -554,7 +578,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 23, + "ruleIndex": 24, "level": "error", "message": { "id": "Error", @@ -576,7 +600,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -598,7 +622,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 25, + "ruleIndex": 26, "level": "error", "message": { "id": "Error", 
@@ -620,7 +644,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -644,7 +668,7 @@ }, { "ruleId": "BA2024", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -666,7 +690,7 @@ }, { "ruleId": "BA2025", - "ruleIndex": 28, + "ruleIndex": 29, "message": { "id": "Warning", "arguments": [ 
@@ -862,6 +886,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif index 38a618900..aef7a649f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif @@ -173,10 +173,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 7, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Native_x86_VS2017_15.5.4_PdbStripped.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Native_x86_VS2017_15.5.4_PdbStripped.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 8, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -198,7 +222,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 8, + "ruleIndex": 9, "kind": "notApplicable", "level": "none", "message": { @@ -222,7 +246,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "pass", "level": "none", "message": { @@ -268,7 +292,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -290,7 +314,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { 
@@ -312,7 +336,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -334,7 +358,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -356,7 +380,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -378,7 +402,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -400,7 +424,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -422,7 +446,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -444,7 +468,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { 
@@ -644,6 +668,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif index dab7190b7..670521a79 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif @@ -245,10 +245,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 10, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_ARM64_VS2019_Cpp.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM64_VS2019_Cpp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 11, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -270,7 +294,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "notApplicable", "level": "none", "message": { @@ -318,7 +342,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -340,7 +364,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -362,7 +386,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 15, + "ruleIndex": 16, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -383,7 +407,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 15, + "ruleIndex": 16, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -405,7 +429,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -427,7 +451,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -450,7 +474,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -473,7 +497,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 19, + "ruleIndex": 20, "level": "error", "message": { "id": "Error", @@ -494,7 +518,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -516,7 +540,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -538,7 +562,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -560,7 +584,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -582,7 +606,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -604,7 +628,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -626,7 +650,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -648,7 +672,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -670,7 +694,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -951,6 +975,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif index b1ee8447d..b98d27f00 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif @@ -317,10 +317,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 13, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_ARM_VS2015_DefaultBlankApp.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 14, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -342,7 +366,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -412,7 +436,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -434,7 +458,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { 
@@ -456,7 +480,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -478,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -500,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -522,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { 
@@ -896,6 +920,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif index 45df2daad..9b9277638 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif @@ -221,10 +221,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 9, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_ARM_VS2015_DefaultBlankApp.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2015_DefaultBlankApp.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 10, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -246,7 +270,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -316,7 +340,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -338,7 +362,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { 
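Review bot: The BA3006 rule text added in the `@@ -896,6 +920,28 @@` hunk of Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif calls `-z noexecstack` a compiler flag, but it is a linker option, so a reader who adds it only to compile-only steps may not get the intended effect. The same strings repeat in the rule-metadata hunk of every other baseline in this patch. The Pass string also overstates the result: a non-executable stack keeps injected stack data from running, but it does not prevent the overflow itself or code-reuse attacks. These baselines only mirror the rule's resource strings (presumably RuleResources.resx, listed in the diffstat), so the wording should be fixed there and the baselines regenerated. Suggested wording is `Ensure you are linking with '-z noexecstack' (for example '-Wl,-z,noexecstack' through the compiler driver).` for the Error string and `The non-executable stack flag was present, so data written to the stack of '{0}' cannot be executed directly.` for the Pass string.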
@@ -360,7 +384,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -382,7 +406,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -404,7 +428,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -426,7 +450,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -448,7 +472,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { 
@@ -704,6 +728,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif index 0cde2d5c9..a6fbb18a9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif @@ -461,10 +461,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 19, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_ARM_VS2017_VB.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_ARM_VS2017_VB.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 20, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -486,7 +510,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "notApplicable", "level": "none", "message": { @@ -534,7 +558,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 22, + "ruleIndex": 23, "message": { "id": "Error_Managed", "arguments": [ @@ -554,7 +578,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -576,7 +600,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -598,7 +622,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { 
@@ -620,7 +644,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -642,7 +666,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -664,7 +688,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1200,6 +1224,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif index d3cd629e4..6f89561bb 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif @@ -437,10 +437,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 18, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -462,7 +486,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "notApplicable", "level": "none", "message": { @@ -510,7 +534,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 21, + "ruleIndex": 22, "message": { "id": "Error_Managed", "arguments": [ @@ -530,7 +554,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -552,7 +576,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { 
@@ -574,7 +598,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -596,7 +620,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -618,7 +642,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -640,7 +664,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -662,7 +686,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1170,6 +1194,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif index 32902ea3a..6bbe8ea10 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif @@ -317,10 +317,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 13, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x64_VS2015_DefaultBlankApp.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 14, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -342,7 +366,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "notApplicable", "level": "none", "message": { @@ -390,7 +414,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -412,7 +436,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -434,7 +458,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { 
@@ -456,7 +480,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -478,7 +502,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -500,7 +524,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -522,7 +546,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { 
@@ -896,6 +920,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif index d172d910c..a64ae4d7f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x64_VS2015_DefaultBlankApp.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2015_DefaultBlankApp.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -314,7 +338,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { 
@@ -336,7 +360,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -358,7 +382,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -380,7 +404,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -402,7 +426,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -424,7 +448,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -446,7 +470,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { 
@@ -671,6 +695,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif index 08eb94f42..dde795898 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif @@ -221,10 +221,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 9, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x64_VS2017_Cpp.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2017_Cpp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 10, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -246,7 +270,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -316,7 +340,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 13, + "ruleIndex": 14, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ @@ -337,7 +361,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 13, + "ruleIndex": 14, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", 
@@ -359,7 +383,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -381,7 +405,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -404,7 +428,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -427,7 +451,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 17, + "ruleIndex": 18, "level": "error", "message": { "id": "Error", @@ -448,7 +472,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -470,7 +494,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -492,7 +516,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -514,7 +538,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -536,7 +560,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -580,7 +604,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -602,7 +626,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -624,7 +648,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -646,7 +670,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -668,7 +692,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -921,6 +945,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif index a2b217373..74b4da1ae 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif @@ -221,10 +221,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 9, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x64_VS2019_Cpp_DirectX12.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x64_VS2019_Cpp_DirectX12.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 10, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -246,7 +270,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2001", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -316,7 +340,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { @@ -338,7 +362,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 14, + "ruleIndex": 15, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -359,7 +383,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 14, + "ruleIndex": 15, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -381,7 +405,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -403,7 +427,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -426,7 +450,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -449,7 +473,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 18, + "ruleIndex": 19, "level": "error", "message": { "id": "Error", @@ -470,7 +494,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -492,7 +516,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -514,7 +538,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -536,7 +560,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -580,7 +604,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -602,7 +626,7 @@ }, { "ruleId": "BA2015", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -624,7 +648,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -646,7 +670,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -668,7 +692,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -918,6 +942,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif index fb0aa365d..33c97dbb6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif @@ -293,10 +293,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 12, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x86_VS2015_DefaultBlankApp.dll", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.dll", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 13, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -318,7 +342,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "notApplicable", "level": "none", "message": { @@ -342,7 +366,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "notApplicable", "level": "none", "message": { @@ -366,7 +390,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -388,7 +412,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -410,7 +434,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { 
@@ -432,7 +456,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -454,7 +478,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -476,7 +500,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -498,7 +522,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -520,7 +544,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "notApplicable", "level": "none", "message": { 
@@ -866,6 +890,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif index d8b6da3ef..54d2da0f7 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif @@ -197,10 +197,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 8, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x86_VS2015_DefaultBlankApp.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2015_DefaultBlankApp.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -222,7 +246,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 9, + "ruleIndex": 10, "kind": "notApplicable", "level": "none", "message": { @@ -246,7 +270,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "pass", "level": "none", "message": { @@ -292,7 +316,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -314,7 +338,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 13, + "ruleIndex": 14, "kind": "pass", "level": "none", "message": { 
@@ -336,7 +360,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -358,7 +382,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -380,7 +404,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -402,7 +426,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 17, + "ruleIndex": 18, "kind": "pass", "level": "none", "message": { @@ -424,7 +448,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -446,7 +470,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { 
@@ -674,6 +698,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif index e7fd1bb8d..7881d20e2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif @@ -221,10 +221,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 9, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Uwp_x86_VS2017_Cpp_DirectX11.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Uwp_x86_VS2017_Cpp_DirectX11.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 10, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -246,7 +270,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 10, + "ruleIndex": 11, "kind": "notApplicable", "level": "none", "message": { @@ -270,7 +294,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 11, + "ruleIndex": 12, "kind": "notApplicable", "level": "none", "message": { @@ -294,7 +318,7 @@ }, { "ruleId": "BA2002", - "ruleIndex": 12, + "ruleIndex": 13, "kind": "pass", "level": "none", "message": { @@ -316,7 +340,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 13, + "ruleIndex": 14, "message": { "id": "Warning_NativeWithInsecureStaticLibraryCompilands", "arguments": [ 
@@ -337,7 +361,7 @@ }, { "ruleId": "BA2004", - "ruleIndex": 13, + "ruleIndex": 14, "level": "error", "message": { "id": "Error_NativeWithInsecureDirectCompilands", @@ -359,7 +383,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 14, + "ruleIndex": 15, "kind": "pass", "level": "none", "message": { @@ -381,7 +405,7 @@ }, { "ruleId": "BA2006", - "ruleIndex": 15, + "ruleIndex": 16, "kind": "pass", "level": "none", "message": { @@ -404,7 +428,7 @@ }, { "ruleId": "BA2007", - "ruleIndex": 16, + "ruleIndex": 17, "kind": "pass", "level": "none", "message": { @@ -427,7 +451,7 @@ }, { "ruleId": "BA2008", - "ruleIndex": 17, + "ruleIndex": 18, "level": "error", "message": { "id": "Error", @@ -448,7 +472,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "pass", "level": "none", "message": { @@ -470,7 +494,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "pass", "level": "none", "message": { @@ -492,7 +516,7 @@ }, { "ruleId": "BA2011", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -514,7 +538,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -536,7 +560,7 @@ }, { "ruleId": "BA2013", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { @@ -558,7 +582,7 @@ }, { "ruleId": "BA2014", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -580,7 +604,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -602,7 +626,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -624,7 +648,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -646,7 +670,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { 
@@ -668,7 +692,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -921,6 +945,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif index 2f4d100d3..383348127 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif @@ -413,10 +413,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 17, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "Wix_3.11.1_VS2017_Bootstrapper.exe", + "EnableNonExecutableStack", + "image is not an ELF binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Wix_3.11.1_VS2017_Bootstrapper.exe", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 18, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -438,7 +462,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 18, + "ruleIndex": 19, "kind": "notApplicable", "level": "none", "message": { @@ -462,7 +486,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 19, + "ruleIndex": 20, "kind": "notApplicable", "level": "none", "message": { @@ -486,7 +510,7 @@ }, { "ruleId": "BA2005", - "ruleIndex": 20, + "ruleIndex": 21, "kind": "pass", "level": "none", "message": { @@ -508,7 +532,7 @@ }, { "ruleId": "BA2009", - "ruleIndex": 21, + "ruleIndex": 22, "kind": "pass", "level": "none", "message": { @@ -530,7 +554,7 @@ }, { "ruleId": "BA2010", - "ruleIndex": 22, + "ruleIndex": 23, "kind": "pass", "level": "none", "message": { 
@@ -552,7 +576,7 @@ }, { "ruleId": "BA2012", - "ruleIndex": 23, + "ruleIndex": 24, "kind": "pass", "level": "none", "message": { @@ -574,7 +598,7 @@ }, { "ruleId": "BA2016", - "ruleIndex": 24, + "ruleIndex": 25, "kind": "pass", "level": "none", "message": { @@ -596,7 +620,7 @@ }, { "ruleId": "BA2018", - "ruleIndex": 25, + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -618,7 +642,7 @@ }, { "ruleId": "BA2019", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -640,7 +664,7 @@ }, { "ruleId": "BA2021", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { @@ -662,7 +686,7 @@ }, { "ruleId": "BA2022", - "ruleIndex": 28, + "ruleIndex": 29, "kind": "notApplicable", "level": "none", "message": { 
@@ -1139,6 +1163,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif index eec6a578b..d787c7271 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif @@ -621,7 +621,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -643,8 +643,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.default_compilation" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.default_compilation", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1376,6 +1398,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif index 5cbb53cb4..f6d2722a0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif @@ -620,8 +620,29 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.execstack" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.execstack", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -643,7 +664,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1375,6 +1396,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif index a03ff1395..899e31b42 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif @@ -621,8 +621,29 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.execstack.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.execstack.so", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 27, "kind": "pass", "level": "none", "message": { @@ -644,7 +665,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1376,6 +1397,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif index 89251f76c..846b1f830 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif @@ -621,7 +621,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -643,7 +643,7 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, "kind": "pass", "level": "none", @@ -663,6 +663,28 @@ } } ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.immediate_binding" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.immediate_binding", + "index": 0 + } + } + } + ] } ], "tool": { 
@@ -1377,6 +1399,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif index 850b07b00..c98b8ba91 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif @@ -621,7 +621,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -643,8 +643,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.no_immediate_binding" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.no_immediate_binding", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1376,6 +1398,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif index b0586af53..27cd03e54 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif @@ -621,7 +621,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -643,8 +643,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.no_stack_protector" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.no_stack_protector", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1376,6 +1398,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif index 48b2d2def..f6324a07f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif @@ -621,7 +621,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -643,8 +643,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.noexecstack" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.noexecstack", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1376,6 +1398,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif index a4c493771..747cee5ae 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif @@ -622,7 +622,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -644,8 +644,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.noexecstack.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.noexecstack.so", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1377,6 +1399,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif index 96d071288..1cb6882fe 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif @@ -621,7 +621,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -643,8 +643,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.non_pie_executable" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.non_pie_executable", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1376,6 +1398,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif index 0a245274a..220392a7f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif @@ -605,10 +605,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "clang.object_file.o", + "EnableNonExecutableStack", + "ELF does not contain the segment to be analyzed" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.object_file.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 26, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -630,7 +654,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -654,7 +678,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
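Review bot: The expected BA3006 result for clang.object_file.o in the `@@ -605,10 +605,34 @@` hunk is `notApplicable` with the reason `ELF does not contain the segment to be analyzed`, and that reason does not say the file type is what makes the check irrelevant. For a relocatable object this outcome is reasonable, since it has no program headers and its stack marking lives in the `.note.GNU-stack` section instead. The rule source is outside this hunk, so it is worth confirming that a linked executable or shared object that merely lacks a PT_GNU_STACK header does not take the same path, because some loaders treat a missing header as permission for an executable stack and the finding would be silently skipped. I would add a baseline for such a linked binary that expects `"level": "error"`, and make the object-file reason specific, e.g. `ELF is a relocatable object file and has no program headers`.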
@@ -1361,6 +1385,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif index 336df7039..b81a535c9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif @@ -622,7 +622,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -644,8 +644,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.pie_executable" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.pie_executable", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1377,6 +1399,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif index 6bcc46f9d..1438db1d4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif @@ -621,7 +621,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -643,8 +643,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.relocationsro" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.relocationsro", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1376,6 +1398,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif index c4c896e99..8609088f8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif @@ -621,8 +621,30 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.relocationsrw" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.relocationsrw", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -643,7 +665,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1375,6 +1397,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif index 1c830b650..fc8e6875e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif @@ -622,7 +622,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -644,8 +644,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.shared_library.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.shared_library.so", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1377,6 +1399,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif index 5ff7e829d..1d3288eb4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif @@ -622,7 +622,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -644,8 +644,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.stack_protector" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.stack_protector", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1377,6 +1399,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif index 0c30e836a..556c3140c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif @@ -623,7 +623,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -645,8 +645,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "clang.stack_protector.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/clang.stack_protector.so", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1378,6 +1400,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif index de81f85af..3dce0cf40 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,8 +620,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.default_compilation" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.default_compilation", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +664,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1346,6 +1368,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif index 4d3cdd285..8d6f0a310 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif @@ -597,8 +597,29 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "gcc.execstack" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.execstack", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -620,7 +641,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 26, + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -641,7 +662,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1345,6 +1366,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif index b38da6403..64812321c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif @@ -598,8 +598,29 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "gcc.execstack.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.execstack.so", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 26, "kind": "pass", "level": "none", "message": { @@ -621,7 +642,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 26, + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +663,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1346,6 +1367,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif index 95cfe004f..21f1fcad4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,8 +620,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.fortified" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.fortified", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +664,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { 
@@ -1347,6 +1369,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif index c61b9a27d..eec6dc345 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif @@ -617,7 +617,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -639,7 +639,7 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, "kind": "pass", "level": "none", @@ -661,10 +661,32 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA3011", "ruleIndex": 28, "kind": "pass", "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.4.o.no-stack-clash-protection" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.4.o.no-stack-clash-protection", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3030", + "ruleIndex": 29, + "kind": "pass", + "level": "none", "message": { "id": "Pass_NoCheckableFunctions", "arguments": [ 
@@ -1389,6 +1411,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif index 3f840b5ec..25860f421 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif @@ -618,7 +618,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -640,7 +640,7 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, "kind": "pass", "level": "none", @@ -662,10 +662,32 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA3011", "ruleIndex": 28, "kind": "pass", "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.5.o.no-stack-clash-protection" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.5.o.no-stack-clash-protection", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3030", + "ruleIndex": 29, + "kind": "pass", + "level": "none", "message": { "id": "Pass_NoCheckableFunctions", "arguments": [ 
@@ -1390,6 +1412,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif new file mode 100644 index 000000000..afdd7f7ba --- /dev/null +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif 
@@ -0,0 +1,1534 @@ +{ + "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json", + "version": "2.1.0", + "runs": [ + { + "results": [ + { + "ruleId": "BA2001", + "ruleIndex": 0, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "LoadImageAboveFourGigabyteAddress", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2002", + "ruleIndex": 1, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "DoNotIncorporateVulnerableDependencies", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2004", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableSecureSourceCodeHashing", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2005", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "DoNotShipVulnerableBinaries", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 4, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "BuildWithSecureTools", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2007", + "ruleIndex": 5, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableCriticalCompilerWarnings", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 6, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableControlFlowGuard", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2009", + "ruleIndex": 7, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableAddressSpaceLayoutRandomization", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2010", + "ruleIndex": 8, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "DoNotMarkImportsSectionAsExecutable", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2011", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableStackProtection", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2012", + "ruleIndex": 10, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "DoNotModifyStackProtectionCookie", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2013", + "ruleIndex": 11, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "InitializeStackProtection", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2014", + "ruleIndex": 12, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "DoNotDisableStackProtectionForFunctions", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2015", + "ruleIndex": 13, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableHighEntropyVirtualAddresses", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2016", + "ruleIndex": 14, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "MarkImageAsNXCompatible", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2018", + "ruleIndex": 15, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableSafeSEH", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2019", + "ruleIndex": 16, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "DoNotMarkWritableSectionsAsShared", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2021", + "ruleIndex": 17, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "DoNotMarkWritableSectionsAsExecutable", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2022", + "ruleIndex": 18, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "SignSecurely", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2024", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableSpectreMitigations", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2025", + "ruleIndex": 20, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.execstack.5.o", + "EnableShadowStack", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3001", + "ruleIndex": 21, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass_Executable", + "arguments": [ + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3002", + "ruleIndex": 22, + "level": "error", + "message": { + "id": "Error_StackExec", + "arguments": [ + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3003", + "ruleIndex": 23, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3004", + "ruleIndex": 24, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "5", + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { 
+ "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3005", + "ruleIndex": 25, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3006", + "ruleIndex": 26, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3030", + "ruleIndex": 29, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass_NoCheckableFunctions", + "arguments": [ + "gcc.helloworld.execstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o", + "index": 0 + } + } + } + ] + } + ], + "tool": { + "driver": { + "name": "testhost", + "version": "15.0.0.0", + "rules": [ + { + "id": "BA2001", + "fullDescription": { + "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security. ASLR compatibility mode reduces the number of locations to which ASLR may relocate the binary, reducing its effectiveness at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2001LoadImageAboveFourGigabyteAddress", + "help": { + "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security. ASLR compatibility mode reduces the number of locations to which ASLR may relocate the binary, reducing its effectiveness at mitigating memory corruption vulnerabilities. 
To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a 64-bit image with a base address that is >= 4 gigabytes, increasing the effectiveness of Address Space Layout Randomization (which helps prevent attackers from executing security-sensitive code in well-known locations)." + }, + "Error": { + "text": "'{0}' is a 64-bit image with a preferred base address below the 4GB boundary. Having a preferred base address below this boundary triggers a compatibility mode in Address Space Layout Randomization (ASLR) on recent versions of Windows that reduces the number of locations to which ASLR may relocate the binary. This reduces the effectiveness of ASLR at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "LoadImageAboveFourGigabyteAddress", + "properties": { + "equivalentBinScopeRuleReadableName": "FourGbCheck" + } + }, + { + "id": "BA2002", + "fullDescription": { + "text": "Binaries should not take dependencies on code with known security vulnerabilities." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2002DoNotIncorporateVulnerableDependencies", + "help": { + "text": "Binaries should not take dependencies on code with known security vulnerabilities." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' does not incorporate any known vulnerable dependencies, as configured by current policy." + }, + "Error": { + "text": "'{0}' was built with a version of {1} which is subject to the following issues: {2}. To resolve this, {3}. The source files that triggered this were: {4}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotIncorporateVulnerableDependencies", + "properties": { + "equivalentBinScopeRuleReadableName": "ATLVersionCheck" + } + }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). 
Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2004EnableSecureSourceCodeHashing", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, + { + "id": "BA2005", + "fullDescription": { + "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2005DoNotShipVulnerableBinaries", + "help": { + "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' is not known to be an obsolete binary that is vulnerable to one or more security problems." + }, + "Error": { + "text": "'{0}' appears to be an obsolete library (version {1}) for which there are known security vulnerabilities. To resolve this issue, obtain a version of {0} that is newer than version {2}. If this binary is not in fact {0}, ignore this warning." + }, + "Error_CouldNotParseVersion": { + "text": "Version information for '{0}' could not be parsed. The binary therefore could not be verified not to be an obsolete binary that is known to be vulnerable to one or more security problems." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotShipVulnerableBinaries", + "properties": { + "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" + } + }, + { + "id": "BA2006", + "fullDescription": { + "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2006BuildWithSecureTools", + "help": { + "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks." 
+ }, + "messageStrings": { + "Error": { + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + }, + "Error_BadModule": { + "text": "built with {0} compiler version {1} (Front end version {2})" + }, + "Pass": { + "text": "All linked modules of '{0}' satisfy configured policy (observed compilers: {1})." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "BuildWithSecureTools", + "properties": { + "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" + } + }, + { + "id": "BA2007", + "fullDescription": { + "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks. Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2007EnableCriticalCompilerWarnings", + "help": { + "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks. 
Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." + }, + "Error_WarningsDisabled": { + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + }, + "Error_InsufficientWarningLevel": { + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + }, + "Error_UnknownModuleLanguage": { + "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableCriticalCompilerWarnings", + "properties": { + "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" + } + }, + { + "id": "BA2008", + "fullDescription": { + "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations. CFG analyzes and discovers all indirect-call instructions at compilation and link time. It also injects a check that precedes every indirect call in code that ensures the target is an expected, safe location. If that check fails at runtime, the operating system will close the program." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2008EnableControlFlowGuard", + "help": { + "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations. CFG analyzes and discovers all indirect-call instructions at compilation and link time. It also injects a check that precedes every indirect call in code that ensures the target is an expected, safe location. If that check fails at runtime, the operating system will close the program." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' enables the control flow guard mitigation. As a result, the operating system will force an application to close if an attacker is able to redirect execution in the component to an unexpected location." 
+ }, + "Error": { + "text": "'{0}' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + }, + "NotApplicable_UnsupportedKernelModeVersion": { + "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." + } + }, + "name": "EnableControlFlowGuard", + "properties": { + "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" + } + }, + { + "id": "BA2009", + "fullDescription": { + "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. Configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2009EnableAddressSpaceLayoutRandomization", + "help": { + "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. Configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' is properly compiled to enable Address Space Layout Randomization, reducing an attacker's ability to exploit code in well-known locations." + }, + "Error_NotDynamicBase": { + "text": "'{0}' is not marked as DYNAMICBASE. This means that the binary is not eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. To resolve this issue, configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later." + }, + "Error_RelocsStripped": { + "text": "'{0}' is marked as DYNAMICBASE but relocation data has been stripped from the image, preventing address space layout randomization. " + }, + "Error_WinCENoRelocationSection": { + "text": "'{0}' is a Windows CE image but does not contain any relocation data, preventing Address Space Layout Randomization." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableAddressSpaceLayoutRandomization", + "properties": { + "equivalentBinScopeRuleReadableName": "DBCheck" + } + }, + { + "id": "BA2010", + "fullDescription": { + "text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. Because the loader will always mark the imports section as writable, it is therefore important to mark this section as non-executable. To resolve this issue, ensure that your program does not mark the imports section executable. 
Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2010DoNotMarkImportsSectionAsExecutable", + "help": { + "text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. Because the loader will always mark the imports section as writable, it is therefore important to mark this section as non-executable. To resolve this issue, ensure that your program does not mark the imports section executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' does not have an imports section that is marked as executable, helping to prevent the exploitation of code vulnerabilities." + }, + "Error": { + "text": "'{0}' has the imports section marked executable. Because the loader will always mark the imports section as writable, it is important to mark this section as non-executable, so that an attacker cannot place shellcode here. To resolve this issue, ensure that your program does not mark the imports section as executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "DoNotMarkImportsSectionAsExecutable", + "properties": { + "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" + } + }, + { + "id": "BA2011", + "fullDescription": { + "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that all modules compiled into the binary are compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2011EnableStackProtection", + "help": { + "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that all modules compiled into the binary are compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature enabled for all modules, making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities. " + }, + "Error": { + "text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature disabled in one or more modules. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that your code is compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line. 
The affected modules were: {1}" + }, + "Error_UnknownModuleLanguage": { + "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the stack protector buffer security features. The language could not be identified for the following modules: {1}." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableStackProtection", + "properties": { + "equivalentBinScopeRuleReadableName": "GSCheck" + } + }, + { + "id": "BA2012", + "fullDescription": { + "text": "Application code should not interfere with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2012DoNotModifyStackProtectionCookie", + "help": { + "text": "Application code should not interfere with the stack protector. 
The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a C or C++ binary built with the buffer security feature that properly preserves the stack protecter cookie. This has the effect of enabling a significant increase in entropy provided by the operating system over that produced by the C runtime start-up code." + }, + "Pass_NoLoadConfig": { + "text": "'{0}' is C or C++binary that does not contain a load config table, which indicates either that it was compiled and linked with a version of the compiler that precedes stack protection features or is a binary (such as an ngen'ed assembly) that is not subject to relevant security issues." + }, + "Error": { + "text": "'{0}' is a C or C++ binary that interferes with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. 
The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the magic statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement. NOTE: the modified cookie value detected was: {1}" + }, + "Error_CouldNotLocateCookie": { + "text": "'{0}' is a C or C++binary that enables the stack protection feature but the security cookie could not be located. The binary may be corrupted." + }, + "Warning_InvalidSecurityCookieOffset": { + "text": "'{0}' appears to be a packed C or C++ binary that reports a security cookie offset that exceeds the size of the packed file. Use of the stack protector (/GS) feature therefore could not be verified. The file was possibly packed by: {1}." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotModifyStackProtectionCookie", + "properties": { + "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" + } + }, + { + "id": "BA2013", + "fullDescription": { + "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. 
The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2013InitializeStackProtection", + "help": { + "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a C or C++ binary built with the buffer security feature that properly initializes the stack protecter. This has the effect of increasing the effectiveness of the feature and reducing spurious detections." + }, + "Pass_NoCode": { + "text": "'{0}' is a C or C++ binary that is not required to initialize the stack protection, as it does not contain executable code." + }, + "NotApplicable_FeatureNotEnabled": { + "text": "'{0}' is a C or C++ binary that does not enable the stack protection buffer security feature. 
It is therefore not required to initialize the stack protector." + }, + "Error": { + "text": "'{0}' is a C or C++ binary that does not initialize the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "InitializeStackProtection", + "properties": { + "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" + } + }, + { + "id": "BA2014", + "fullDescription": { + "text": "Application code should not disable stack protection for individual functions. The stack protector (/GS) is a security feature of the Windows native compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, can compromise the security of code. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. 
If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2014DoNotDisableStackProtectionForFunctions", + "help": { + "text": "Application code should not disable stack protection for individual functions. The stack protector (/GS) is a security feature of the Windows native compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, can compromise the security of code. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature enabled which does not disable protection for any individual functions (via __declspec(safebuffers), making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities." + }, + "Error": { + "text": "'{0}' is a C or C++ binary built with function(s) ({1}) that disable the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. 
Disabling the stack protector, even on a function-by-function basis, is disallowed by SDL policy. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotDisableStackProtectionForFunctions", + "properties": { + "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" + } + }, + { + "id": "BA2015", + "fullDescription": { + "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible. High entropy allows ASLR to be more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tool chain to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. Binaries must also be compiled as /LARGEADDRESSAWARE in order to enable high entropy ASLR." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2015EnableHighEntropyVirtualAddresses", + "help": { + "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible. High entropy allows ASLR to be more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tool chain to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. Binaries must also be compiled as /LARGEADDRESSAWARE in order to enable high entropy ASLR." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' is high entropy ASLR compatible, reducing an attacker's ability to exploit code in well-known locations." + }, + "Error_NoHighEntropyVA": { + "text": "'{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. (This image was determined to have been properly compiled as /LARGEADDRESSAWARE.)" + }, + "Error_NoLargeAddressAware": { + "text": "'{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible by supplying /LARGEADDRESSAWARE to the C or C++ linker command line. (This image was determined to have been properly compiled as /HIGHENTROPYVA.)" + }, + "Error_NeitherHighEntropyVANorLargeAddressAware": { + "text": "'{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA as well as /LARGEADDRESSAWARE to the C or C++ linker command line." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableHighEntropyVirtualAddresses", + "properties": { + "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" + } + }, + { + "id": "BA2016", + "fullDescription": { + "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code. 
The NXCompat bit, also known as \"Data Execution Prevention\" (DEP) or \"Execute Disable\" (XD), triggers a processor security feature that allows a program to mark a piece of memory as non-executable. This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit (because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment). Ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2016MarkImageAsNXCompatible", + "help": { + "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code. The NXCompat bit, also known as \"Data Execution Prevention\" (DEP) or \"Execute Disable\" (XD), triggers a processor security feature that allows a program to mark a piece of memory as non-executable. This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit (because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment). Ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is marked as NX compatible, helping to prevent attackers from executing code that is injected into data segments." + }, + "Error": { + "text": "'{0}' is not marked NX compatible. The NXCompat bit, also known as \"Data Execution Prevention\" (DEP) or \"Execute Disable\" (XD), is a processor feature that allows a program to mark a piece of memory as non-executable. 
This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit, because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment. To resolve this issue, ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "MarkImageAsNXCompatible", + "properties": { + "equivalentBinScopeRuleReadableName": "NXCheck" + } + }, + { + "id": "BA2018", + "fullDescription": { + "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues. SafeSEH makes it more difficult to exploit vulnerabilities that permit overwriting SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2018EnableSafeSEH", + "help": { + "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues. SafeSEH makes it more difficult to exploit vulnerabilities that permit overwriting SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. 
Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is an x86 binary that enables SafeSEH, a mitigation that verifies SEH exception jump targets are defined as exception handlers in the program (and not shellcode)." + }, + "Pass_NoSEH": { + "text": "'{0}' is an x86 binary that does not use SEH, making it an invalid target for exploits that attempt to replace SEH jump targets with attacker-controlled shellcode." + }, + "Error": { + "text": "'{0}' is an x86 binary which {1}, indicating that it does not enable the SafeSEH mitigation. SafeSEH makes it more difficult to exploit memory corruption vulnerabilities that can overwrite SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSafeSEH", + "properties": { + "equivalentBinScopeRuleReadableName": "SafeSEHCheck" + } + }, + { + "id": "BA2019", + "fullDescription": { + "text": "Code or data sections should not be marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). 
If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2019DoNotMarkWritableSectionsAsShared", + "help": { + "text": "Code or data sections should not be marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' contains no data or code sections marked as both shared and writable, helping to prevent the exploitation of code vulnerabilities." + }, + "Error": { + "text": "'{0}' contains one or more code or data sections ({1}) which are marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)." 
+ }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotMarkWritableSectionsAsShared", + "properties": { + "equivalentBinScopeRuleReadableName": "SharedSectionCheck" + } + }, + { + "id": "BA2021", + "fullDescription": { + "text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Be sure to disable incremental linking in release builds, as this feature creates a writable and executable section named '.textbss' in order to function." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2021DoNotMarkWritableSectionsAsExecutable", + "help": { + "text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Be sure to disable incremental linking in release builds, as this feature creates a writable and executable section named '.textbss' in order to function." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' contains no data or code sections marked as both shared and executable, helping to prevent the exploitation of code vulnerabilities." + }, + "Error": { + "text": "'{0}' contains PE section(s) ({1}) that are both writable and executable. Writable and executable memory segments make it easier for an attacker to exploit memory corruption vulnerabilities, because it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Enabling incremental linking via the /INCREMENTAL argument (the default for Microsoft Visual Studio debug build) can also result in a writable and executable section named 'textbss'. For this case, disable incremental linking (or analyze an alternate build configuration that disables this feature) to resolve the problem." + }, + "Error_UnexpectedSectionAligment": { + "text": "'{0}' has a section alignment ({1}) that is smaller than its page size ({2})." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotMarkWritableSectionsAsExecutable", + "properties": { + "equivalentBinScopeRuleReadableName": "WXCheck" + } + }, + { + "id": "BA2022", + "fullDescription": { + "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms. This rule invokes WinTrustVerify to validate that binary hash, signing and public key algorithms are secure and, where configurable, that key sizes meet acceptable size thresholds." 
+ }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2022SignSecurely", + "help": { + "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms. This rule invokes WinTrustVerify to validate that binary hash, signing and public key algorithms are secure and, where configurable, that key sizes meet acceptable size thresholds." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' appears to be signed with secure cryptographic algorithms. WinTrustVerify successfully validated the binary but did not attempt to validate certificate chaining or that the root certificate is trusted. The following digitial signature algorithms were detected: {1}" + }, + "Error_BadSigningAlgorithm": { + "text": "'{0}' was signed exclusively with algorithms that WinTrustVerify has flagged as insecure. {1}" + }, + "Error_DidNotVerify": { + "text": "'{0}' signing was flagged as insecure by WinTrustVerify with error code '{1}' ({2})" + }, + "Error_WinTrustVerifyApiError": { + "text": "'{0}' signing could not be completely verified because '{1}' failed with error code: '{2}'." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "SignSecurely" + }, + { + "id": "BA2024", + "fullDescription": { + "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations", + "help": { + "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." 
+ }, + "messageStrings": { + "Warning": { + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + }, + "Warning_OptimizationsDisabled": { + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + }, + "Warning_SpectreMitigationNotEnabled": { + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + }, + "Warning_SpectreMitigationExplicitlyDisabled": { + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + }, + "Pass": { + "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSpectreMitigations" + }, + { + "id": "BA2025", + "fullDescription": { + "text": "Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks." 
+ }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack", + "help": { + "text": "Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' enables the Control-flow Enforcement Technology (CET) Shadow Stack mitigation." + }, + "Warning": { + "text": "'{0}' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableShadowStack" + }, + { + "id": "BA3001", + "fullDescription": { + "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap). This makes ROP-style attacks more difficult. This can be enabled by passing '-f pie' to clang/gcc." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3001EnablePositionIndependentExecutable", + "help": { + "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap). This makes ROP-style attacks more difficult. This can be enabled by passing '-f pie' to clang/gcc." + }, + "messageStrings": { + "Pass_Executable": { + "text": "PIE enabled on executable '{0}'." + }, + "Pass_Library": { + "text": "'{0}' is a shared object library rather than an executable, and is automatically position independent." + }, + "Error": { + "text": "PIE disabled on executable '{0}'. 
This means the code section will always be loaded to the same address, even if ASLR is enabled in the Linux kernel. To address this, ensure you are compiling with '-fpie' when using clang/gcc." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnablePositionIndependentExecutable" + }, + { + "id": "BA3002", + "fullDescription": { + "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3002DoNotMarkStackAsExecutable", + "help": { + "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable." + }, + "messageStrings": { + "Pass": { + "text": "GNU_STACK segment marked as non-executable on '{0}'." + }, + "Error_StackExec": { + "text": "Stack on '{0}' is executable, which means that an attacker could use it as a place to store attack shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable." + }, + "Error_NoStackSeg": { + "text": "GNU_STACK segment on '{0}' is missing, which means the stack will likely be loaded as executable. Ensure you are using an up to date compiler and passing '-z noexecstack' to the compiler." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "DoNotMarkStackAsExecutable" + }, + { + "id": "BA3003", + "fullDescription": { + "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected. Use '--fstack-protector-strong' (all buffers of 4 bytes or more) or '--fstack-protector-all' (all functions) to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3003EnableStackProtector", + "help": { + "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected. Use '--fstack-protector-strong' (all buffers of 4 bytes or more) or '--fstack-protector-all' (all functions) to enable this." + }, + "messageStrings": { + "Pass": { + "text": "Stack protector was found on '{0}'. However, if you are not compiling with '--stack-protector-strong', it may provide additional protections." + }, + "Error": { + "text": "The stack protector was not found in '{0}'. This may be because the binary has no stack-based arrays, or because '--stack-protector-strong' was not used." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableStackProtector" + }, + { + "id": "BA3004", + "fullDescription": { + "text": "This check ensures that debugging dwarf version used is 5. The dwarf version 5 contains more information and should be used. Use the compiler flags '-gdwarf-5' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3004GenerateRequiredSymbolFormat", + "help": { + "text": "This check ensures that debugging dwarf version used is 5. 
The dwarf version 5 contains more information and should be used. Use the compiler flags '-gdwarf-5' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The version of the debugging dwarf format is '{0}' for the file '{1}'" + }, + "Error": { + "text": "'{0}' is using debugging dwarf version '{1}'. The dwarf version 5 contains more information and should be used. To enable the debugging version 5 use '-gdwarf-5'." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "GenerateRequiredSymbolFormat" + }, + { + "id": "BA3005", + "fullDescription": { + "text": "This check ensures that stack clash protection is enabled. Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around. Use the compiler flags '-fstack-clash-protection' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3005EnableStackClashProtection", + "help": { + "text": "This check ensures that stack clash protection is enabled. Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around. Use the compiler flags '-fstack-clash-protection' to enable this." 
+ }, + "messageStrings": { + "Pass": { + "text": "The Stack Clash Protection was present, so '{0}' is protected." + }, + "Error": { + "text": "The Stack Clash Protection is missing from this binary, so the stack from '{0}' can clash/colide with another memory region. Ensure you are compiling with the compiler flags '-fstack-clash-protection' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableStackClashProtection" + }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." 
+ }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableNonExecutableStack" + }, + { + "id": "BA3010", + "fullDescription": { + "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,relro' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3010EnableReadOnlyRelocations", + "help": { + "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,relro' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The GNU_RELRO segment was present, so '{0}' is protected." + }, + "Error": { + "text": "The GNU_RELRO segment is missing from this binary, so relocation sections in '{0}' will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,z,relro' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableReadOnlyRelocations" + }, + { + "id": "BA3011", + "fullDescription": { + "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,now' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow", + "help": { + "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,now' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The BIND_NOW flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The BIND_NOW flag is missing from this binary, so relocation sections in '{0}' will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,z,now' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableBindNow" + }, + { + "id": "BA3030", + "fullDescription": { + "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." 
+ }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc", + "help": { + "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." + }, + "messageStrings": { + "Pass_AllFunctionsChecked": { + "text": "All functions that can be checked in '{0}' are using the checked versions, so this binary is protected from overflows caused by those function's use." + }, + "Pass_SomeFunctionsChecked": { + "text": "Some checked functions were found in '{0}'; however, there were also some unchecked functions, which can occur when the compiler cannot statically determine the length of a buffer/string. We recommend reviewing your usage of functions like memcpy or strcpy." + }, + "Pass_NoCheckableFunctions": { + "text": "No unsafe functions which can be replaced with checked versions are used in '{0}'." + }, + "Error": { + "text": "No checked functions are present/used when compiling '{0}', and it was compiled with GCC--and it uses functions that can be checked. The Fortify Source flag replaces some unsafe functions with checked versions when a static length can be determined, and can be enabled by passing '-D_FORTIFY_SOURCE=2' when optimization level 2 ('-O2') is enabled. It is possible that the flag was passed, but that the compiler could not statically determine the length of any buffers/strings." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "UseCheckedFunctionsWithGcc" + } + ], + "properties": { + "Comments": "A security and correctness analyzer for portable executable and MSIL formats." + } + } + }, + "invocations": [ + { + "executionSuccessful": true + } + ], + "artifacts": [ + { + "location": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o" + }, + "hashes": { + "md5": "063A86A9AB1919069750EEE569CF1A33", + "sha-1": "48002801F1AD269C6DB7AB24477F4E3CE39E38EE", + "sha-256": "C5FFE046062EECE56CFAD3AFE8F974CB40B9337D4237FF0C509987470DD7C04B" + } + } + ], + "columnKind": "utf16CodeUnits" + } + ] +} \ No newline at end of file diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif index c8f7903d0..fe3bead31 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,7 +620,7 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -642,10 +642,32 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA3011", "ruleIndex": 27, "kind": "pass", "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.nodwarf" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.nodwarf", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3030", + "ruleIndex": 28, + "kind": "pass", + "level": "none", "message": { "id": "Pass_NoCheckableFunctions", "arguments": [ 
@@ -1348,6 +1370,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif new file mode 100644 index 000000000..54f5738ce --- /dev/null +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif 
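Review bot: The BA3006 descriptor added in the `@@ -1348,6 +1370,28 @@` hunk of gcc.helloworld.nodwarf.sarif tells users to "Use the compiler flags '-z noexecstack'", but `-z noexecstack` is a linker option that only takes effect at link time, so the remediation should read something like `Pass '-z noexecstack' to the linker (for example '-Wl,-z,noexecstack' through gcc/clang)`. The Error string is also hard to parse; I would word it as `The stack of '{0}' is not marked non-executable, so data written to the stack could be executed.` Elsewhere in this patch the baselines already carry BA3002 DoNotMarkStackAsExecutable with the same '-z noexecstack' advice, so the description should say what BA3006 checks that BA3002 does not, otherwise one condition appears to produce two findings. These strings presumably come from RuleResources.resx, which is outside this hunk, so the fix belongs there and the baselines, including the new gcc.helloworld.execstack.5.o.sarif that repeats the text, would then be regenerated.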
@@ -0,0 +1,1536 @@ +{ + "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json", + "version": "2.1.0", + "runs": [ + { + "results": [ + { + "ruleId": "BA2001", + "ruleIndex": 0, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "LoadImageAboveFourGigabyteAddress", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2002", + "ruleIndex": 1, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "DoNotIncorporateVulnerableDependencies", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2004", + "ruleIndex": 2, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableSecureSourceCodeHashing", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2005", + "ruleIndex": 3, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "DoNotShipVulnerableBinaries", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2006", + "ruleIndex": 4, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "BuildWithSecureTools", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2007", + "ruleIndex": 5, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableCriticalCompilerWarnings", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2008", + "ruleIndex": 6, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableControlFlowGuard", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2009", + "ruleIndex": 7, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableAddressSpaceLayoutRandomization", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2010", + "ruleIndex": 8, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "DoNotMarkImportsSectionAsExecutable", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2011", + "ruleIndex": 9, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableStackProtection", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2012", + "ruleIndex": 10, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "DoNotModifyStackProtectionCookie", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2013", + "ruleIndex": 11, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "InitializeStackProtection", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2014", + "ruleIndex": 12, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "DoNotDisableStackProtectionForFunctions", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2015", + "ruleIndex": 13, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableHighEntropyVirtualAddresses", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2016", + "ruleIndex": 14, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "MarkImageAsNXCompatible", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2018", + "ruleIndex": 15, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableSafeSEH", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2019", + "ruleIndex": 16, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "DoNotMarkWritableSectionsAsShared", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2021", + "ruleIndex": 17, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "DoNotMarkWritableSectionsAsExecutable", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2022", + "ruleIndex": 18, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "SignSecurely", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2024", + "ruleIndex": 19, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableSpectreMitigations", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": 
"file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA2025", + "ruleIndex": 20, + "kind": "notApplicable", + "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.helloworld.noexecstack.5.o", + "EnableShadowStack", + "image is not a PE binary" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3001", + "ruleIndex": 21, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass_Executable", + "arguments": [ + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3002", + "ruleIndex": 22, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3003", + "ruleIndex": 23, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3004", + "ruleIndex": 24, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "5", + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": 
{ + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3005", + "ruleIndex": 25, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3006", + "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 28, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3030", + "ruleIndex": 29, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass_NoCheckableFunctions", + "arguments": [ + "gcc.helloworld.noexecstack.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + 
"uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o", + "index": 0 + } + } + } + ] + } + ], + "tool": { + "driver": { + "name": "testhost", + "version": "15.0.0.0", + "rules": [ + { + "id": "BA2001", + "fullDescription": { + "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security. ASLR compatibility mode reduces the number of locations to which ASLR may relocate the binary, reducing its effectiveness at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2001LoadImageAboveFourGigabyteAddress", + "help": { + "text": "64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security. ASLR compatibility mode reduces the number of locations to which ASLR may relocate the binary, reducing its effectiveness at mitigating memory corruption vulnerabilities. 
To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a 64-bit image with a base address that is >= 4 gigabytes, increasing the effectiveness of Address Space Layout Randomization (which helps prevent attackers from executing security-sensitive code in well-known locations)." + }, + "Error": { + "text": "'{0}' is a 64-bit image with a preferred base address below the 4GB boundary. Having a preferred base address below this boundary triggers a compatibility mode in Address Space Layout Randomization (ASLR) on recent versions of Windows that reduces the number of locations to which ASLR may relocate the binary. This reduces the effectiveness of ASLR at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "LoadImageAboveFourGigabyteAddress", + "properties": { + "equivalentBinScopeRuleReadableName": "FourGbCheck" + } + }, + { + "id": "BA2002", + "fullDescription": { + "text": "Binaries should not take dependencies on code with known security vulnerabilities." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2002DoNotIncorporateVulnerableDependencies", + "help": { + "text": "Binaries should not take dependencies on code with known security vulnerabilities." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' does not incorporate any known vulnerable dependencies, as configured by current policy." + }, + "Error": { + "text": "'{0}' was built with a version of {1} which is subject to the following issues: {2}. To resolve this, {3}. The source files that triggered this were: {4}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotIncorporateVulnerableDependencies", + "properties": { + "equivalentBinScopeRuleReadableName": "ATLVersionCheck" + } + }, + { + "id": "BA2004", + "fullDescription": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). 
Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2004EnableSecureSourceCodeHashing", + "help": { + "text": "Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." + }, + "Warning_NativeWithInsecureStaticLibraryCompilands": { + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "Error_Managed": { + "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." + }, + "Error_NativeWithInsecureDirectCompilands": { + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSecureSourceCodeHashing" + }, + { + "id": "BA2005", + "fullDescription": { + "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2005DoNotShipVulnerableBinaries", + "help": { + "text": "Do not ship obsolete libraries for which there are known security vulnerabilities." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' is not known to be an obsolete binary that is vulnerable to one or more security problems." + }, + "Error": { + "text": "'{0}' appears to be an obsolete library (version {1}) for which there are known security vulnerabilities. To resolve this issue, obtain a version of {0} that is newer than version {2}. If this binary is not in fact {0}, ignore this warning." + }, + "Error_CouldNotParseVersion": { + "text": "Version information for '{0}' could not be parsed. The binary therefore could not be verified not to be an obsolete binary that is known to be vulnerable to one or more security problems." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotShipVulnerableBinaries", + "properties": { + "equivalentBinScopeRuleReadableName": "BinaryVersionsCheck" + } + }, + { + "id": "BA2006", + "fullDescription": { + "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2006BuildWithSecureTools", + "help": { + "text": "Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks." 
+ }, + "messageStrings": { + "Error": { + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + }, + "Error_BadModule": { + "text": "built with {0} compiler version {1} (Front end version {2})" + }, + "Pass": { + "text": "All linked modules of '{0}' satisfy configured policy (observed compilers: {1})." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "BuildWithSecureTools", + "properties": { + "equivalentBinScopeRuleReadableName": "CompilerVersionCheck" + } + }, + { + "id": "BA2007", + "fullDescription": { + "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks. Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2007EnableCriticalCompilerWarnings", + "help": { + "text": "Binaries should be compiled with a warning level that enables all critical security-relevant checks. 
Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." + }, + "Error_WarningsDisabled": { + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + }, + "Error_InsufficientWarningLevel": { + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + }, + "Error_UnknownModuleLanguage": { + "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableCriticalCompilerWarnings", + "properties": { + "equivalentBinScopeRuleReadableName": "CompilerWarningsCheck" + } + }, + { + "id": "BA2008", + "fullDescription": { + "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations. CFG analyzes and discovers all indirect-call instructions at compilation and link time. It also injects a check that precedes every indirect call in code that ensures the target is an expected, safe location. If that check fails at runtime, the operating system will close the program." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2008EnableControlFlowGuard", + "help": { + "text": "Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations. CFG analyzes and discovers all indirect-call instructions at compilation and link time. It also injects a check that precedes every indirect call in code that ensures the target is an expected, safe location. If that check fails at runtime, the operating system will close the program." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' enables the control flow guard mitigation. As a result, the operating system will force an application to close if an attacker is able to redirect execution in the component to an unexpected location." 
+ }, + "Error": { + "text": "'{0}' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + }, + "NotApplicable_UnsupportedKernelModeVersion": { + "text": "'{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries." + } + }, + "name": "EnableControlFlowGuard", + "properties": { + "equivalentBinScopeRuleReadableName": "ControlFlowGuardCheck" + } + }, + { + "id": "BA2009", + "fullDescription": { + "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. Configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2009EnableAddressSpaceLayoutRandomization", + "help": { + "text": "Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. Configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' is properly compiled to enable Address Space Layout Randomization, reducing an attacker's ability to exploit code in well-known locations." + }, + "Error_NotDynamicBase": { + "text": "'{0}' is not marked as DYNAMICBASE. This means that the binary is not eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. To resolve this issue, configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later." + }, + "Error_RelocsStripped": { + "text": "'{0}' is marked as DYNAMICBASE but relocation data has been stripped from the image, preventing address space layout randomization. " + }, + "Error_WinCENoRelocationSection": { + "text": "'{0}' is a Windows CE image but does not contain any relocation data, preventing Address Space Layout Randomization." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableAddressSpaceLayoutRandomization", + "properties": { + "equivalentBinScopeRuleReadableName": "DBCheck" + } + }, + { + "id": "BA2010", + "fullDescription": { + "text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. Because the loader will always mark the imports section as writable, it is therefore important to mark this section as non-executable. To resolve this issue, ensure that your program does not mark the imports section executable. 
Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2010DoNotMarkImportsSectionAsExecutable", + "help": { + "text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. Because the loader will always mark the imports section as writable, it is therefore important to mark this section as non-executable. To resolve this issue, ensure that your program does not mark the imports section executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' does not have an imports section that is marked as executable, helping to prevent the exploitation of code vulnerabilities." + }, + "Error": { + "text": "'{0}' has the imports section marked executable. Because the loader will always mark the imports section as writable, it is important to mark this section as non-executable, so that an attacker cannot place shellcode here. To resolve this issue, ensure that your program does not mark the imports section as executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the \".rdata\" segment into an executable section." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "DoNotMarkImportsSectionAsExecutable", + "properties": { + "equivalentBinScopeRuleReadableName": "ExecutableImportsCheck" + } + }, + { + "id": "BA2011", + "fullDescription": { + "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that all modules compiled into the binary are compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2011EnableStackProtection", + "help": { + "text": "Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that all modules compiled into the binary are compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature enabled for all modules, making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities. " + }, + "Error": { + "text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature disabled in one or more modules. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that your code is compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line. 
The affected modules were: {1}" + }, + "Error_UnknownModuleLanguage": { + "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the stack protector buffer security features. The language could not be identified for the following modules: {1}." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableStackProtection", + "properties": { + "equivalentBinScopeRuleReadableName": "GSCheck" + } + }, + { + "id": "BA2012", + "fullDescription": { + "text": "Application code should not interfere with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2012DoNotModifyStackProtectionCookie", + "help": { + "text": "Application code should not interfere with the stack protector. 
The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a C or C++ binary built with the buffer security feature that properly preserves the stack protecter cookie. This has the effect of enabling a significant increase in entropy provided by the operating system over that produced by the C runtime start-up code." + }, + "Pass_NoLoadConfig": { + "text": "'{0}' is C or C++binary that does not contain a load config table, which indicates either that it was compiled and linked with a version of the compiler that precedes stack protection features or is a binary (such as an ngen'ed assembly) that is not subject to relevant security issues." + }, + "Error": { + "text": "'{0}' is a C or C++ binary that interferes with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. 
The stack protector relies on a random number, called the \"security cookie\", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the magic statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement. NOTE: the modified cookie value detected was: {1}" + }, + "Error_CouldNotLocateCookie": { + "text": "'{0}' is a C or C++binary that enables the stack protection feature but the security cookie could not be located. The binary may be corrupted." + }, + "Warning_InvalidSecurityCookieOffset": { + "text": "'{0}' appears to be a packed C or C++ binary that reports a security cookie offset that exceeds the size of the packed file. Use of the stack protector (/GS) feature therefore could not be verified. The file was possibly packed by: {1}." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotModifyStackProtectionCookie", + "properties": { + "equivalentBinScopeRuleReadableName": "DefaultGSCookieCheck" + } + }, + { + "id": "BA2013", + "fullDescription": { + "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. 
The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2013InitializeStackProtection", + "help": { + "text": "Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a C or C++ binary built with the buffer security feature that properly initializes the stack protecter. This has the effect of increasing the effectiveness of the feature and reducing spurious detections." + }, + "Pass_NoCode": { + "text": "'{0}' is a C or C++ binary that is not required to initialize the stack protection, as it does not contain executable code." + }, + "NotApplicable_FeatureNotEnabled": { + "text": "'{0}' is a C or C++ binary that does not enable the stack protection buffer security feature. 
It is therefore not required to initialize the stack protector." + }, + "Error": { + "text": "'{0}' is a C or C++ binary that does not initialize the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "InitializeStackProtection", + "properties": { + "equivalentBinScopeRuleReadableName": "GSFriendlyInitCheck" + } + }, + { + "id": "BA2014", + "fullDescription": { + "text": "Application code should not disable stack protection for individual functions. The stack protector (/GS) is a security feature of the Windows native compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, can compromise the security of code. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. 
If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2014DoNotDisableStackProtectionForFunctions", + "help": { + "text": "Application code should not disable stack protection for individual functions. The stack protector (/GS) is a security feature of the Windows native compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, can compromise the security of code. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is a C or C++ binary built with the stack protector buffer security feature enabled which does not disable protection for any individual functions (via __declspec(safebuffers), making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities." + }, + "Error": { + "text": "'{0}' is a C or C++ binary built with function(s) ({1}) that disable the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. 
Disabling the stack protector, even on a function-by-function basis, is disallowed by SDL policy. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotDisableStackProtectionForFunctions", + "properties": { + "equivalentBinScopeRuleReadableName": "GSFunctionSafeBuffersCheck" + } + }, + { + "id": "BA2015", + "fullDescription": { + "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible. High entropy allows ASLR to be more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tool chain to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. Binaries must also be compiled as /LARGEADDRESSAWARE in order to enable high entropy ASLR." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2015EnableHighEntropyVirtualAddresses", + "help": { + "text": "Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible. High entropy allows ASLR to be more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tool chain to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. Binaries must also be compiled as /LARGEADDRESSAWARE in order to enable high entropy ASLR." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' is high entropy ASLR compatible, reducing an attacker's ability to exploit code in well-known locations." + }, + "Error_NoHighEntropyVA": { + "text": "'{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. (This image was determined to have been properly compiled as /LARGEADDRESSAWARE.)" + }, + "Error_NoLargeAddressAware": { + "text": "'{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible by supplying /LARGEADDRESSAWARE to the C or C++ linker command line. (This image was determined to have been properly compiled as /HIGHENTROPYVA.)" + }, + "Error_NeitherHighEntropyVANorLargeAddressAware": { + "text": "'{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA as well as /LARGEADDRESSAWARE to the C or C++ linker command line." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableHighEntropyVirtualAddresses", + "properties": { + "equivalentBinScopeRuleReadableName": "HighEntropyVACheck" + } + }, + { + "id": "BA2016", + "fullDescription": { + "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code. 
The NXCompat bit, also known as \"Data Execution Prevention\" (DEP) or \"Execute Disable\" (XD), triggers a processor security feature that allows a program to mark a piece of memory as non-executable. This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit (because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment). Ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2016MarkImageAsNXCompatible", + "help": { + "text": "Binaries should be marked as NX compatible to help prevent execution of untrusted data as code. The NXCompat bit, also known as \"Data Execution Prevention\" (DEP) or \"Execute Disable\" (XD), triggers a processor security feature that allows a program to mark a piece of memory as non-executable. This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit (because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment). Ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is marked as NX compatible, helping to prevent attackers from executing code that is injected into data segments." + }, + "Error": { + "text": "'{0}' is not marked NX compatible. The NXCompat bit, also known as \"Data Execution Prevention\" (DEP) or \"Execute Disable\" (XD), is a processor feature that allows a program to mark a piece of memory as non-executable. 
This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit, because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment. To resolve this issue, ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "MarkImageAsNXCompatible", + "properties": { + "equivalentBinScopeRuleReadableName": "NXCheck" + } + }, + { + "id": "BA2018", + "fullDescription": { + "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues. SafeSEH makes it more difficult to exploit vulnerabilities that permit overwriting SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2018EnableSafeSEH", + "help": { + "text": "X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues. SafeSEH makes it more difficult to exploit vulnerabilities that permit overwriting SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. 
Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' is an x86 binary that enables SafeSEH, a mitigation that verifies SEH exception jump targets are defined as exception handlers in the program (and not shellcode)." + }, + "Pass_NoSEH": { + "text": "'{0}' is an x86 binary that does not use SEH, making it an invalid target for exploits that attempt to replace SEH jump targets with attacker-controlled shellcode." + }, + "Error": { + "text": "'{0}' is an x86 binary which {1}, indicating that it does not enable the SafeSEH mitigation. SafeSEH makes it more difficult to exploit memory corruption vulnerabilities that can overwrite SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSafeSEH", + "properties": { + "equivalentBinScopeRuleReadableName": "SafeSEHCheck" + } + }, + { + "id": "BA2019", + "fullDescription": { + "text": "Code or data sections should not be marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). 
If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2019DoNotMarkWritableSectionsAsShared", + "help": { + "text": "Code or data sections should not be marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' contains no data or code sections marked as both shared and writable, helping to prevent the exploitation of code vulnerabilities." + }, + "Error": { + "text": "'{0}' contains one or more code or data sections ({1}) which are marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.)." 
+ }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotMarkWritableSectionsAsShared", + "properties": { + "equivalentBinScopeRuleReadableName": "SharedSectionCheck" + } + }, + { + "id": "BA2021", + "fullDescription": { + "text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Be sure to disable incremental linking in release builds, as this feature creates a writable and executable section named '.textbss' in order to function." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2021DoNotMarkWritableSectionsAsExecutable", + "help": { + "text": "PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Be sure to disable incremental linking in release builds, as this feature creates a writable and executable section named '.textbss' in order to function." 
+ }, + "messageStrings": { + "Pass": { + "text": "'{0}' contains no data or code sections marked as both shared and executable, helping to prevent the exploitation of code vulnerabilities." + }, + "Error": { + "text": "'{0}' contains PE section(s) ({1}) that are both writable and executable. Writable and executable memory segments make it easier for an attacker to exploit memory corruption vulnerabilities, because it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Enabling incremental linking via the /INCREMENTAL argument (the default for Microsoft Visual Studio debug build) can also result in a writable and executable section named 'textbss'. For this case, disable incremental linking (or analyze an alternate build configuration that disables this feature) to resolve the problem." + }, + "Error_UnexpectedSectionAligment": { + "text": "'{0}' has a section alignment ({1}) that is smaller than its page size ({2})." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "DoNotMarkWritableSectionsAsExecutable", + "properties": { + "equivalentBinScopeRuleReadableName": "WXCheck" + } + }, + { + "id": "BA2022", + "fullDescription": { + "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms. This rule invokes WinTrustVerify to validate that binary hash, signing and public key algorithms are secure and, where configurable, that key sizes meet acceptable size thresholds." 
+ }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2022SignSecurely", + "help": { + "text": "Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms. This rule invokes WinTrustVerify to validate that binary hash, signing and public key algorithms are secure and, where configurable, that key sizes meet acceptable size thresholds." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' appears to be signed with secure cryptographic algorithms. WinTrustVerify successfully validated the binary but did not attempt to validate certificate chaining or that the root certificate is trusted. The following digitial signature algorithms were detected: {1}" + }, + "Error_BadSigningAlgorithm": { + "text": "'{0}' was signed exclusively with algorithms that WinTrustVerify has flagged as insecure. {1}" + }, + "Error_DidNotVerify": { + "text": "'{0}' signing was flagged as insecure by WinTrustVerify with error code '{1}' ({2})" + }, + "Error_WinTrustVerifyApiError": { + "text": "'{0}' signing could not be completely verified because '{1}' failed with error code: '{2}'." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "SignSecurely" + }, + { + "id": "BA2024", + "fullDescription": { + "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2024EnableSpectreMitigations", + "help": { + "text": "Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it." 
+ }, + "messageStrings": { + "Warning": { + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + }, + "Warning_OptimizationsDisabled": { + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + }, + "Warning_SpectreMitigationNotEnabled": { + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + }, + "Warning_SpectreMitigationExplicitlyDisabled": { + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + }, + "Pass": { + "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableSpectreMitigations" + }, + { + "id": "BA2025", + "fullDescription": { + "text": "Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks." 
+ }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2025EnableShadowStack", + "help": { + "text": "Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' enables the Control-flow Enforcement Technology (CET) Shadow Stack mitigation." + }, + "Warning": { + "text": "'{0}' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableShadowStack" + }, + { + "id": "BA3001", + "fullDescription": { + "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap). This makes ROP-style attacks more difficult. This can be enabled by passing '-f pie' to clang/gcc." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3001EnablePositionIndependentExecutable", + "help": { + "text": "A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap). This makes ROP-style attacks more difficult. This can be enabled by passing '-f pie' to clang/gcc." + }, + "messageStrings": { + "Pass_Executable": { + "text": "PIE enabled on executable '{0}'." + }, + "Pass_Library": { + "text": "'{0}' is a shared object library rather than an executable, and is automatically position independent." + }, + "Error": { + "text": "PIE disabled on executable '{0}'. 
This means the code section will always be loaded to the same address, even if ASLR is enabled in the Linux kernel. To address this, ensure you are compiling with '-fpie' when using clang/gcc." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnablePositionIndependentExecutable" + }, + { + "id": "BA3002", + "fullDescription": { + "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3002DoNotMarkStackAsExecutable", + "help": { + "text": "This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable." + }, + "messageStrings": { + "Pass": { + "text": "GNU_STACK segment marked as non-executable on '{0}'." + }, + "Error_StackExec": { + "text": "Stack on '{0}' is executable, which means that an attacker could use it as a place to store attack shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable." + }, + "Error_NoStackSeg": { + "text": "GNU_STACK segment on '{0}' is missing, which means the stack will likely be loaded as executable. Ensure you are using an up to date compiler and passing '-z noexecstack' to the compiler." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "DoNotMarkStackAsExecutable" + }, + { + "id": "BA3003", + "fullDescription": { + "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected. Use '--fstack-protector-strong' (all buffers of 4 bytes or more) or '--fstack-protector-all' (all functions) to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3003EnableStackProtector", + "help": { + "text": "The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected. Use '--fstack-protector-strong' (all buffers of 4 bytes or more) or '--fstack-protector-all' (all functions) to enable this." + }, + "messageStrings": { + "Pass": { + "text": "Stack protector was found on '{0}'. However, if you are not compiling with '--stack-protector-strong', it may provide additional protections." + }, + "Error": { + "text": "The stack protector was not found in '{0}'. This may be because the binary has no stack-based arrays, or because '--stack-protector-strong' was not used." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableStackProtector" + }, + { + "id": "BA3004", + "fullDescription": { + "text": "This check ensures that debugging dwarf version used is 5. The dwarf version 5 contains more information and should be used. Use the compiler flags '-gdwarf-5' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3004GenerateRequiredSymbolFormat", + "help": { + "text": "This check ensures that debugging dwarf version used is 5. 
The dwarf version 5 contains more information and should be used. Use the compiler flags '-gdwarf-5' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The version of the debugging dwarf format is '{0}' for the file '{1}'" + }, + "Error": { + "text": "'{0}' is using debugging dwarf version '{1}'. The dwarf version 5 contains more information and should be used. To enable the debugging version 5 use '-gdwarf-5'." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "GenerateRequiredSymbolFormat" + }, + { + "id": "BA3005", + "fullDescription": { + "text": "This check ensures that stack clash protection is enabled. Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around. Use the compiler flags '-fstack-clash-protection' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3005EnableStackClashProtection", + "help": { + "text": "This check ensures that stack clash protection is enabled. Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around. Use the compiler flags '-fstack-clash-protection' to enable this." 
+ }, + "messageStrings": { + "Pass": { + "text": "The Stack Clash Protection was present, so '{0}' is protected." + }, + "Error": { + "text": "The Stack Clash Protection is missing from this binary, so the stack from '{0}' can clash/colide with another memory region. Ensure you are compiling with the compiler flags '-fstack-clash-protection' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableStackClashProtection" + }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." 
+ }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableNonExecutableStack" + }, + { + "id": "BA3010", + "fullDescription": { + "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,relro' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3010EnableReadOnlyRelocations", + "help": { + "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,relro' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The GNU_RELRO segment was present, so '{0}' is protected." + }, + "Error": { + "text": "The GNU_RELRO segment is missing from this binary, so relocation sections in '{0}' will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,z,relro' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableReadOnlyRelocations" + }, + { + "id": "BA3011", + "fullDescription": { + "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,now' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow", + "help": { + "text": "This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,now' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The BIND_NOW flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The BIND_NOW flag is missing from this binary, so relocation sections in '{0}' will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,z,now' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "name": "EnableBindNow" + }, + { + "id": "BA3030", + "fullDescription": { + "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." 
+ }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc", + "help": { + "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." + }, + "messageStrings": { + "Pass_AllFunctionsChecked": { + "text": "All functions that can be checked in '{0}' are using the checked versions, so this binary is protected from overflows caused by those function's use." + }, + "Pass_SomeFunctionsChecked": { + "text": "Some checked functions were found in '{0}'; however, there were also some unchecked functions, which can occur when the compiler cannot statically determine the length of a buffer/string. We recommend reviewing your usage of functions like memcpy or strcpy." + }, + "Pass_NoCheckableFunctions": { + "text": "No unsafe functions which can be replaced with checked versions are used in '{0}'." + }, + "Error": { + "text": "No checked functions are present/used when compiling '{0}', and it was compiled with GCC--and it uses functions that can be checked. The Fortify Source flag replaces some unsafe functions with checked versions when a static length can be determined, and can be enabled by passing '-D_FORTIFY_SOURCE=2' when optimization level 2 ('-O2') is enabled. It is possible that the flag was passed, but that the compiler could not statically determine the length of any buffers/strings." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "UseCheckedFunctionsWithGcc" + } + ], + "properties": { + "Comments": "A security and correctness analyzer for portable executable and MSIL formats." + } + } + }, + "invocations": [ + { + "executionSuccessful": true + } + ], + "artifacts": [ + { + "location": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o" + }, + "hashes": { + "md5": "4B07DB79D59C11F5D5AC96290A332E51", + "sha-1": "905783E72E59967036593659DB816A595C6E194D", + "sha-256": "C6A5E05BADA74E0EA76D4CEA6F89B7EF6418E032E5B60F963FF28009A1ED7108" + } + } + ], + "columnKind": "utf16CodeUnits" + } + ] +} \ No newline at end of file diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif index 876d87e5f..c8b6d8f63 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,7 +620,7 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -642,8 +642,30 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA3011", "ruleIndex": 27, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.immediate_binding" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.immediate_binding", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3030", + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1347,6 +1369,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif index 6129642a5..8b6d1c4ea 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif @@ -597,7 +597,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -619,8 +619,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.no_fortification_required" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.no_fortification_required", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -641,7 +663,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "pass", "level": "none", "message": { 
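Review bot: The BA3006 `Pass` text added in the `@@ -1347,6 +1369,28 @@` hunk, "The enable non-executable stack flag was present, so '{0}' is protected.", overstates the result, since a non-executable stack is one mitigation and not a guarantee. The `Error` text is also hard to read ("not enabled from this binary", "can have vulnerability of execution"). I would reword them to `"The stack is marked non-executable on '{0}'."` and `"The stack on '{0}' is not marked non-executable, so data written to the stack could be executed. Ensure you are linking with '-z noexecstack' to address this."`, noting that `-z noexecstack` is a linker option the compiler driver forwards. BA3002 (DoNotMarkStackAsExecutable), visible in the new baseline earlier in this patch, already reports on the GNU_STACK segment with separate `Error_StackExec` and `Error_NoStackSeg` messages, so BA3006 appears to report the same condition twice; the rule implementation is not in this part of the patch, so please confirm what it adds. These baselines are generated, so the wording change belongs in `RuleResources.resx`, with the expected files regenerated. The same strings repeat in the matching hunks of the other `gcc.*.sarif` baselines below.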
@@ -1346,6 +1368,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif index 8b4e5be1f..221e70a11 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,8 +620,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.no_immediate_binding" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.no_immediate_binding", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +664,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1346,6 +1368,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif index b081a9b24..3835ba4b2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif @@ -597,7 +597,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -619,8 +619,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.no_stack_protector" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.no_stack_protector", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -641,7 +663,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1345,6 +1367,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif index 5a3814ac3..9b505ff54 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,8 +620,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.noexecstack" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.noexecstack", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +664,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1346,6 +1368,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif index 85bc654e2..07bf3ff49 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif @@ -599,7 +599,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -621,8 +621,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.noexecstack.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.noexecstack.so", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -643,7 +665,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1347,6 +1369,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif index e06524e31..8b417031d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,8 +620,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.non_pie_executable" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.non_pie_executable", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +664,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1346,6 +1368,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif index 0833eb1a9..832904953 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif @@ -605,10 +605,34 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "notApplicable", "level": "none", + "message": { + "id": "NotApplicable_InvalidMetadata", + "arguments": [ + "gcc.object_file.o", + "EnableNonExecutableStack", + "ELF does not contain the segment to be analyzed" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.object_file.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 26, + "kind": "notApplicable", + "level": "none", "message": { "id": "NotApplicable_InvalidMetadata", "arguments": [ @@ -630,7 +654,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 26, + "ruleIndex": 27, "kind": "notApplicable", "level": "none", "message": { @@ -654,7 +678,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "kind": "notApplicable", "level": "none", "message": { 
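Review bot: The new BA3006 baseline for gcc.object_file.o expects `"kind": "notApplicable"` with the argument "ELF does not contain the segment to be analyzed", but no baseline in this part of the patch shows what a linked executable or shared object without the stack segment (PT_GNU_STACK) should produce. Skipping is reasonable for a relocatable object, which has no program headers. For a linked image, however, loaders on several architectures commonly treat a missing PT_GNU_STACK as a request for an executable stack, so a skip there would hide the condition the rule exists to report. The rule source is outside this hunk, so please confirm that the not-applicable path is limited to relocatable files and that a linked binary without the segment yields `"id": "Error"` at `"level": "error"`. Every other gcc.* baseline visible here passes BA3006, so adding a baseline binary linked with an executable stack would pin the failing case.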
@@ -1361,6 +1385,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif index f005d561d..9dbce806a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif @@ -599,7 +599,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -621,8 +621,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.pie_executable" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.pie_executable", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -643,7 +665,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1347,6 +1369,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif index bca9bfeba..511e841b5 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,8 +620,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.relocationsro" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.relocationsro", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +664,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1346,6 +1368,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif index 981a94409..2d35041d9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif @@ -598,8 +598,30 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.relocationsrw" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.relocationsrw", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3010", + "ruleIndex": 26, "level": "error", "message": { "id": "Error", @@ -620,7 +642,7 @@ }, { "ruleId": "BA3011", - "ruleIndex": 26, + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -641,7 +663,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1345,6 +1367,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif index 57b5ec774..67f585624 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif @@ -618,7 +618,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -640,7 +640,7 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, "kind": "pass", "level": "none", @@ -662,10 +662,32 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA3011", "ruleIndex": 28, "kind": "pass", "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.requiredsymbol.4.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.requiredsymbol.4.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3030", + "ruleIndex": 29, + "kind": "pass", + "level": "none", "message": { "id": "Pass_NoCheckableFunctions", "arguments": [ 
@@ -1390,6 +1412,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif index f2689338c..2d53afcf2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif @@ -619,7 +619,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 26, "kind": "pass", "level": "none", @@ -641,7 +641,7 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 27, "kind": "pass", "level": "none", @@ -663,10 +663,32 @@ ] }, { - "ruleId": "BA3030", + "ruleId": "BA3011", "ruleIndex": 28, "kind": "pass", "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.requiredsymbol.5.o" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.requiredsymbol.5.o", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3030", + "ruleIndex": 29, + "kind": "pass", + "level": "none", "message": { "id": "Pass_NoCheckableFunctions", "arguments": [ 
@@ -1391,6 +1413,28 @@ }, "name": "EnableStackClashProtection" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif index 3fa4534e5..209bf7a18 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif @@ -599,7 +599,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -621,8 +621,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.shared_library.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.shared_library.so", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -643,7 +665,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1347,6 +1369,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif index 262ed91a8..725fc20e5 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,8 +620,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.stack_protector" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.stack_protector", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +664,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1346,6 +1368,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif index f7582bd05..9b7062411 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif @@ -599,7 +599,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -621,8 +621,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.stack_protector.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.stack_protector.so", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -643,7 +665,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1347,6 +1369,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif index 8c444a0a4..a9f0752e0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif @@ -598,7 +598,7 @@ ] }, { - "ruleId": "BA3010", + "ruleId": "BA3006", "ruleIndex": 25, "kind": "pass", "level": "none", @@ -620,8 +620,30 @@ ] }, { - "ruleId": "BA3011", + "ruleId": "BA3010", "ruleIndex": 26, + "kind": "pass", + "level": "none", + "message": { + "id": "Pass", + "arguments": [ + "gcc.unfortified" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.unfortified", + "index": 0 + } + } + } + ] + }, + { + "ruleId": "BA3011", + "ruleIndex": 27, "level": "error", "message": { "id": "Error", @@ -642,7 +664,7 @@ }, { "ruleId": "BA3030", - "ruleIndex": 27, + "ruleIndex": 28, "level": "error", "message": { "id": "Error", 
@@ -1346,6 +1368,28 @@ }, "name": "EnableStackProtector" }, + { + "id": "BA3006", + "fullDescription": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3006EnableNonExecutableStack", + "help": { + "text": "This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this." + }, + "messageStrings": { + "Pass": { + "text": "The enable non-executable stack flag was present, so '{0}' is protected." + }, + "Error": { + "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
+ } + }, + "name": "EnableNonExecutableStack" + }, { "id": "BA3010", "fullDescription": { 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.execstack.5.o new file mode 100644 index 0000000000000000000000000000000000000000..769c3917f5057d4aa1b2bdc6d01e13d3da514f96 GIT binary patch literal 17656 zcmeHOYit}>6~5!O<4v5bUomkWG?O$HNz+|Fnz)V|C%b-SO`QjcO;eF{y51ez8}?y# zXB#^TC18kZwWdKTf*&AIE8hJCy}Nd*;Ap~4{2x`9-N(k$oPIcGgH z-c2a*2WhUnbME=>`Odv_=FZH$o_jyhJJ46AD1wtm>=CFPsxgru6}0cB42Ym;7pvfS zr`Rl(fnF{#vpi@DC^gfSGQ0E=?g5FsM$8nE8%$WRjLW+)6x_RvyM?-f!~eJMB`XxNIfKJXDb<0;WA&4l|LQrTSQMJTWHt zYo~ZRrD}Q+ES-!M!Dox72b>z!@ znCdHa9cn24EGfLADG?uT+tHMW`4jO}Zo)s&-sW%H5y++kt+IY>7uJD&YTtn&0d8gy zqcF;Av6^%&@5rWKSrPcv(No5&XTP;QI^Cju`*Z9A>qHw&$mcGBI_9wsw2}Qnd=hfh zmqA|Ef1Z>;i9*C8Xy7y4q`TpelqPf;ASfKls@p*FK4VvYQvwmf- ziQ~1x`Z!&+;M^uGo3r5DcMzYq;Cv4tzF@(zU%1JQfExif0&WD{2)Ge&Bj85Bjlg?} zz+bEH_(yo^FW&GI6|Xc25&q1qQI`Kjc6b%8{nIx>gQ4kv4uxm@PXl~pVB5PG z0ZUo#2l!$-=-@ugh zp8N4TA%3&kFrUvSK;8rLX^^`?J_m9DBz_y*{Z>Bz0?6k;u7p`Ve&fWXoH{I&i5g}7 z%1ZA!!tvYv{G0haPPRo)rTlWX1+qKf_f5bh;H&BLHGZ(V>ZJFK*t@Rd?t8b$&xz>w z82rw$9po_~Zouzxz^&hdVTv!Fgx@%{QwJ&fd^Jy%_4^t>>*@8WGv&R$txs0;_?piy z3;WuqD);$Zak6BZvQiR(=J`#d2xU&6o)L!@!EOm|_OdF;CGL`?GbZ!^9|KAB- zAO2r@&6FCprQ3&rEboFdB0E8;2mmw-~M z+~upU^7z*KhSt<7HEUpbZ$R0**5m7_y1!~yReyc0Qdb#lJhfJ-2M;@h$IAs9pjVY| z5mi-tsyx`fC{`i5(Y^AHZxtNn4hd+r(lnM%>P?C4c++?$eL{~K*`_f)kw~9RXA&_X z7W0AV__$mFT%m~NWqca-73B|9D9h^0Jm3`8e5>8tx3}ytBdYq7MlPjyj_N5r6OV!# z$wbFG&6Ve>e-!>=CnK2=|4!9^uvPVsM6#2q=vXG5O6RivT{;UCp;DZXHiAZ*gi{t4O6hucXy13aJEM6D<< zir0x?QM_L8d%^0>1OK(-_kkUUr+1O(mq)y>@cg#h!#y3eB4*wLZ-bhmIKQpz9FO3) zloRK-nG@%?m=k}$9U#pk_$^{D_K1yk05p6OmW#LY&H}uw#c*t4ned4-j_ZysLHxT8 zyqR!*--9Ys9~|NCD#Q)jfeCk^C`GQsLj0N40C-*5())A|;%sD*$H|ZLzBmE6YO&+&B;d7WYXraV z89$3SK75Eo!x!;+!0~*8biO(f&V#Ih{?iyFfJBt+4^cmCBK&KBqrLM!eV+Z3J--pY z4>-2dY5xTax`OPjT|hfi;BfvMw*e-qPWi}3ww-WX>Bx-9*!im z7`!*LS|m3iqUq##LO1kSpuM@RxwsMTaEfb@OeQj^=_w;KDMm7pq^`ws$>bzZESd(E 
zhRsyd`VNQo_iDWddNkPCWH*Qjt>>Wwq5b{c_7b^;3LqFqXuVSO(QHmO_10Uh^jO4*FlBMCRxoJWtfirqxgiT|?YpzIST?PV zMN%=`xz&FVtYYz$mdomJI*TpANPs?^&5|2ASkN@s_{G7%9brYcdD%CX*_$Q;*~ugf zhCmt_Q;u;ChKqV;Tm(`uHVTZUase16jq4d>(gF?V;;{EG9wR8!)el3fQ6bI8VCWw;U@-$3j4AVZJk4^J47q;i`F{b*@tn9EUwtx>bdCg_ z*AM5eR=!F+mh6taI^BzB9DE+fv%DSuI}U!32rP4s3+D9qyo1m40+#%LA8x<%{C`0F z!k9!QOOj4|)>;0T_;U2UW9#o1IBaXSK}S-O5a9%3F}$FGA8nlPXL z-!)4Et{{|I6Z2UvK%tc{f@IxnO0I{{CFgS!3eXqV&*QWj;&VOBr_*6ocmP0*%nLa4 z?=B!_hWRXU?Fr|trXA$a>DOtC<8>#7eohea5vx<#u%r0<4sl=heT%|bwN{2}}<{&s!@h>cfqX7T_ literal 0 HcmV?d00001 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/gcc.helloworld.noexecstack.5.o new file mode 100644 index 0000000000000000000000000000000000000000..47d29c3f3772e5d676bde5a44a84c89b72c35db3 GIT binary patch literal 17656 zcmeHOYit}>6~5#3#+y1>zhdG%XeMbYoTj^e)N!3OPImpunmP{>o1`M?WW76HZ`g;~ zoo(VMlu$!et2ND!qVfX-YQ;mMLi7iZKM04E5LJQ_36&r~M1`mZk=6~QGL&XH=gv9n zo$+p>0)LR^$~)(t@1F16J7@09-0QjbGyOvY6^bG_xx_Ak+JRaV2~a`TPRf7?h%T`b zj`xU7Vj1X_5;MyKrhrm2U8%5258*D5$ZNt(3Ax^c1xs!rO5~MGm)vFvOF`#>JXu6K z<1Bwl6|iKyP@hUQ+GI2FSQhgzHuFA{H{WfQD#fLlB=b;3p75LYa5>CGa+d02$??RP z;IE6~X_u<$MX%esAni2g^>N`NZN>#cMcFEn0CD->c;K{g{v^yU8 zG9RS+%3X(Aia$#VuV_icM>{)O5>a0wp30r_o$BiJb$0l(X@9${8{36-V4vEvZ$yBb zS;Q!e@>;AS9m}tMr>_07{`}$G&yK%2Q+596x!HZq>;vmW8%)UOE`d7cu@1B`&;PTK zqrMFCvi^&t1j-z`09Q+ttp%*U1U?LyS^|%h!K(q^RKi|B{2~~xPN8X$Q(yd5j->(-#29kF$gPbp$LQWqZRh)w?~B$tvtWVlTgK}&V2{*`68U}0mK)IaO@XOaw6bFz=?np0Ve`Z1e^#s5pW{# zK_c+Cn!EoQn)<6J^tAgoEkcAoKWkLve;Jy3#dATr$!~iB;2ZgSUj$LJL7+WoKayIX zkb2wfg|V6qpOf}j-gbR(`tqZp={G`Cf0{oqJT&7TfT3_`X60*O5}N70l!w$f3NHSB z4%BJLgl61NpxC}(G(uB$VIG>YJb$%j!&!8Efh5>JBJH;wM6u;oXnH<${;l1i^9!z! zaxrxImaz&PG?D{P{wg#L+R1!u-`Q>~7P+k>p{ed0IMEJGUo%#Op6-4Zl({v~y16JE zF1oLSt{eldh5zT1P)O}Tf5F2;Gus$}vcS8JTwSGRIPk_81zsxbvNS{uPiffm{Kzdi=(TNjZH`D5q+b zbt|eo=LpAd_w#S(^ElZSeO2|PrmFUM11WD;(AygHHured9&b~Rx33Y@1@te0ALsiT2GU7R1e^#s5pW{l zM8JuF69FdzP6V6?{J%zk*ERAwMqZ=Has{6lt#e#S`VVP6z2rL5c^xFKE5*d? 
zCUFjkiOX-^%BNBP8ZCC@Io6R%M0t&?5SOU@E)y1?CW-4!F*TV&G?HXNG%-u-BzcbL zp^CU2vqXSJpfa()yGdue_wr_YAwCjHui(>Ya92L;R+cqXxWFl_`Br=E`%`7lXg($#7=Ow@vl!Z&!U|;p}88GM-7N(z&cJmpU0wMSTXYl+HpStgnuI z(g%$+ppof}FKd7y_@IJFBAgxP;&?g*1(C5LUEKCWi_Te|=WUIJT;vTghs$qvl`0NL zxxNCnkRV2d{UIh|9$oN1E8gE=#a)8;FIe$Pai+u#=z<3EbI5AHtnmD?;#Gp5Q&!v~ z_+YrF2)62!l2 z!&?dG_dTdG4ZsoZu0q_f9hh(zic;cwodF#E^Y{U6F+Bx8MJ&DU<=X#EXp{pTX!3cmeq{pU5ZxA((0B)+si-;{oq_P4J>Kq|!2`>`7EdW|{3a#&veZjqhz19-Bg$f`TM`-;a@(}7fD6~C8`+I^z z+WvuoL;b_raIj~nAHB+rSCMQ^Hud&ft@LQv2s34IuT~&n*{r3ZmAN4cY^}Sqv}iW1 zjfYcF+_^QlAFQJBl$Oita5{@E!AO8Un$40MIats%*!ac4z#U;Fw|QANmRXx7{MpGQ z42D1&8B>mP4u*?*W1sxYOIF-soPGg%l+SriS*GI}D61mTzG>z_y%0uTOJ8Zw4{3Xa%)z%nfZ@7Kqv z!;D9P&zi|MdydKAJU9<0;}K{MUN=9)Q~06RCZQ(+rjO=gU>Q!upo^0lPmQHHA08de z=#Q}mJ05k;L(DjvNyQSdDKA^kK92`k zs>Q~THwT`JU?*gY`A4XJmYWw%WsaYR3=i7)JicV9vLQ)3|1jY1!rYMC&*M;*Tt9x3 z#bj@P7%-d*GoRTCs@ot24l*69#6BJB}1;?e*VuxIi3@j$2ynrSD--p|8KmQ*P zzc40I$&#eqo^_T#CO%(3o@cP!N$yxMkM*D1_yN@{VL8W!B>DO?{A~ z#O?O1v-~4)Yl`?hzgh4B2#M`XZBb|ZZ79IL$MqM+vA7)p(kxv+9uF~(uj4ns22GgH z|L>Zm0apOZiWBo$E<;`O@$Kh%hWOXZ@cBH3%G4ikH;Jpu@EJxweD5-b@+|R>(}Q&*U@6`#GeYo|`mUkP=ZwBFK!9D>(p$9B$%lI;2OEL{?lIBgJ3Hs`ywea(I8 zZm-ypC_yf$E(!QAn!hShh%gd}s1hiDwF!w5{wbsq0wk!YszwA_f(rzdkK}l7X5QW2 z`qET<{lkv5`{w=T{oc&Hot>S%+xh%RWYni9jFOM-W~gaR28YC%v6UTMl~|B9FoU(T zhuM9A)WBiz5|koGa@HpbNY+a`6(sVOW%;tt01b5m1>4NeWl1eWiM(<$WL8QlB-td2 zkyndZsWaI>l4oTFB+0H+pN3>en!yFh6`?VbP9DZ)LKg-TyA7Tp`3qU!n^F=F!-2eG zl6Oqu}uwi~KOSHu_aovt%zD7e0rBNY!xyBet;(ZEu zb+YWk2nzcFS>N5_a!&S-B!#CdnV9PD?MlWwlZkX;u5&Kf-`U@*=QDZ_@ArCW1dge( zeTUeqFCO2RkG=5P+1Eb#(m>xE%X?xkAIElM8_*xxU_yHtE{KsZ3gyn&3&aRDl*^8!4WJ z2NP?s>>*j#${vH~a11&7^1cJ7K1+%xya;#^@FL(vz>9zv0WShx1iT1%5%@oez@Hi) z{#$tA-TLsCYk%9tSon(rQ9KU*Dso7xR zs~0sct~P-vZg>gke_lfSOVfH|`?H+BbiTs?(_MJBThAkgRjhdxf#RFfOP8k0#*OU; zdxhJ7;U*W0E8&Yb_k=ILuZEQ?;n(lj%_R?Y(u13i^`G3e7uv!Kt%t&k*KeFC7K>ME zcLJguxwNW2w14OMavQoYI9lJ>&agc6MCA0YM>`n{JwCqpv(TaO#ap4t(BeN1g->^` z2l!xQ%WaI|jqlwl7Q+{Bt9E<$FB{uWVs9ghe~c{N9A5lQsJQ;u;e|^|c;Jn~?=Zff 
zITCs@bR={%WIFr6;|DyH{JNB`1bXw57XdEAV55utp_2B=oln{Foj^_Zk5FGV4 zebqPaZ~KZm;@3{sjQBfF)eiduU%D^s4=&V=`Hi$c81e@~{*FPvHt25~^fwLq>v=oA z3G{Q|hw4OkUh*Q~MZk-I7XdE6n{SX=spEICm^!3> zzff6FO8lM|Q=1TMgOnubo9AniPxa#aEhhLFmnY)GKf=5{=cGOS8O?P?+QI87*Oz6v zg#TxPzAL|1g=0fQJG72NQ-!o$&<6BvdZ4p=dx5Ln&-4WJK<^d-Gieh`M$j)Tg>X)7K;X>o!!q^b6NBzO}1_8>Fd@9 zdf6nju7o|ya=$OOkkn%EzGN!XEon|Q*8}Xnw5|F zTWeK+(*v9Q%}NUl4xbKS%Y8=M3xgX~|Bi;84dbnQU{I>PZ1Xw-z{6uq_3v(Iz~K@? zkL=@cRutv${&gs@nQ$m<)=DNbpUvcwaXpsJ0t#u3k6PJUtK7fdrvl@@5Vfw^Ov>s? z=CfVdT;?e&X6L)gt#M>|!#>cM@vqYpX`3ZP4?g$|{VDC^a9XPHThnEq;e>czg-ds% zDqh3t)oS*&rTf?EOog2jbe~t^b*$R`rNXR1_hqI18b zG_N_#p|>#WX@(Qxd6oG~`!Ae@Dr;oHs`gEc=E+L?W=8X4CEmiS-R~-EWwdXg(jI=L zgYR_QNrhRltt$QzhTrYDlgb`&LtIx&vutIt%IGQJ#%cC<D^W8_ETUFZzb z*8xXA?l^o`+S3z-eoKEDaBRQZegW-$Rpzl+&d%Ef_!=+9;#SU@N#t!SXWA(b9_Ho#S>|>khh@8<=U__%#0_^oR!SPqPB(J>_p7W zCV*y6<@3@#e;k|U_bkRhWTcFrA@%bZRPR zJxv6GpNBJlm_zppQS`X2_&BxHl zk!XG)s2?&;KCPQ>NQW93O6leg1O69y=b-v&eN`_f4r)KmNA!L}Zudb37rn&qPz_$x zA^Bmhi9M_sC*srl(BpuiDe-B&mX-XVa*Nxmle1y{f%ES$r6$;GGj>6vC>Lhs{5aM%Ae$!{S8%@8?F2)8}yB>5W|m{R=8 z`;7&^SBTP?cm#Y0GT24p)4DjQ35)YWl+F}?0)7A)TV?6P`#X`C~xw+Ee|s9;f}@OY-{B_#hr#$DaciO^8qH_7%BMAUiPOiTEUc z1*nr>THgnRJ>925E8oAwzwYAGda6zG?^Zwgdj~S;i`q}?lMczJddOaegH*oH9x-WN z!ioR65+X9hC;3-^Dep8rD;*wof>ms5fn1G$Tk=Qm!Ee0_f2dm!NAAIImwb2spOgG= z--S1_a>~ JE`m#C{{(xqBclKS literal 0 HcmV?d00001 
diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Fail/gcc.helloworld.execstack.5.o b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Fail/gcc.helloworld.execstack.5.o new file mode 100644 index 0000000000000000000000000000000000000000..769c3917f5057d4aa1b2bdc6d01e13d3da514f96 GIT binary patch literal 17656 zcmeHOYit}>6~5!O<4v5bUomkWG?O$HNz+|Fnz)V|C%b-SO`QjcO;eF{y51ez8}?y# zXB#^TC18kZwWdKTf*&AIE8hJCy}Nd*;Ap~4{2x`9-N(k$oPIcGgH z-c2a*2WhUnbME=>`Odv_=FZH$o_jyhJJ46AD1wtm>=CFPsxgru6}0cB42Ym;7pvfS zr`Rl(fnF{#vpi@DC^gfSGQ0E=?g5FsM$8nE8%$WRjLW+)6x_RvyM?-f!~eJMB`XxNIfKJXDb<0;WA&4l|LQrTSQMJTWHt zYo~ZRrD}Q+ES-!M!Dox72b>z!@ znCdHa9cn24EGfLADG?uT+tHMW`4jO}Zo)s&-sW%H5y++kt+IY>7uJD&YTtn&0d8gy zqcF;Av6^%&@5rWKSrPcv(No5&XTP;QI^Cju`*Z9A>qHw&$mcGBI_9wsw2}Qnd=hfh zmqA|Ef1Z>;i9*C8Xy7y4q`TpelqPf;ASfKls@p*FK4VvYQvwmf- ziQ~1x`Z!&+;M^uGo3r5DcMzYq;Cv4tzF@(zU%1JQfExif0&WD{2)Ge&Bj85Bjlg?} zz+bEH_(yo^FW&GI6|Xc25&q1qQI`Kjc6b%8{nIx>gQ4kv4uxm@PXl~pVB5PG z0ZUo#2l!$-=-@ugh zp8N4TA%3&kFrUvSK;8rLX^^`?J_m9DBz_y*{Z>Bz0?6k;u7p`Ve&fWXoH{I&i5g}7 z%1ZA!!tvYv{G0haPPRo)rTlWX1+qKf_f5bh;H&BLHGZ(V>ZJFK*t@Rd?t8b$&xz>w z82rw$9po_~Zouzxz^&hdVTv!Fgx@%{QwJ&fd^Jy%_4^t>>*@8WGv&R$txs0;_?piy z3;WuqD);$Zak6BZvQiR(=J`#d2xU&6o)L!@!EOm|_OdF;CGL`?GbZ!^9|KAB- zAO2r@&6FCprQ3&rEboFdB0E8;2mmw-~M z+~upU^7z*KhSt<7HEUpbZ$R0**5m7_y1!~yReyc0Qdb#lJhfJ-2M;@h$IAs9pjVY| z5mi-tsyx`fC{`i5(Y^AHZxtNn4hd+r(lnM%>P?C4c++?$eL{~K*`_f)kw~9RXA&_X z7W0AV__$mFT%m~NWqca-73B|9D9h^0Jm3`8e5>8tx3}ytBdYq7MlPjyj_N5r6OV!# z$wbFG&6Ve>e-!>=CnK2=|4!9^uvPVsM6#2q=vXG5O6RivT{;UCp;DZXHiAZ*gi{t4O6hucXy13aJEM6D<< zir0x?QM_L8d%^0>1OK(-_kkUUr+1O(mq)y>@cg#h!#y3eB4*wLZ-bhmIKQpz9FO3) zloRK-nG@%?m=k}$9U#pk_$^{D_K1yk05p6OmW#LY&H}uw#c*t4ned4-j_ZysLHxT8 zyqR!*--9Ys9~|NCD#Q)jfeCk^C`GQsLj0N40C-*5())A|;%sD*$H|ZLzBmE6YO&+&B;d7WYXraV z89$3SK75Eo!x!;+!0~*8biO(f&V#Ih{?iyFfJBt+4^cmCBK&KBqrLM!eV+Z3J--pY z4>-2dY5xTax`OPjT|hfi;BfvMw*e-qPWi}3ww-WX>Bx-9*!im 
z7`!*LS|m3iqUq##LO1kSpuM@RxwsMTaEfb@OeQj^=_w;KDMm7pq^`ws$>bzZESd(E zhRsyd`VNQo_iDWddNkPCWH*Qjt>>Wwq5b{c_7b^;3LqFqXuVSO(QHmO_10Uh^jO4*FlBMCRxoJWtfirqxgiT|?YpzIST?PV zMN%=`xz&FVtYYz$mdomJI*TpANPs?^&5|2ASkN@s_{G7%9brYcdD%CX*_$Q;*~ugf zhCmt_Q;u;ChKqV;Tm(`uHVTZUase16jq4d>(gF?V;;{EG9wR8!)el3fQ6bI8VCWw;U@-$3j4AVZJk4^J47q;i`F{b*@tn9EUwtx>bdCg_ z*AM5eR=!F+mh6taI^BzB9DE+fv%DSuI}U!32rP4s3+D9qyo1m40+#%LA8x<%{C`0F z!k9!QOOj4|)>;0T_;U2UW9#o1IBaXSK}S-O5a9%3F}$FGA8nlPXL z-!)4Et{{|I6Z2UvK%tc{f@IxnO0I{{CFgS!3eXqV&*QWj;&VOBr_*6ocmP0*%nLa4 z?=B!_hWRXU?Fr|trXA$a>DOtC<8>#7eohea5vx<#u%r0<4sl=heT%|bwN{2}}<{&s!@h>cfqX7T_ literal 0 HcmV?d00001 
diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Pass/clang.helloworld.noexecstack.4.o b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Pass/clang.helloworld.noexecstack.4.o new file mode 100644 index 0000000000000000000000000000000000000000..884222d7c9a585adeb5337ed56fcceb75b635c64 GIT binary patch literal 17072 zcmeHOYit}>6~41$$4;G$*LFhPCatHmAcx4~UE6WiiIU9vxt2DGNt`x_CX@B<*xs@) z?amfE5+%q5b=!pc7vv8}P%451B0>TMew2hn3BPD6AwU8|RW%~elDa@pp-q-^?%cCG zJKi)EuRqL{X3jm|J>Pwtd*{xb$NlVBblfLNjDnBtW~ixtokRASv6UTM6LOlh{k)NY+eNd8Kc_o|S@Lw6wW znBW}~Jd(@8o+SAbn~TRK;m=Dx9W>N+6l|2As}gN7OkJ}Q7;jKfL#fxu0j@Ddl6W5n z9@g`N26FoWQQn>Wa#pmDB)O+Im7EzI=uIVhQprqlp=Tj9*fThw6|!0%Z}$eM2#%?V zeTUe)yJv^`)9(#${b9@LADw*p`LDci;4Q2-)&cWF8w_YK+{JNBqw+BQgM=0^YOiCs z1u(S^&Y&G}to9%?42&BEE0(v6bS#-+6Vb`x5u;D*)3!nCTsoT(sRra^*HnTUVjan! z#ruAG8Xy#dCOP68d0`s_|eJIFT#f=OE<&Q;nI7DBBy#b z0DLgI(;Il*xG36&(YG2(bDh3)tMxEyO{d1bGtV&q3n%Rt(bd158@*OPkg; zHRCsF{4R;#?tl7Lxr`6tY_!Rb80P;vVEh|A#F0M=$1;?I-(e{r_Bb5R0B#~UuK1t# zO)8yVl*bhHRKu9keX?;>34CEqLC)M2G_Sn&@l&AcAp0QyfArHW}U<_Bq|JC#lD#>*`6;2|3 zz0gk!-hD!+|D-nwo&IyaU+9O$f6@4?iGk8@-Y#dkF6$`lf4)KHgiik~cMJUHxOfh2>)gi543-koH7r7dIsxP1g2DaER6E^WwEHkG*Y32*bY(@?C zX#p+Rvvq4F@8`7Sx6Y*fi9x zf!DB^`|TliP}KJXNc{Z(1OJ`dsYs7~6<|r4!bItt7?&~58eV`?V*``gq>m^ajk4mu zcazd4wZq`>X#lpb(L299e4niBXxZ5^*|7%(r98kkuO|R&@k} zPndD5&|9sIBg!lGzQ&CIou15CENQpk{m;;z%03RKr3~+yF8OpP#N#q_-SxV718bJ+ z**7w}ew~@guyca0^IE)#)w{lAm^J9SthHau==!e3VYZ-sBaQ?acEhN3@pX*mHHSI0 z7G^zFcS1ZaGo`Zs!kH+uRu-yj?`Jem*4no*njdTNc2@6tmstm+eFL@j@Rkn#({TqG zX2s6B_=gz&x8n{nyVnhIU9QZswaGH0yMP;~+24)RU80KP1=zseE>{sdhW8&I^w%+0 ze<=cAcHs{RobG3KE{tu5h{USx#quzW!y&QN{!asrF&qVfY+=4 zo!Z4`Hy9^x))^=D^7%d%4&}PX$z?z#wtAerEbQI&e2wF)$L&p?&+75h0u5*fKP(GB z(7V|Yz|}hAY7^joz}@3&Bj)26&F}Mo6e<7%S>pYz+j-hkujUhB#l@;A6qocjFn$xv-w!sG!n&h zdJ!lN%>YZQ#%NUD@ z93rC!m@yIEKOBx4`^U!*j!hfW;o;~Q=F0bF#S2AVb7q){m=zoCpcylT zg2eht%G+|DVsP6w^EswvvX-gMWs2HNF$vq~k_iEYhbMci 
z*c{_&^RdD_(-Mmr$j_Em-cAuKxf;cQG^lF~2~6YF*DQ0vVj6Ziq-DA1G;>~b@_Ygq zq}dF+w`~T+A-h;Q8Hcj6kQbb^TnZv~X5a>d0!vt(+4(DYTpVp_R+iVkh9w&mk{4WW9I~l0D9aC-LwkMq=e{}3e*)ZA2cOnYhsAzv zvI7$yNGJI-K(X(sd|Hpwe(z<`e>6UbNB#Iq;GzlfY2Cge77AnsCOin7JMp)?1ei><@@Xr6Xq41_@AjD zc7*sO{|+$4ou)5}3=ccOI<}2KuE)P6_~Uoscie$L610h9cj0#lzPtU;2>!S3z^6K+ zq-)P<8tSvPt777M0Ms5hs6S|2;QKA=JDXvjn?tsIi3$>lE)~|!_4${FY{JJ}1eePG E31gxo_W%F@ literal 0 HcmV?d00001 
diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Pass/gcc.helloworld.noexecstack.5.o b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestsData/BA3006.EnableNonExecutableStack/Pass/gcc.helloworld.noexecstack.5.o new file mode 100644 index 0000000000000000000000000000000000000000..47d29c3f3772e5d676bde5a44a84c89b72c35db3 GIT binary patch literal 17656 zcmeHOYit}>6~5#3#+y1>zhdG%XeMbYoTj^e)N!3OPImpunmP{>o1`M?WW76HZ`g;~ zoo(VMlu$!et2ND!qVfX-YQ;mMLi7iZKM04E5LJQ_36&r~M1`mZk=6~QGL&XH=gv9n zo$+p>0)LR^$~)(t@1F16J7@09-0QjbGyOvY6^bG_xx_Ak+JRaV2~a`TPRf7?h%T`b zj`xU7Vj1X_5;MyKrhrm2U8%5258*D5$ZNt(3Ax^c1xs!rO5~MGm)vFvOF`#>JXu6K z<1Bwl6|iKyP@hUQ+GI2FSQhgzHuFA{H{WfQD#fLlB=b;3p75LYa5>CGa+d02$??RP z;IE6~X_u<$MX%esAni2g^>N`NZN>#cMcFEn0CD->c;K{g{v^yU8 zG9RS+%3X(Aia$#VuV_icM>{)O5>a0wp30r_o$BiJb$0l(X@9${8{36-V4vEvZ$yBb zS;Q!e@>;AS9m}tMr>_07{`}$G&yK%2Q+596x!HZq>;vmW8%)UOE`d7cu@1B`&;PTK zqrMFCvi^&t1j-z`09Q+ttp%*U1U?LyS^|%h!K(q^RKi|B{2~~xPN8X$Q(yd5j->(-#29kF$gPbp$LQWqZRh)w?~B$tvtWVlTgK}&V2{*`68U}0mK)IaO@XOaw6bFz=?np0Ve`Z1e^#s5pW{# zK_c+Cn!EoQn)<6J^tAgoEkcAoKWkLve;Jy3#dATr$!~iB;2ZgSUj$LJL7+WoKayIX zkb2wfg|V6qpOf}j-gbR(`tqZp={G`Cf0{oqJT&7TfT3_`X60*O5}N70l!w$f3NHSB z4%BJLgl61NpxC}(G(uB$VIG>YJb$%j!&!8Efh5>JBJH;wM6u;oXnH<${;l1i^9!z! zaxrxImaz&PG?D{P{wg#L+R1!u-`Q>~7P+k>p{ed0IMEJGUo%#Op6-4Zl({v~y16JE zF1oLSt{eldh5zT1P)O}Tf5F2;Gus$}vcS8JTwSGRIPk_81zsxbvNS{uPiffm{Kzdi=(TNjZH`D5q+b zbt|eo=LpAd_w#S(^ElZSeO2|PrmFUM11WD;(AygHHured9&b~Rx33Y@1@te0ALsiT2GU7R1e^#s5pW{l zM8JuF69FdzP6V6?{J%zk*ERAwMqZ=Has{6lt#e#S`VVP6z2rL5c^xFKE5*d? 
zCUFjkiOX-^%BNBP8ZCC@Io6R%M0t&?5SOU@E)y1?CW-4!F*TV&G?HXNG%-u-BzcbL zp^CU2vqXSJpfa()yGdue_wr_YAwCjHui(>Ya92L;R+cqXxWFl_`Br=E`%`7lXg($#7=Ow@vl!Z&!U|;p}88GM-7N(z&cJmpU0wMSTXYl+HpStgnuI z(g%$+ppof}FKd7y_@IJFBAgxP;&?g*1(C5LUEKCWi_Te|=WUIJT;vTghs$qvl`0NL zxxNCnkRV2d{UIh|9$oN1E8gE=#a)8;FIe$Pai+u#=z<3EbI5AHtnmD?;#Gp5Q&!v~ z_+YrF2)62!l2 z!&?dG_dTdG4ZsoZu0q_f9hh(zic;cwodF#E^Y{U6F+Bx8MJ&DU<=X#EXp{pTX!3cmeq{pU5ZxA((0B)+si-;{oq_P4J>Kq|!2`>`7EdW|{3a#&veZjqhz19-Bg$f`TM`-;a@(}7fD6~C8`+I^z z+WvuoL;b_raIj~nAHB+rSCMQ^Hud&ft@LQv2s34IuT~&n*{r3ZmAN4cY^}Sqv}iW1 zjfYcF+_^QlAFQJBl$Oita5{@E!AO8Un$40MIats%*!ac4z#U;Fw|QANmRXx7{MpGQ z42D1&8B>mP4u*?*W1sxYOIF-soPGg%l+SriS*GI}D61mTzG>z_y%0uTOJ8Zw4{3Xa%)z%nfZ@7Kqv z!;D9P&zi|MdydKAJU9<0;}K{MUN=9)Q~06RCZQ(+rjO=gU>Q!upo^0lPmQHHA08de z=#Q}mJ05k;L(DjvNyQSdDKA^kK92`k zs>Q~THwT`JU?*gY`A4XJmYWw%WsaYR3=i7)JicV9vLQ)3|1jY1!rYMC&*M;*Tt9x3 z#bj@P7%-d*GoRTCs@ot24l*69#6BJB}1;?e*VuxIi3@j$2ynrSD--p|8KmQ*P zzc40I$&#eqo^_T#CO%(3o@cP!N$yxMkM*D1_yN@{VL8W!B>DO?{A~ z#O?O1v-~4)Yl`?hzgh4B2#M`XZBb|ZZ79IL$MqM+vA7)p(kxv+9uF~(uj4ns22GgH z|L>Zm0apOZiWBo$E<;`O@$Kh%hWOXZ@cBH3%G4ikH;Jpu@EJxweD5-b@+|R>(}Q&*U(), bypassExtensionValidation: true); } + [Fact] + public void BA3006_EnableNonExecutableStack_Pass() + { + this.VerifyPass(new EnableNonExecutableStack(), bypassExtensionValidation: true); + } + + [Fact] + public void BA3006_EnableNonExecutableStack_Fail() + { + this.VerifyFail(new EnableNonExecutableStack(), bypassExtensionValidation: true); + } + + [Fact] + public void BA3006_EnableNonExecutableStack_NotApplicable() + { + this.VerifyApplicability(new EnableNonExecutableStack(), new HashSet(), bypassExtensionValidation: true); + } + [Fact] public void BA3010_EnableReadOnlyRelocations_Pass() { From 64ecdd72e63c92c193d542d452c8268268052709 Mon Sep 17 00:00:00 2001 
From: Shaopeng Li Date: Fri, 4 Jun 2021 14:31:49 -0700 Subject: [PATCH 2/4] fix the error text --- .../BA3006.EnableNonExecutableStack.cs | 6 +- src/BinSkim.Rules/RuleResources.Designer.cs | 24 +- src/BinSkim.Rules/RuleResources.resx | 1048 ++++++++--------- .../Expected/BinSkim.win-x64.ni.dll.sarif | 20 +- .../Expected/BinSkim.win-x86.ni.dll.sarif | 20 +- .../Expected/Binskim.linux-x64.dll.sarif | 16 +- .../Expected/Binskim.win-x64.RTR.dll.sarif | 20 +- .../Expected/Binskim.win-x64.dll.sarif | 16 +- .../Expected/Binskim.win-x86.RTR.dll.sarif | 20 +- .../Expected/Binskim.win-x86.dll.sarif | 16 +- ...ore_RTR_linux-x64_VS2019_Default.dll.sarif | 20 +- ...tCore_RTR_win-x64_VS2019_Default.dll.sarif | 20 +- ...tCore_RTR_win-x86_VS2019_Default.dll.sarif | 20 +- ...NetCore_linux-x64_VS2019_Default.dll.sarif | 20 +- ...otNetCore_win-x64_VS2019_Default.dll.sarif | 20 +- ...otNetCore_win-x64_VS2019_Default.exe.sarif | 20 +- ...otNetCore_win-x86_VS2019_Default.dll.sarif | 20 +- ...InteropAssemblyForAtlTestLibrary.dll.sarif | 16 +- .../Expected/ManagedResourcesOnly.dll.sarif | 16 +- ...aged_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif | 20 +- ...anaged_AnyCPU_VS2017_Prefer32Bit.exe.sarif | 20 +- .../Managed_x64_VS2015_FSharp.exe.sarif | 20 +- .../Expected/Managed_x86_VS2013_Wpf.exe.sarif | 20 +- .../Managed_x86_VS2015_FSharp.dll.sarif | 20 +- .../MixedMode_x64_VS2013_Default.dll.sarif | 20 +- .../MixedMode_x64_VS2013_NoPdb.exe.sarif | 2 +- .../MixedMode_x64_VS2015_Default.exe.sarif | 20 +- .../MixedMode_x86_VS2013_Default.exe.sarif | 20 +- .../MixedMode_x86_VS2013_MissingPdb.dll.sarif | 2 +- .../MixedMode_x86_VS2015_Default.exe.sarif | 20 +- ...ve_ARM_VS2015_CvtresResourceOnly.dll.sarif | 16 +- .../Native_x64_VS2013_Default.dll.sarif | 20 +- ...ve_x64_VS2015_CvtresResourceOnly.dll.sarif | 16 +- .../Native_x64_VS2015_Default.dll.sarif | 20 +- ...ve_x64_VS2019_Atl_NoPdbGenerated.dll.sarif | 2 +- .../Native_x86_VS2013_Default.exe.sarif | 20 +- .../Native_x86_VS2013_PdbMissing.exe.sarif 
| 2 +- .../Native_x86_VS2013_ResourceOnly.dll.sarif | 20 +- ...Native_x86_VS2015_AtlProxyStubPS.dll.sarif | 20 +- ...ve_x86_VS2015_CvtresResourceOnly.dll.sarif | 16 +- .../Native_x86_VS2015_Default.exe.sarif | 20 +- .../Native_x86_VS2015_Default_Debug.dll.sarif | 20 +- ...ve_x86_VS2017_15.5.4_PdbStripped.dll.sarif | 2 +- .../Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif | 20 +- .../Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif | 2 +- .../Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif | 2 +- .../Expected/Uwp_ARM_VS2017_VB.dll.sarif | 20 +- ...wp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif | 20 +- .../Uwp_x64_VS2015_DefaultBlankApp.dll.sarif | 2 +- .../Uwp_x64_VS2015_DefaultBlankApp.exe.sarif | 2 +- .../Expected/Uwp_x64_VS2017_Cpp.dll.sarif | 20 +- .../Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif | 20 +- .../Uwp_x86_VS2015_DefaultBlankApp.dll.sarif | 2 +- .../Uwp_x86_VS2015_DefaultBlankApp.exe.sarif | 2 +- .../Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif | 20 +- .../Wix_3.11.1_VS2017_Bootstrapper.exe.sarif | 20 +- .../Expected/clang.default_compilation.sarif | 20 +- .../Expected/clang.execstack.sarif | 20 +- .../Expected/clang.execstack.so.sarif | 20 +- .../Expected/clang.immediate_binding.sarif | 20 +- .../Expected/clang.no_immediate_binding.sarif | 20 +- .../Expected/clang.no_stack_protector.sarif | 20 +- .../Expected/clang.noexecstack.sarif | 20 +- .../Expected/clang.noexecstack.so.sarif | 20 +- .../Expected/clang.non_pie_executable.sarif | 20 +- .../Expected/clang.object_file.o.sarif | 20 +- .../Expected/clang.pie_executable.sarif | 20 +- .../Expected/clang.relocationsro.sarif | 20 +- .../Expected/clang.relocationsrw.sarif | 20 +- .../Expected/clang.shared_library.so.sarif | 20 +- .../Expected/clang.stack_protector.sarif | 20 +- .../Expected/clang.stack_protector.so.sarif | 20 +- .../Expected/gcc.default_compilation.sarif | 20 +- .../Expected/gcc.execstack.sarif | 20 +- .../Expected/gcc.execstack.so.sarif | 20 +- .../Expected/gcc.fortified.sarif | 20 +- 
...oworld.4.o.no-stack-clash-protection.sarif | 20 +- ...oworld.5.o.no-stack-clash-protection.sarif | 20 +- .../gcc.helloworld.execstack.5.o.sarif | 20 +- .../Expected/gcc.helloworld.nodwarf.sarif | 20 +- .../gcc.helloworld.noexecstack.5.o.sarif | 20 +- .../Expected/gcc.immediate_binding.sarif | 20 +- .../gcc.no_fortification_required.sarif | 20 +- .../Expected/gcc.no_immediate_binding.sarif | 20 +- .../Expected/gcc.no_stack_protector.sarif | 20 +- .../Expected/gcc.noexecstack.sarif | 20 +- .../Expected/gcc.noexecstack.so.sarif | 20 +- .../Expected/gcc.non_pie_executable.sarif | 20 +- .../Expected/gcc.object_file.o.sarif | 20 +- .../Expected/gcc.pie_executable.sarif | 20 +- .../Expected/gcc.relocationsro.sarif | 20 +- .../Expected/gcc.relocationsrw.sarif | 20 +- .../Expected/gcc.requiredsymbol.4.o.sarif | 20 +- .../Expected/gcc.requiredsymbol.5.o.sarif | 20 +- .../Expected/gcc.shared_library.so.sarif | 20 +- .../Expected/gcc.stack_protector.sarif | 20 +- .../Expected/gcc.stack_protector.so.sarif | 20 +- .../Expected/gcc.unfortified.sarif | 20 +- 98 files changed, 1374 insertions(+), 1374 deletions(-) diff --git a/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs b/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs index 3d9136ad1..6324f961c 100644 --- a/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs +++ b/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs 
@@ -58,9 +58,9 @@ public override void Analyze(BinaryAnalyzerContext context) if ((elfBinary.GetSegmentFlags(ELFSegmentType.PT_GNU_STACK) & SegmentFlags.Execute) != 0) { - // The non-executable stack is not enabled from this binary, - // so '{0}' can have vulnerability of execution of the data written on the stack. - // Ensure you are compiling with the compiler flags '-z noexecstack' to address this. + // The non-executable stack is not enabled for this binary, + // so '{0}' can have a vulnerability of execution of the data written on the stack. + // Ensure you are compiling with the flag '-z noexecstack' to address this. context.Logger.Log(this, RuleUtilities.BuildResult(FailureLevel.Error, context, null, nameof(RuleResources.BA3006_Error), diff --git a/src/BinSkim.Rules/RuleResources.Designer.cs b/src/BinSkim.Rules/RuleResources.Designer.cs index 4bdb419ab..e51aaacb2 100644 --- a/src/BinSkim.Rules/RuleResources.Designer.cs +++ b/src/BinSkim.Rules/RuleResources.Designer.cs @@ -133,7 +133,7 @@ internal static string BA2004_Error_Managed { } /// - /// Looks up a localized string similar to '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: + /// Looks up a localized string similar to '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: ///{1}. /// internal static string BA2004_Error_NativeWithInsecureDirectCompilands { 
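Review bot: The test `(elfBinary.GetSegmentFlags(ELFSegmentType.PT_GNU_STACK) & SegmentFlags.Execute) != 0` reports an error only when a PT_GNU_STACK header exists and has the execute bit set, so a binary with no PT_GNU_STACK header is not treated as a separate case. When that header is missing, the loader falls back to a platform default that can be an executable stack. If GetSegmentFlags returns zero for a missing segment (its body is not in this hunk, so this is an assumption), such a binary would be logged as Pass. Consider handling the missing-header case explicitly, or at least record the decision next to the condition, e.g. `// NOTE: a missing PT_GNU_STACK header is not flagged here; the loader default may still be an executable stack.` Analyze starts and ends outside this hunk, so an earlier guard may already cover this.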
@@ -152,7 +152,7 @@ internal static string BA2004_Pass { } /// - /// Looks up a localized string similar to '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: + /// Looks up a localized string similar to '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: ///{1}. /// internal static string BA2004_Warning_NativeWithInsecureStaticLibraryCompilands { 
@@ -270,7 +270,7 @@ internal static string BA2007_EnableCriticalCompilerWarnings_Description { } /// - /// Looks up a localized string similar to '{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2} + /// Looks up a localized string similar to '{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2} ///Modules triggering this check: {3}. /// internal static string BA2007_Error_InsufficientWarningLevel { 
@@ -289,8 +289,8 @@ internal static string BA2007_Error_UnknownModuleLanguage { } /// - /// Looks up a localized string similar to '{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1} - ///Modules tr [rest of string was truncated]";. + /// Looks up a localized string similar to '{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1} + ///Modules tri [rest of string was truncated]";. /// internal static string BA2007_Error_WarningsDisabled { get { @@ -884,7 +884,7 @@ internal static string BA2024_Warning_DeprecatedMitigationEnabled { } /// - /// Looks up a localized string similar to The following MASM modules were detected. The MASM compiler does not currently mitigate against speculative execution attacks: + /// Looks up a localized string similar to The following MASM modules were detected. The MASM compiler does not currently mitigate against speculative execution attacks: ///{0}. /// internal static string BA2024_Warning_MasmModulesDetected { 
@@ -894,7 +894,7 @@ internal static string BA2024_Warning_MasmModulesDetected { } /// - /// Looks up a localized string similar to The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations: + /// Looks up a localized string similar to The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations: ///{0}. /// internal static string BA2024_Warning_OptimizationsDisabled { @@ -904,7 +904,7 @@ internal static string BA2024_Warning_OptimizationsDisabled { } /// - /// Looks up a localized string similar to The following modules were compiled with Spectre mitigations explicitly disabled: + /// Looks up a localized string similar to The following modules were compiled with Spectre mitigations explicitly disabled: ///{0}. /// internal static string BA2024_Warning_SpectreMitigationExplicitlyDisabled { @@ -914,7 +914,7 @@ internal static string BA2024_Warning_SpectreMitigationExplicitlyDisabled { } /// - /// Looks up a localized string similar to The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: + /// Looks up a localized string similar to The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: ///{0}. /// internal static string BA2024_Warning_SpectreMitigationNotEnabled { 
@@ -1113,7 +1113,7 @@ internal static string BA3006_EnableNonExecutableStack_Description { } /// - /// Looks up a localized string similar to The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this.. + /// Looks up a localized string similar to The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this.. /// internal static string BA3006_Error { get { @@ -1266,7 +1266,7 @@ internal static string NotApplicable_PlatformUnsupported { } /// - /// Looks up a localized string similar to Could not locate the PDB for '{0}'. Probing details: + /// Looks up a localized string similar to Could not locate the PDB for '{0}'. Probing details: ///{1}. /// internal static string PdbLoadFailed { @@ -1276,7 +1276,7 @@ internal static string PdbLoadFailed { } /// - /// Looks up a localized string similar to The PDB for '{0}' was found and loaded. Probing details: + /// Looks up a localized string similar to The PDB for '{0}' was found and loaded. Probing details: ///{1}. /// internal static string PdbLoadSucceeded { diff --git a/src/BinSkim.Rules/RuleResources.resx b/src/BinSkim.Rules/RuleResources.resx index bc6b74d25..6f2e7a8d9 100644 --- a/src/BinSkim.Rules/RuleResources.resx +++ b/src/BinSkim.Rules/RuleResources.resx 
@@ -1,538 +1,538 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - text/microsoft-resx - - - 2.0 - - - System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 - - - System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 - - - '{0}' is a 64-bit image with a preferred base address below the 4GB boundary. Having a preferred base address below this boundary triggers a compatibility mode in Address Space Layout Randomization (ASLR) on recent versions of Windows that reduces the number of locations to which ASLR may relocate the binary. This reduces the effectiveness of ASLR at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries. - - - 64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security. ASLR compatibility mode reduces the number of locations to which ASLR may relocate the binary, reducing its effectiveness at mitigating memory corruption vulnerabilities. 
To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries. - - - '{0}' is a 64-bit image with a base address that is >= 4 gigabytes, increasing the effectiveness of Address Space Layout Randomization (which helps prevent attackers from executing security-sensitive code in well-known locations). - - - Binaries should not take dependencies on code with known security vulnerabilities. - - - '{0}' was built with a version of {1} which is subject to the following issues: {2}. To resolve this, {3}. The source files that triggered this were: {4} - - - '{0}' does not incorporate any known vulnerable dependencies, as configured by current policy. - - - Do not ship obsolete libraries for which there are known security vulnerabilities. - - - '{0}' appears to be an obsolete library (version {1}) for which there are known security vulnerabilities. To resolve this issue, obtain a version of {0} that is newer than version {2}. If this binary is not in fact {0}, ignore this warning. - - - Version information for '{0}' could not be parsed. The binary therefore could not be verified not to be an obsolete binary that is known to be vulnerable to one or more security problems. - - - vulnerable binary name and version metadata - - - '{0}' is not known to be an obsolete binary that is vulnerable to one or more security problems. - - - Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. 
Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks. - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/microsoft-resx + + + 2.0 + + + System.Resources.ResXResourceReader, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + '{0}' is a 64-bit image with a preferred base address below the 4GB boundary. Having a preferred base address below this boundary triggers a compatibility mode in Address Space Layout Randomization (ASLR) on recent versions of Windows that reduces the number of locations to which ASLR may relocate the binary. This reduces the effectiveness of ASLR at mitigating memory corruption vulnerabilities. To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries. + + + 64-bit images should have a preferred base address above the 4GB boundary to prevent triggering an Address Space Layout Randomization (ASLR) compatibility mode that decreases security. ASLR compatibility mode reduces the number of locations to which ASLR may relocate the binary, reducing its effectiveness at mitigating memory corruption vulnerabilities. 
To resolve this issue, either use the default preferred base address by removing any uses of /baseaddress from compiler command lines, or /BASE from linker command lines (recommended), or configure your program to start at a base address above 4GB when compiled for 64 bit platforms (by changing the constant passed to /baseaddress or /BASE). Note that if you choose to continue using a custom preferred base address, you will need to make this modification only for 64-bit builds, as base addresses above 4GB are not valid for 32-bit binaries. + + + '{0}' is a 64-bit image with a base address that is >= 4 gigabytes, increasing the effectiveness of Address Space Layout Randomization (which helps prevent attackers from executing security-sensitive code in well-known locations). + + + Binaries should not take dependencies on code with known security vulnerabilities. + + + '{0}' was built with a version of {1} which is subject to the following issues: {2}. To resolve this, {3}. The source files that triggered this were: {4} + + + '{0}' does not incorporate any known vulnerable dependencies, as configured by current policy. + + + Do not ship obsolete libraries for which there are known security vulnerabilities. + + + '{0}' appears to be an obsolete library (version {1}) for which there are known security vulnerabilities. To resolve this issue, obtain a version of {0} that is newer than version {2}. If this binary is not in fact {0}, ignore this warning. + + + Version information for '{0}' could not be parsed. The binary therefore could not be verified not to be an obsolete binary that is known to be vulnerable to one or more security problems. + + + vulnerable binary name and version metadata + + + '{0}' is not known to be an obsolete binary that is vulnerable to one or more security problems. + + + Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. 
Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks. + + '{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: -{2} - - - built with {0} compiler version {1} (Front end version {2}) - - - All linked modules of '{0}' satisfy configured policy (observed compilers: {1}). - - - Binaries should be compiled with a warning level that enables all critical security-relevant checks. Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. - - +{2} + + + built with {0} compiler version {1} (Front end version {2}) + + + All linked modules of '{0}' satisfy configured policy (observed compilers: {1}). + + + Binaries should be compiled with a warning level that enables all critical security-relevant checks. Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
+ + '{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2} -Modules triggering this check: {3} - - - '{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1} - - +Modules triggering this check: {3} + + + '{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1} + + '{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1} Modules triggering this check were: -{2} - - - '{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code. - - - Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations. 
CFG analyzes and discovers all indirect-call instructions at compilation and link time. It also injects a check that precedes every indirect call in code that ensures the target is an expected, safe location. If that check fails at runtime, the operating system will close the program. - - - '{0}' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG. - - - '{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries. - - - '{0}' enables the control flow guard mitigation. As a result, the operating system will force an application to close if an attacker is able to redirect execution in the component to an unexpected location. - - - Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. Configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later. - - - '{0}' is not marked as DYNAMICBASE. This means that the binary is not eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. To resolve this issue, configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later. - - - '{0}' is marked as DYNAMICBASE but relocation data has been stripped from the image, preventing address space layout randomization. 
- - - '{0}' is a Windows CE image but does not contain any relocation data, preventing Address Space Layout Randomization. - - - '{0}' is properly compiled to enable Address Space Layout Randomization, reducing an attacker's ability to exploit code in well-known locations. - - - PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. Because the loader will always mark the imports section as writable, it is therefore important to mark this section as non-executable. To resolve this issue, ensure that your program does not mark the imports section executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the ".rdata" segment into an executable section. - - - '{0}' has the imports section marked executable. Because the loader will always mark the imports section as writable, it is important to mark this section as non-executable, so that an attacker cannot place shellcode here. To resolve this issue, ensure that your program does not mark the imports section as executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the ".rdata" segment into an executable section. - - - '{0}' does not have an imports section that is marked as executable, helping to prevent the exploitation of code vulnerabilities. - - - Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that all modules compiled into the binary are compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line. 
- - - '{0}' is a C or C++ binary built with the stack protector buffer security feature disabled in one or more modules. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that your code is compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line. The affected modules were: {1} - - - '{0}' contains code from an unknown language, preventing a comprehensive analysis of the stack protector buffer security features. The language could not be identified for the following modules: {1}. - - - '{0}' is a C or C++ binary built with the stack protector buffer security feature enabled for all modules, making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities. - - - Application code should not interfere with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the "security cookie", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement. 
- - - '{0}' is a C or C++ binary that interferes with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the "security cookie", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the magic statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement. NOTE: the modified cookie value detected was: {1} - - - '{0}' is a C or C++binary that enables the stack protection feature but the security cookie could not be located. The binary may be corrupted. - - - '{0}' is a C or C++ binary built with the buffer security feature that properly preserves the stack protecter cookie. This has the effect of enabling a significant increase in entropy provided by the operating system over that produced by the C runtime start-up code. - - - '{0}' is C or C++binary that does not contain a load config table, which indicates either that it was compiled and linked with a version of the compiler that precedes stack protection features or is a binary (such as an ngen'ed assembly) that is not subject to relevant security issues. - - - '{0}' appears to be a packed C or C++ binary that reports a security cookie offset that exceeds the size of the packed file. 
Use of the stack protector (/GS) feature therefore could not be verified. The file was possibly packed by: {1}. - - - '{0}' appears to be a packed C or C++ binary that reports a security cookie offset that exceeds the size of the packed file. Use of the stack protector (/GS) feature therefore could not be verified. The file was possibly packed by: {1}. - - - '{0}' is a C or C++ binary that does not initialize the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point. - - - Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point. - - - '{0}' is a C or C++ binary that does not enable the stack protection buffer security feature. It is therefore not required to initialize the stack protector. 
- - - '{0}' is a C or C++ binary built with the buffer security feature that properly initializes the stack protecter. This has the effect of increasing the effectiveness of the feature and reducing spurious detections. - - - '{0}' is a C or C++ binary that is not required to initialize the stack protection, as it does not contain executable code. - - - Application code should not disable stack protection for individual functions. The stack protector (/GS) is a security feature of the Windows native compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, can compromise the security of code. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether. - - - '{0}' is a C or C++ binary built with function(s) ({1}) that disable the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, is disallowed by SDL policy. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether. 
- - - '{0}' is a C or C++ binary built with the stack protector buffer security feature enabled which does not disable protection for any individual functions (via __declspec(safebuffers), making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities. - - - Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible. High entropy allows ASLR to be more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tool chain to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. Binaries must also be compiled as /LARGEADDRESSAWARE in order to enable high entropy ASLR. - - - '{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA as well as /LARGEADDRESSAWARE to the C or C++ linker command line. - - - '{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. (This image was determined to have been properly compiled as /LARGEADDRESSAWARE.) - - - '{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible by supplying /LARGEADDRESSAWARE to the C or C++ linker command line. (This image was determined to have been properly compiled as /HIGHENTROPYVA.) 
- - - '{0}' is high entropy ASLR compatible, reducing an attacker's ability to exploit code in well-known locations. - - - '{0}' is not marked NX compatible. The NXCompat bit, also known as "Data Execution Prevention" (DEP) or "Execute Disable" (XD), is a processor feature that allows a program to mark a piece of memory as non-executable. This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit, because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment. To resolve this issue, ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker. - - - Binaries should be marked as NX compatible to help prevent execution of untrusted data as code. The NXCompat bit, also known as "Data Execution Prevention" (DEP) or "Execute Disable" (XD), triggers a processor security feature that allows a program to mark a piece of memory as non-executable. This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit (because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment). Ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker. - - - '{0}' is marked as NX compatible, helping to prevent attackers from executing code that is injected into data segments. - - - X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues. SafeSEH makes it more difficult to exploit vulnerabilities that permit overwriting SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). 
To resolve this issue, supply the /SafeSEH flag on the linker command line. Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64. - - - '{0}' is an x86 binary which {1}, indicating that it does not enable the SafeSEH mitigation. SafeSEH makes it more difficult to exploit memory corruption vulnerabilities that can overwrite SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64. - - - has an empty SE handler table in the load configuration table - - - contains an unexpectedly small load configuration table {size 0} - - - does not contain a load configuration table - - - has zero SE handlers in the load configuration table - - - '{0}' is an x86 binary that enables SafeSEH, a mitigation that verifies SEH exception jump targets are defined as exception handlers in the program (and not shellcode). - - - '{0}' is an x86 binary that does not use SEH, making it an invalid target for exploits that attempt to replace SEH jump targets with attacker-controlled shellcode. - - - Code or data sections should not be marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). 
If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.). - - - '{0}' contains one or more code or data sections ({1}) which are marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.). - - - '{0}' contains no data or code sections marked as both shared and writable, helping to prevent the exploitation of code vulnerabilities. - - - PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Be sure to disable incremental linking in release builds, as this feature creates a writable and executable section named '.textbss' in order to function. - - - '{0}' contains PE section(s) ({1}) that are both writable and executable. 
Writable and executable memory segments make it easier for an attacker to exploit memory corruption vulnerabilities, because it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Enabling incremental linking via the /INCREMENTAL argument (the default for Microsoft Visual Studio debug build) can also result in a writable and executable section named 'textbss'. For this case, disable incremental linking (or analyze an alternate build configuration that disables this feature) to resolve the problem. - - - '{0}' has a section alignment ({1}) that is smaller than its page size ({2}). - - - '{0}' contains no data or code sections marked as both shared and executable, helping to prevent the exploitation of code vulnerabilities. - - - '{0}' was signed exclusively with algorithms that WinTrustVerify has flagged as insecure. {1} - - - '{0}' signing was flagged as insecure by WinTrustVerify with error code '{1}' ({2}) - - - '{0}' signing could not be completely verified because '{1}' failed with error code: '{2}'. - - - '{0}' appears to be signed with secure cryptographic algorithms. WinTrustVerify successfully validated the binary but did not attempt to validate certificate chaining or that the root certificate is trusted. The following digitial signature algorithms were detected: {1} - - - Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms. This rule invokes WinTrustVerify to validate that binary hash, signing and public key algorithms are secure and, where configurable, that key sizes meet acceptable size thresholds. 
- - - Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it. - - +{2} + + + '{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code. + + + Binaries should enable the compiler control guard feature (CFG) at build time to prevent attackers from redirecting execution to unexpected, unsafe locations. CFG analyzes and discovers all indirect-call instructions at compilation and link time. It also injects a check that precedes every indirect call in code that ensures the target is an expected, safe location. If that check fails at runtime, the operating system will close the program. + + + '{0}' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG. + + + '{0}' is a kernel mode portable executable compiled for a version of Windows that does not support the control flow guard feature for kernel mode binaries. + + + '{0}' enables the control flow guard mitigation. As a result, the operating system will force an application to close if an attacker is able to redirect execution in the component to an unexpected location. + + + Binaries should linked as DYNAMICBASE to be eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. Configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later. + + + '{0}' is not marked as DYNAMICBASE. 
This means that the binary is not eligible for relocation by Address Space Layout Randomization (ASLR). ASLR is an important mitigation that makes it more difficult for an attacker to exploit memory corruption vulnerabilities. To resolve this issue, configure your tools to build with this feature enabled. For C and C++ binaries, add /DYNAMICBASE to your linker command line. For .NET applications, use a compiler shipping with Visual Studio 2008 or later. + + + '{0}' is marked as DYNAMICBASE but relocation data has been stripped from the image, preventing address space layout randomization. + + + '{0}' is a Windows CE image but does not contain any relocation data, preventing Address Space Layout Randomization. + + + '{0}' is properly compiled to enable Address Space Layout Randomization, reducing an attacker's ability to exploit code in well-known locations. + + + PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. Because the loader will always mark the imports section as writable, it is therefore important to mark this section as non-executable. To resolve this issue, ensure that your program does not mark the imports section executable. Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the ".rdata" segment into an executable section. + + + '{0}' has the imports section marked executable. Because the loader will always mark the imports section as writable, it is important to mark this section as non-executable, so that an attacker cannot place shellcode here. To resolve this issue, ensure that your program does not mark the imports section as executable. 
Look for uses of /SECTION or /MERGE on the linker command line, or #pragma segment in source code, which change the imports section to be executable, or which merge the ".rdata" segment into an executable section. + + + '{0}' does not have an imports section that is marked as executable, helping to prevent the exploitation of code vulnerabilities. + + + Binaries should be built with the stack protector buffer security feature (/GS) enabled to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that all modules compiled into the binary are compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line. + + + '{0}' is a C or C++ binary built with the stack protector buffer security feature disabled in one or more modules. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. To resolve this issue, ensure that your code is compiled with the stack protector enabled by supplying /GS on the Visual C++ compiler command line. The affected modules were: {1} + + + '{0}' contains code from an unknown language, preventing a comprehensive analysis of the stack protector buffer security features. The language could not be identified for the following modules: {1}. + + + '{0}' is a C or C++ binary built with the stack protector buffer security feature enabled for all modules, making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities. + + + Application code should not interfere with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the "security cookie", to detect these buffer overflows. 
This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement. + + + '{0}' is a C or C++ binary that interferes with the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector relies on a random number, called the "security cookie", to detect these buffer overflows. This 'cookie' is statically linked with your binary from a Visual C++ library in the form of the symbol __security_cookie. On recent Windows versions, the loader looks for the magic statically linked value of this cookie, and initializes the cookie with a far better source of entropy -- the system's secure random number generator -- rather than the limited random number generator available early in the C runtime startup code. When this symbol is not the default value, the additional entropy is not injected by the operating system, reducing the effectiveness of the stack protector. To resolve this issue, ensure that your code does not reference or create a symbol named __security_cookie or __security_cookie_complement. NOTE: the modified cookie value detected was: {1} + + + '{0}' is a C or C++binary that enables the stack protection feature but the security cookie could not be located. The binary may be corrupted. 
+ + + '{0}' is a C or C++ binary built with the buffer security feature that properly preserves the stack protecter cookie. This has the effect of enabling a significant increase in entropy provided by the operating system over that produced by the C runtime start-up code. + + + '{0}' is C or C++binary that does not contain a load config table, which indicates either that it was compiled and linked with a version of the compiler that precedes stack protection features or is a binary (such as an ngen'ed assembly) that is not subject to relevant security issues. + + + '{0}' appears to be a packed C or C++ binary that reports a security cookie offset that exceeds the size of the packed file. Use of the stack protector (/GS) feature therefore could not be verified. The file was possibly packed by: {1}. + + + '{0}' appears to be a packed C or C++ binary that reports a security cookie offset that exceeds the size of the packed file. Use of the stack protector (/GS) feature therefore could not be verified. The file was possibly packed by: {1}. + + + '{0}' is a C or C++ binary that does not initialize the stack protector. The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point. + + + Binaries should properly initialize the stack protector (/GS) in order to increase the difficulty of exploiting stack buffer overflow memory corruption vulnerabilities. 
The stack protector requires access to entropy in order to be effective, which means a binary must initialize a random number generator at startup, by calling __security_init_cookie() as close to the binary's entry point as possible. Failing to do so will result in spurious buffer overflow detections on the part of the stack protector. To resolve this issue, use the default entry point provided by the C runtime, which will make this call for you, or call __security_init_cookie() manually in your custom entry point. + + + '{0}' is a C or C++ binary that does not enable the stack protection buffer security feature. It is therefore not required to initialize the stack protector. + + + '{0}' is a C or C++ binary built with the buffer security feature that properly initializes the stack protecter. This has the effect of increasing the effectiveness of the feature and reducing spurious detections. + + + '{0}' is a C or C++ binary that is not required to initialize the stack protection, as it does not contain executable code. + + + Application code should not disable stack protection for individual functions. The stack protector (/GS) is a security feature of the Windows native compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, can compromise the security of code. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether. + + + '{0}' is a C or C++ binary built with function(s) ({1}) that disable the stack protector. 
The stack protector (/GS) is a security feature of the compiler which makes it more difficult to exploit stack buffer overflow memory corruption vulnerabilities. Disabling the stack protector, even on a function-by-function basis, is disallowed by SDL policy. To resolve this issue, remove occurrences of __declspec(safebuffers) from your code. If the additional code inserted by the stack protector has been shown in profiling to cause a significant performance problem for your application, attempt to move stack buffer modifications out of the hot path of execution to allow the compiler to avoid inserting stack protector checks in these locations rather than disabling the stack protector altogether. + + + '{0}' is a C or C++ binary built with the stack protector buffer security feature enabled which does not disable protection for any individual functions (via __declspec(safebuffers), making it more difficult for an attacker to exploit stack buffer overflow memory corruption vulnerabilities. + + + Binaries should be marked as high entropy Address Space Layout Randomization (ASLR) compatible. High entropy allows ASLR to be more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tool chain to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. Binaries must also be compiled as /LARGEADDRESSAWARE in order to enable high entropy ASLR. + + + '{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA as well as /LARGEADDRESSAWARE to the C or C++ linker command line. + + + '{0}' does not declare itself as high entropy ASLR compatible. 
High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible; e.g. by supplying /HIGHENTROPYVA to the C or C++ linker command line. (This image was determined to have been properly compiled as /LARGEADDRESSAWARE.) + + + '{0}' does not declare itself as high entropy ASLR compatible. High entropy makes Address Space Layout Randomization more effective in mitigating memory corruption vulnerabilities. To resolve this issue, configure your tools to mark the program high entropy compatible by supplying /LARGEADDRESSAWARE to the C or C++ linker command line. (This image was determined to have been properly compiled as /HIGHENTROPYVA.) + + + '{0}' is high entropy ASLR compatible, reducing an attacker's ability to exploit code in well-known locations. + + + '{0}' is not marked NX compatible. The NXCompat bit, also known as "Data Execution Prevention" (DEP) or "Execute Disable" (XD), is a processor feature that allows a program to mark a piece of memory as non-executable. This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit, because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment. To resolve this issue, ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker. + + + Binaries should be marked as NX compatible to help prevent execution of untrusted data as code. The NXCompat bit, also known as "Data Execution Prevention" (DEP) or "Execute Disable" (XD), triggers a processor security feature that allows a program to mark a piece of memory as non-executable. 
This helps mitigate memory corruption vulnerabilities by preventing an attacker from supplying direct shellcode in their exploit (because the exploit comes in the form of input data to the exploited program on a data segment, rather than on an executable code segment). Ensure that your tools are configured to mark your binaries as NX compatible, e.g. by passing /NXCOMPAT to the C/C++ linker. + + + '{0}' is marked as NX compatible, helping to prevent attackers from executing code that is injected into data segments. + + + X86 binaries should enable the SafeSEH mitigation to minimize exploitable memory corruption issues. SafeSEH makes it more difficult to exploit vulnerabilities that permit overwriting SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64. + + + '{0}' is an x86 binary which {1}, indicating that it does not enable the SafeSEH mitigation. SafeSEH makes it more difficult to exploit memory corruption vulnerabilities that can overwrite SEH control blocks on the stack, by verifying that the location to which a thrown SEH exception would jump is indeed defined as an exception handler in the source program (and not shellcode). To resolve this issue, supply the /SafeSEH flag on the linker command line. Note that you will need to configure your build system to supply this flag for x86 builds only, as the /SafeSEH flag is invalid when linking for ARM and x64. 
+ + + has an empty SE handler table in the load configuration table + + + contains an unexpectedly small load configuration table {size 0} + + + does not contain a load configuration table + + + has zero SE handlers in the load configuration table + + + '{0}' is an x86 binary that enables SafeSEH, a mitigation that verifies SEH exception jump targets are defined as exception handlers in the program (and not shellcode). + + + '{0}' is an x86 binary that does not use SEH, making it an invalid target for exploits that attempt to replace SEH jump targets with attacker-controlled shellcode. + + + Code or data sections should not be marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.). + + + '{0}' contains one or more code or data sections ({1}) which are marked as both shared and writable. Because these sections are shared across processes, this condition might permit a process with low privilege to alter memory in a higher privilege process. If you do not actually require that a section be both writable and shared, remove one or both of these attributes (by modifying your .DEF file, the appropriate linker /section switch arguments, etc.). If you must share common data across processes (for inter-process communication (IPC) or other purposes) use CreateFileMapping with proper security attributes or an actual IPC mechanism instead (COM, named pipes, LPC, etc.). 
+ + + '{0}' contains no data or code sections marked as both shared and writable, helping to prevent the exploitation of code vulnerabilities. + + + PE sections should not be marked as both writable and executable. This condition makes it easier for an attacker to exploit memory corruption vulnerabilities, as it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Be sure to disable incremental linking in release builds, as this feature creates a writable and executable section named '.textbss' in order to function. + + + '{0}' contains PE section(s) ({1}) that are both writable and executable. Writable and executable memory segments make it easier for an attacker to exploit memory corruption vulnerabilities, because it may provide an attacker executable location(s) to inject shellcode. To resolve this issue, configure your tools to not emit memory sections that are writable and executable. For example, look for uses of /SECTION on the linker command line for C and C++ programs, or #pragma section in C and C++ source code, which mark a section with both attributes. Enabling incremental linking via the /INCREMENTAL argument (the default for Microsoft Visual Studio debug build) can also result in a writable and executable section named 'textbss'. For this case, disable incremental linking (or analyze an alternate build configuration that disables this feature) to resolve the problem. + + + '{0}' has a section alignment ({1}) that is smaller than its page size ({2}). + + + '{0}' contains no data or code sections marked as both shared and executable, helping to prevent the exploitation of code vulnerabilities. 
+ + + '{0}' was signed exclusively with algorithms that WinTrustVerify has flagged as insecure. {1} + + + '{0}' signing was flagged as insecure by WinTrustVerify with error code '{1}' ({2}) + + + '{0}' signing could not be completely verified because '{1}' failed with error code: '{2}'. + + + '{0}' appears to be signed with secure cryptographic algorithms. WinTrustVerify successfully validated the binary but did not attempt to validate certificate chaining or that the root certificate is trusted. The following digitial signature algorithms were detected: {1} + + + Images should be correctly signed by trusted publishers using cryptographically secure signature algorithms. This rule invokes WinTrustVerify to validate that binary hash, signing and public key algorithms are secure and, where configurable, that key sizes meet acceptable size thresholds. + + + Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it. + + '{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. -{1} - - +{1} + + The following MASM modules were detected. 
The MASM compiler does not currently mitigate against speculative execution attacks: -{0} - - +{0} + + The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations: -{0} - - +{0} + + The following modules were compiled with Spectre mitigations explicitly disabled: -{0} - - +{0} + + The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: -{0} - - - The MitigatedCompilers configuration entry was incorrect, either because version numbers overlapped or because a starting version number was higher than an ending version number. - - - All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities. - - - The following modules were compiled with a toolset that supports /Qspectre but the deprecated /d2guardspecload argument was specified on the command-line instead: {0} - - - A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap). This makes ROP-style attacks more difficult. This can be enabled by passing '-f pie' to clang/gcc. - - - PIE disabled on executable '{0}'. This means the code section will always be loaded to the same address, even if ASLR is enabled in the Linux kernel. To address this, ensure you are compiling with '-fpie' when using clang/gcc. - - - PIE enabled on executable '{0}'. - - - '{0}' is a shared object library rather than an executable, and is automatically position independent. - - - This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable. 
- - - GNU_STACK segment on '{0}' is missing, which means the stack will likely be loaded as executable. Ensure you are using an up to date compiler and passing '-z noexecstack' to the compiler. - - - Stack on '{0}' is executable, which means that an attacker could use it as a place to store attack shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable. - - - GNU_STACK segment marked as non-executable on '{0}'. - - - The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected. Use '--fstack-protector-strong' (all buffers of 4 bytes or more) or '--fstack-protector-all' (all functions) to enable this. - - - The stack protector was not found in '{0}'. This may be because the binary has no stack-based arrays, or because '--stack-protector-strong' was not used. - - - Stack protector was found on '{0}'. However, if you are not compiling with '--stack-protector-strong', it may provide additional protections. - - - This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,relro' to enable this. - - - The GNU_RELRO segment is missing from this binary, so relocation sections in '{0}' will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,z,relro' to address this. - - - The GNU_RELRO segment was present, so '{0}' is protected. - - - This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. 
Use the compiler flags '-Wl,z,now' to enable this. - - - The BIND_NOW flag is missing from this binary, so relocation sections in '{0}' will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,z,now' to address this. - - - The BIND_NOW flag was present, so '{0}' is protected. - - - No checked functions are present/used when compiling '{0}', and it was compiled with GCC--and it uses functions that can be checked. The Fortify Source flag replaces some unsafe functions with checked versions when a static length can be determined, and can be enabled by passing '-D_FORTIFY_SOURCE=2' when optimization level 2 ('-O2') is enabled. It is possible that the flag was passed, but that the compiler could not statically determine the length of any buffers/strings. - - - All functions that can be checked in '{0}' are using the checked versions, so this binary is protected from overflows caused by those function's use. - - - No unsafe functions which can be replaced with checked versions are used in '{0}'. - - - Some checked functions were found in '{0}'; however, there were also some unchecked functions, which can occur when the compiler cannot statically determine the length of a buffer/string. We recommend reviewing your usage of functions like memcpy or strcpy. - - - GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2'). - - - '{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}. - - - This check is not supported on the '{0}' platform, as it requires interoperability with a native Windows library. 
- - - '{0}' was not evaluated for check '{1}' because its PDB could not be loaded ({2}). - - +{0} + + + The MitigatedCompilers configuration entry was incorrect, either because version numbers overlapped or because a starting version number was higher than an ending version number. + + + All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities. + + + The following modules were compiled with a toolset that supports /Qspectre but the deprecated /d2guardspecload argument was specified on the command-line instead: {0} + + + A Position Independent Executable (PIE) relocates all of its sections at load time, including the code section, if ASLR is enabled in the Linux kernel (instead of just the stack/heap). This makes ROP-style attacks more difficult. This can be enabled by passing '-f pie' to clang/gcc. + + + PIE disabled on executable '{0}'. This means the code section will always be loaded to the same address, even if ASLR is enabled in the Linux kernel. To address this, ensure you are compiling with '-fpie' when using clang/gcc. + + + PIE enabled on executable '{0}'. + + + '{0}' is a shared object library rather than an executable, and is automatically position independent. + + + This checks if a binary has an executable stack; an executable stack allows attackers to redirect code flow into stack memory, which is an easy place for an attacker to store shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable. + + + GNU_STACK segment on '{0}' is missing, which means the stack will likely be loaded as executable. Ensure you are using an up to date compiler and passing '-z noexecstack' to the compiler. + + + Stack on '{0}' is executable, which means that an attacker could use it as a place to store attack shellcode. Ensure you are compiling with '-z noexecstack' to mark the stack as non-executable. 
+ + + GNU_STACK segment marked as non-executable on '{0}'. + + + The stack protector ensures that all functions that use buffers over a certain size will use a stack cookie (and check it) to prevent stack based buffer overflows, exiting if stack smashing is detected. Use '--fstack-protector-strong' (all buffers of 4 bytes or more) or '--fstack-protector-all' (all functions) to enable this. + + + The stack protector was not found in '{0}'. This may be because the binary has no stack-based arrays, or because '--stack-protector-strong' was not used. + + + Stack protector was found on '{0}'. However, if you are not compiling with '--stack-protector-strong', it may provide additional protections. + + + This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,relro' to enable this. + + + The GNU_RELRO segment is missing from this binary, so relocation sections in '{0}' will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,z,relro' to address this. + + + The GNU_RELRO segment was present, so '{0}' is protected. + + + This check ensures that some relocation data is marked as read only after the executable is loaded, and moved below the '.data' section in memory. This prevents them from being overwritten, which can redirect control flow. Use the compiler flags '-Wl,z,now' to enable this. + + + The BIND_NOW flag is missing from this binary, so relocation sections in '{0}' will not be marked as read only after the binary is loaded. An attacker can overwrite these to redirect control flow. Ensure you are compiling with the compiler flags '-Wl,z,now' to address this. + + + The BIND_NOW flag was present, so '{0}' is protected. 
+ + + No checked functions are present/used when compiling '{0}', and it was compiled with GCC--and it uses functions that can be checked. The Fortify Source flag replaces some unsafe functions with checked versions when a static length can be determined, and can be enabled by passing '-D_FORTIFY_SOURCE=2' when optimization level 2 ('-O2') is enabled. It is possible that the flag was passed, but that the compiler could not statically determine the length of any buffers/strings. + + + All functions that can be checked in '{0}' are using the checked versions, so this binary is protected from overflows caused by those function's use. + + + No unsafe functions which can be replaced with checked versions are used in '{0}'. + + + Some checked functions were found in '{0}'; however, there were also some unchecked functions, which can occur when the compiler cannot statically determine the length of a buffer/string. We recommend reviewing your usage of functions like memcpy or strcpy. + + + GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2'). + + + '{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}. + + + This check is not supported on the '{0}' platform, as it requires interoperability with a native Windows library. + + + '{0}' was not evaluated for check '{1}' because its PDB could not be loaded ({2}). + + Could not locate the PDB for '{0}'. Probing details: -{1} - - +{1} + + The PDB for '{0}' was found and loaded. Probing details: -{1} - - - '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. 
SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing. - - - '{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm. - - +{1} + + + '{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project <ChecksumAlgorithm> property with 'SHA256' to enable secure source code hashing. + + + '{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm. + + '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: -{1} - - - Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). 
Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '<ChecksumAlgorithm>' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. - - +{1} + + + Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '<ChecksumAlgorithm>' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. 
+ + '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: -{1} - - - '{0}' is a managed assembly that was compiled with an outdated toolchain ({1}) that does not support security features (such as SHA256 PDB checksums and reproducible builds) that must be enabled by policy. To resolve this issue, compile with more recent tools ({2} or later). - - - '{0}' is a managed assembly that was compiled with toolchain ({1}) that supports all security features that must be enabled by policy. - - - This rule emits CSV data to the console for every compiler/language/version combination that's observed in any PDB-linked compiland. - - - Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks. - - - '{0}' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines. - - - '{0}' enables the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. - - - '{0}' is using debugging dwarf version '{1}'. The dwarf version 5 contains more information and should be used. To enable the debugging version 5 use '-gdwarf-5'. - - - The version of the debugging dwarf format is '{0}' for the file '{1}' - - - This check ensures that debugging dwarf version used is 5. The dwarf version 5 contains more information and should be used. Use the compiler flags '-gdwarf-5' to enable this. - - - The Stack Clash Protection is missing from this binary, so the stack from '{0}' can clash/colide with another memory region. 
Ensure you are compiling with the compiler flags '-fstack-clash-protection' to address this. - - - This check ensures that stack clash protection is enabled. Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around. Use the compiler flags '-fstack-clash-protection' to enable this. - - - The Stack Clash Protection was present, so '{0}' is protected. - - - This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this. - - - The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this. - - - The enable non-executable stack flag was present, so '{0}' is protected. - +{1} + + + '{0}' is a managed assembly that was compiled with an outdated toolchain ({1}) that does not support security features (such as SHA256 PDB checksums and reproducible builds) that must be enabled by policy. To resolve this issue, compile with more recent tools ({2} or later). 
+ + + '{0}' is a managed assembly that was compiled with toolchain ({1}) that supports all security features that must be enabled by policy. + + + This rule emits CSV data to the console for every compiler/language/version combination that's observed in any PDB-linked compiland. + + + Control-flow Enforcement Technology (CET) Shadow Stack is a computer processor feature that provides capabilities to defend against return-oriented programming (ROP) based malware attacks. + + + '{0}' does not enable the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. To resolve this issue, pass /CETCOMPAT on the linker command lines. + + + '{0}' enables the Control-flow Enforcement Technology (CET) Shadow Stack mitigation. + + + '{0}' is using debugging dwarf version '{1}'. The dwarf version 5 contains more information and should be used. To enable the debugging version 5 use '-gdwarf-5'. + + + The version of the debugging dwarf format is '{0}' for the file '{1}' + + + This check ensures that debugging dwarf version used is 5. The dwarf version 5 contains more information and should be used. Use the compiler flags '-gdwarf-5' to enable this. + + + The Stack Clash Protection is missing from this binary, so the stack from '{0}' can clash/colide with another memory region. Ensure you are compiling with the compiler flags '-fstack-clash-protection' to address this. + + + This check ensures that stack clash protection is enabled. Each program running on a computer uses a special memory region called the stack. This memory region is special because it grows automatically when the program needs more stack memory. But if it grows too much and gets too close to another memory region, the program may confuse the stack with the other memory region. An attacker can exploit this confusion to overwrite the stack with the other memory region, or the other way around. Use the compiler flags '-fstack-clash-protection' to enable this. 
+ + + The Stack Clash Protection was present, so '{0}' is protected. + + + This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow. An application receives, from an attacker, more data than it is prepared for and stores this information on its stack, writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack. One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this. + + + The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this. + + + The enable non-executable stack flag was present, so '{0}' is protected. + \ No newline at end of file diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif index 37b104323..8159e665c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -780,7 +780,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -811,10 +811,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1035,16 +1035,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1207,7 +1207,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif index 4fb870fc0..ab41f3e6c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif 
@@ -778,13 +778,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -803,7 +803,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -834,10 +834,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1005,16 +1005,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1177,7 +1177,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif index f03e7e6f8..a3ff66b5e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif 
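Review bot: The new "Error" text in this hunk still tells the user to be "compiling with the flag '-z noexecstack'", but `-z noexecstack` is a linker option, so adding it only to the compile steps of a separately linked build will not mark the stack non-executable. The phrase "can have a vulnerability of execution of the data written on the stack" is also hard to parse in a message that has to explain the risk. I would word it as `"text": "Non-executable stack is not enabled for '{0}', so data written to the stack can be executed as code. Link with '-z noexecstack' (for example '-Wl,-z,noexecstack' via the compiler driver) to address this."`. This baseline only mirrors the rule's message string, presumably from RuleResources.resx, so the change belongs there; the same text repeats in the other expected .sarif files in this patch, and the enclosing messageStrings object continues outside the hunk.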
@@ -759,7 +759,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -790,10 +790,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1073,16 +1073,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1245,7 +1245,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif index 24ed355d8..a46b0a87f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -780,7 +780,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -811,10 +811,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1035,16 +1035,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1207,7 +1207,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif index f29808b13..be5742eb7 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif 
@@ -759,7 +759,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -790,10 +790,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1073,16 +1073,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1245,7 +1245,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif index ecc187c54..317978922 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif 
@@ -778,13 +778,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -803,7 +803,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -834,10 +834,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1005,16 +1005,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1177,7 +1177,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif index ae5acfbcd..3b3e85240 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif 
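Review bot: The reworded BA3006 "Error" text in this hunk still tells the reader to fix the finding by "compiling with the flag '-z noexecstack'", but `-z noexecstack` is a linker option, so adding it to a compile-only step leaves the stack marking unchanged. I would word the remediation as `Ensure you are linking with '-z noexecstack' (for example '-Wl,-z,noexecstack' when linking through the compiler driver) to address this.` The phrase "can have a vulnerability of execution of the data written on the stack" would also read more clearly as "data written to the stack can be executed as code". This file looks like a regenerated expected-output baseline, so the wording presumably comes from the rule's resource string and should be changed there, then the baselines regenerated. The same text recurs in the hunks at L459, L465 and L473.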
@@ -755,7 +755,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -786,10 +786,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1016,16 +1016,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1188,7 +1188,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif index 642698055..914a70b38 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif 
@@ -782,7 +782,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -813,10 +813,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1096,16 +1096,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1268,7 +1268,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1362,13 +1362,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif index df36f43aa..d313e004b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif 
@@ -782,7 +782,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -813,10 +813,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1096,16 +1096,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1268,7 +1268,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1362,13 +1362,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif index faf8a1fdc..7a34b118d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif 
@@ -778,7 +778,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -809,10 +809,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1039,16 +1039,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1211,7 +1211,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1305,13 +1305,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif index 567a4806f..1c569a368 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif 
@@ -782,7 +782,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -813,10 +813,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1096,16 +1096,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1268,7 +1268,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1362,13 +1362,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif index fa5d2c23a..934ab47a4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif 
@@ -782,7 +782,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -813,10 +813,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1096,16 +1096,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1268,7 +1268,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1362,13 +1362,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif index 630be6a99..ebd51f61b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif 
@@ -751,13 +751,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -776,7 +776,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -807,10 +807,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -972,16 +972,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1144,7 +1144,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif index a01d6e03f..5f7b0bc6a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif 
@@ -778,7 +778,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -809,10 +809,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1039,16 +1039,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1211,7 +1211,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1305,13 +1305,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif index 1f17a7187..f0da911aa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif 
@@ -755,7 +755,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -786,10 +786,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1016,16 +1016,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1188,7 +1188,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif index b1247d31a..cc49edd7d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif 
@@ -758,7 +758,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -789,10 +789,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1072,16 +1072,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1244,7 +1244,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif index 410ea4ead..400073c4a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif 
@@ -772,7 +772,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -803,10 +803,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1002,16 +1002,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1174,7 +1174,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1268,13 +1268,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif index a9d17df8a..71fbeb981 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif 
@@ -775,7 +775,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -806,10 +806,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1036,16 +1036,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1208,7 +1208,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1302,13 +1302,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif index 8070a4c51..ac2a4459b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif @@ -777,7 +777,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -808,10 +808,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1060,16 +1060,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1232,7 +1232,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
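Review bot: The reworded BA3006 `Error` text still presents `-z noexecstack` as something you are "compiling with", but it is a link-time option that the compiler driver only forwards to the linker. A build that calls the linker directly, or that links assembly objects lacking a non-executable-stack note, would not be fixed by adding it to the compile flags. Suggested wording for the resource string this baseline mirrors: `Ensure you are linking with '-z noexecstack' (for example '-Wl,-z,noexecstack' when linking through the compiler driver) to address this.` The phrase "can have a vulnerability of execution of the data written on the stack" would also read more clearly as "data written to the stack could be executed as code". The same string repeats in the BA3006 hunks of the other baselines in this patch.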
@@ -1326,13 +1326,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif index fa0243f68..c9060e047 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif @@ -775,7 +775,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -806,10 +806,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1036,16 +1036,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1208,7 +1208,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1302,13 +1302,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif index 51434efa2..419e1c709 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif @@ -775,7 +775,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -806,10 +806,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1036,16 +1036,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1208,7 +1208,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1302,13 +1302,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif index 2637b236d..c5f161dc6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif @@ -961,7 +961,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1105,13 +1105,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1158,7 +1158,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1189,10 +1189,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1472,16 +1472,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif index 68d0e07b6..77c71880b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif 
@@ -709,7 +709,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif index 486deb82e..7ca0bb516 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif @@ -928,7 +928,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1072,13 +1072,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1125,7 +1125,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1156,10 +1156,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1470,16 +1470,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif index 86968d9ec..e2d8f5a10 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif 
@@ -897,7 +897,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1016,13 +1016,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1069,7 +1069,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1100,10 +1100,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1467,16 +1467,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif index 6dc251149..8f046ea73 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif 
@@ -712,7 +712,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif index 4040d6595..25b5be9de 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif @@ -897,7 +897,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1016,13 +1016,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1069,7 +1069,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1100,10 +1100,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1467,16 +1467,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif index bd9d11118..4f9d1594d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif 
@@ -757,7 +757,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -788,10 +788,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1046,16 +1046,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1218,7 +1218,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif index 1da222857..7d45783f8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif @@ -961,7 +961,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
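Review bot: The reworded BA3006 "Error" text still tells the reader to be "compiling with the flag '-z noexecstack'", but `-z noexecstack` is a linker option (a compiler driver only forwards it at the link step), so someone who adds it to compile-only commands will see no change in the result. The phrase "can have a vulnerability of execution of the data written on the stack" is also hard to parse. I would word it as `"The non-executable stack is not enabled for this binary, so data written to the stack of '{0}' could be executed as code. Ensure you are linking with the option '-z noexecstack' to address this."`. This file looks like a regenerated baseline, so the edit presumably belongs in the rule's resource string (RuleResources.resx in the diffstat) with the baselines rebuilt from it. The same string recurs in the Native_x64_VS2013_Default, Native_x64_VS2015_CvtresResourceOnly and Native_x64_VS2015_Default hunks.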
@@ -1105,13 +1105,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1158,7 +1158,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1189,10 +1189,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1472,16 +1472,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif index 9965a8195..261e05dd4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif 
@@ -757,7 +757,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -788,10 +788,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1046,16 +1046,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1218,7 +1218,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif index efdad29de..fc0236f7a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif @@ -930,7 +930,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1074,13 +1074,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1127,7 +1127,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1158,10 +1158,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1469,16 +1469,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif index 46b8caef9..e2f51ad25 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif 
@@ -711,7 +711,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif index 35b57cb13..1fabbdfc2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif @@ -931,7 +931,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1050,13 +1050,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1103,7 +1103,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1134,10 +1134,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1470,16 +1470,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif index 86802d5f3..b0151cfca 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif 
@@ -712,7 +712,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif index a2c076737..71ddf7979 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif 
@@ -780,7 +780,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -811,10 +811,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1069,16 +1069,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1241,7 +1241,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1335,13 +1335,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif index 6809a6910..3591e2074 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif @@ -901,7 +901,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1020,13 +1020,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1073,7 +1073,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1104,10 +1104,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1468,16 +1468,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif index 5a3b966eb..f902ac38a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif 
@@ -757,7 +757,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -788,10 +788,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1046,16 +1046,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1218,7 +1218,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif index 08bbb4284..449ad8313 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif @@ -900,7 +900,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1019,13 +1019,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1072,7 +1072,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1103,10 +1103,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1467,16 +1467,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif index 35a6544cf..c6f731569 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif 
@@ -900,7 +900,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1019,13 +1019,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1072,7 +1072,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1103,10 +1103,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1467,16 +1467,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif index aef7a649f..4c2d99ad0 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif 
@@ -682,7 +682,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif index 670521a79..f73d94833 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif 
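Review bot: The reworded BA3006 `Error` text in this hunk still tells the reader to compile with '-z noexecstack', but that option is acted on by the linker. A build that adds it only to compile-only steps, or that invokes the linker separately, can still produce a binary this rule flags. I would word the remediation as `Ensure you are linking with '-z noexecstack' (for example '-Wl,-z,noexecstack' through the compiler driver) to address this.` and add that the usual cause is an object file, often hand-written assembly, that lacks a `.note.GNU-stack` section. This expected baseline appears to be generated from the rule resources, so the wording would be changed there and the baselines regenerated. The same string recurs in the later BA3006 hunks of this patch.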
@@ -817,16 +817,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -989,7 +989,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1133,13 +1133,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1186,7 +1186,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1217,10 +1217,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif index b98d27f00..df8588121 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif 
@@ -934,7 +934,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif index 9b9277638..4669fd17b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif @@ -742,7 +742,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif index a6fbb18a9..9ae72639b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif @@ -777,7 +777,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -808,10 +808,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1066,16 +1066,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1238,7 +1238,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1332,13 +1332,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif index 6f89561bb..a85e26e6f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif 
@@ -775,7 +775,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -806,10 +806,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1036,16 +1036,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1208,7 +1208,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1302,13 +1302,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif index 6bbe8ea10..905189c31 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif @@ -934,7 +934,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif index a64ae4d7f..bfe5acc5f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif 
@@ -709,7 +709,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif index dde795898..e1ec82f1d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif 
@@ -787,16 +787,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -959,7 +959,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1078,13 +1078,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1131,7 +1131,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1162,10 +1162,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif index 74b4da1ae..921e66202 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif 
@@ -784,16 +784,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -956,7 +956,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1100,13 +1100,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1153,7 +1153,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1184,10 +1184,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif index 33c97dbb6..862b39010 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif 
@@ -904,7 +904,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif index 54d2da0f7..b765c05aa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif @@ -712,7 +712,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif index 7881d20e2..3d668e4d5 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif 
@@ -787,16 +787,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -959,7 +959,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." 
@@ -1078,13 +1078,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1131,7 +1131,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1162,10 +1162,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif index 383348127..264009b58 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif 
@@ -778,13 +778,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -803,7 +803,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -834,10 +834,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1005,16 +1005,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1177,7 +1177,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif index d787c7271..d789dee1f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1412,7 +1412,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif index f6d2722a0..a05ce70f9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif 
@@ -753,13 +753,13 @@
 "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm."
 },
 "Warning_NativeWithInsecureStaticLibraryCompilands": {
- "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
+ "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
 },
 "Error_Managed": {
 "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing."
 },
 "Error_NativeWithInsecureDirectCompilands": {
- "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
+ "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
 },
 "NotApplicable_InvalidMetadata": {
 "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
@@ -806,7 +806,7 @@
 },
 "messageStrings": {
 "Error": {
- "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}"
+ "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}"
 },
 "Error_BadModule": {
 "text": "built with {0} compiler version {1} (Front end version {2})"
@@ -837,10 +837,10 @@
 "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code."
 },
 "Error_WarningsDisabled": {
- "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}"
+ "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}"
 },
 "Error_InsufficientWarningLevel": {
- "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}"
+ "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}"
 },
 "Error_UnknownModuleLanguage": {
 "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}"
@@ -1232,16 +1232,16 @@
 },
 "messageStrings": {
 "Warning": {
- "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}"
+ "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}"
 },
 "Warning_OptimizationsDisabled": {
- "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}"
+ "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}"
 },
 "Warning_SpectreMitigationNotEnabled": {
- "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}"
+ "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}"
 },
 "Warning_SpectreMitigationExplicitlyDisabled": {
- "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}"
+ "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}"
 },
 "Pass": {
 "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities."
@@ -1410,7 +1410,7 @@
 "text": "The enable non-executable stack flag was present, so '{0}' is protected."
 },
 "Error": {
- "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this."
+ "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this."
 },
 "NotApplicable_InvalidMetadata": {
 "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif
index 899e31b42..33584bf43 100644
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif
@@ -754,13 +754,13 @@
 "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm."
 },
 "Warning_NativeWithInsecureStaticLibraryCompilands": {
- "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
+ "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
 },
 "Error_Managed": {
 "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing."
 },
 "Error_NativeWithInsecureDirectCompilands": {
- "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
+ "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
 },
 "NotApplicable_InvalidMetadata": {
 "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
@@ -807,7 +807,7 @@
 },
 "messageStrings": {
 "Error": {
- "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}"
+ "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}"
 },
 "Error_BadModule": {
 "text": "built with {0} compiler version {1} (Front end version {2})"
@@ -838,10 +838,10 @@
 "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code."
 },
 "Error_WarningsDisabled": {
- "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}"
+ "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}"
 },
 "Error_InsufficientWarningLevel": {
- "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}"
+ "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}"
 },
 "Error_UnknownModuleLanguage": {
 "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}"
@@ -1233,16 +1233,16 @@
 },
 "messageStrings": {
 "Warning": {
- "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}"
+ "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}"
 },
 "Warning_OptimizationsDisabled": {
- "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}"
+ "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}"
 },
 "Warning_SpectreMitigationNotEnabled": {
- "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}"
+ "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}"
 },
 "Warning_SpectreMitigationExplicitlyDisabled": {
- "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}"
+ "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}"
 },
 "Pass": {
 "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities."
@@ -1411,7 +1411,7 @@
 "text": "The enable non-executable stack flag was present, so '{0}' is protected."
 },
 "Error": {
- "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this."
+ "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this."
 },
 "NotApplicable_InvalidMetadata": {
 "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif
index 846b1f830..3b81ca244 100644
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif
@@ -756,13 +756,13 @@
 "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm."
 },
 "Warning_NativeWithInsecureStaticLibraryCompilands": {
- "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
+ "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
 },
 "Error_Managed": {
 "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing."
 },
 "Error_NativeWithInsecureDirectCompilands": {
- "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
+ "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
 },
 "NotApplicable_InvalidMetadata": {
 "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
@@ -809,7 +809,7 @@
 },
 "messageStrings": {
 "Error": {
- "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}"
+ "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}"
 },
 "Error_BadModule": {
 "text": "built with {0} compiler version {1} (Front end version {2})"
@@ -840,10 +840,10 @@
 "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code."
 },
 "Error_WarningsDisabled": {
- "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}"
+ "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}"
 },
 "Error_InsufficientWarningLevel": {
- "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}"
+ "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}"
 },
 "Error_UnknownModuleLanguage": {
 "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}"
@@ -1235,16 +1235,16 @@
 },
 "messageStrings": {
 "Warning": {
- "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}"
+ "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}"
 },
 "Warning_OptimizationsDisabled": {
- "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}"
+ "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}"
 },
 "Warning_SpectreMitigationNotEnabled": {
- "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}"
+ "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}"
 },
 "Warning_SpectreMitigationExplicitlyDisabled": {
- "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}"
+ "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}"
 },
 "Pass": {
 "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities."
@@ -1413,7 +1413,7 @@
 "text": "The enable non-executable stack flag was present, so '{0}' is protected."
 },
 "Error": {
- "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this."
+ "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this."
 },
 "NotApplicable_InvalidMetadata": {
 "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif
index c98b8ba91..626ef2b9b 100644
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
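Review bot: Every changed message string in this hunk, and in the matching hunks of the other baselines, only switches its embedded newline from `\r\n` to `\n`. That suggests the expected output now depends on the line endings of the file the strings are loaded from, not on anything the rules do. If that is the cause, a checkout with different line-ending conversion would emit `\r\n` again and fail the baseline comparison. Consider pinning that file's line endings (for example with an `eol` rule in `.gitattributes`) or normalising newlines before the comparison, so the baselines are stable across platforms.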
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1412,7 +1412,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif index 27cd03e54..031290e0a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1412,7 +1412,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif index f6324a07f..0a4a610fa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1412,7 +1412,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif index 747cee5ae..aa084c70a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1413,7 +1413,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif index 1cb6882fe..34a0abed9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1412,7 +1412,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif index 220392a7f..56c2d3fc6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif 
@@ -770,13 +770,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -823,7 +823,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -854,10 +854,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1249,16 +1249,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1399,7 +1399,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif index b81a535c9..393765e5c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1413,7 +1413,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif index 1438db1d4..711ec9bef 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1412,7 +1412,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif index 8609088f8..0ecd27851 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1411,7 +1411,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif index fc8e6875e..7ca947325 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1413,7 +1413,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif index 1d3288eb4..fac12110d 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1413,7 +1413,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif index 556c3140c..f85a18d37 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif 
@@ -757,13 +757,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -810,7 +810,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -841,10 +841,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1236,16 +1236,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1414,7 +1414,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif index 3dce0cf40..5c5f06a2e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1382,7 +1382,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif index 8d6f0a310..419a51121 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif 
@@ -751,13 +751,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -804,7 +804,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -835,10 +835,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1230,16 +1230,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1380,7 +1380,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif index 64812321c..963b58f26 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif 
@@ -752,13 +752,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -805,7 +805,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -836,10 +836,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1231,16 +1231,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1381,7 +1381,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif index 21f1fcad4..287bfd7c4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1383,7 +1383,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif index eec6dc345..afc18d819 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif 
@@ -774,13 +774,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -827,7 +827,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -858,10 +858,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1253,16 +1253,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1425,7 +1425,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif index 25860f421..da61c20b5 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif 
@@ -775,13 +775,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -828,7 +828,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -859,10 +859,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1254,16 +1254,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1426,7 +1426,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif index afdd7f7ba..9514f0864 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif 
@@ -774,13 +774,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -827,7 +827,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -858,10 +858,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1253,16 +1253,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1425,7 +1425,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif index fe3bead31..21cecee2e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1384,7 +1384,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif index 54f5738ce..2ce56573e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif 
@@ -776,13 +776,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -829,7 +829,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -860,10 +860,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1255,16 +1255,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1427,7 +1427,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif index c8b6d8f63..7d336b11b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
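Review bot: The `\r\n` → `\n` switches inside these message strings are not explained by the commit subject and look like a side effect of the resource file being saved with different line endings. If the rule text is taken from the .resx as checked out, the expected output now depends on the working tree's end-of-line setting, and a baseline comparison could fail on a checkout that converts to CRLF. Pinning the file, for example `*.resx text eol=lf` in `.gitattributes`, or normalizing newlines before the comparison would make this deterministic. The same change repeats in the other hunks of this file and in the following .sarif baselines.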
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1383,7 +1383,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif index 8b6d1c4ea..3bd83fc67 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1382,7 +1382,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif index 221e70a11..230bd2807 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1382,7 +1382,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif index 3835ba4b2..4eb0c5565 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif 
@@ -752,13 +752,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -805,7 +805,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -836,10 +836,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1231,16 +1231,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1381,7 +1381,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif index 9b505ff54..eea48a014 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1382,7 +1382,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif index 07bf3ff49..ec35c7917 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1383,7 +1383,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif index 8b417031d..22237bd95 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1382,7 +1382,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif index 832904953..3644fe84e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif 
@@ -770,13 +770,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -823,7 +823,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -854,10 +854,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1249,16 +1249,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1399,7 +1399,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif index 9dbce806a..2827f1a5c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1383,7 +1383,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif index 511e841b5..b1702b658 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
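Review bot: The `\r\n` to `\n` switch inside these message strings is unrelated to the BA3006 wording change and makes the expected output depend on how the resource file's line endings are checked out. It appears in every messageStrings hunk of the baseline files on this page (the MD5 hashing, tool-version, warning-level and Spectre messages). If the rule text comes from a .resx that Git may convert on Windows, which is not visible here, the baselines could flip back on the next regeneration. Pinning it with something like `*.resx text eol=lf` in .gitattributes, or normalising newlines in the baseline comparison, would keep these files stable.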
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1382,7 +1382,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif index 2d35041d9..972c60597 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif 
@@ -752,13 +752,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -805,7 +805,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -836,10 +836,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1231,16 +1231,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1381,7 +1381,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif index 67f585624..d366a7de8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif 
@@ -775,13 +775,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -828,7 +828,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -859,10 +859,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1254,16 +1254,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1426,7 +1426,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif index 2d53afcf2..668637054 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif 
@@ -776,13 +776,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -829,7 +829,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -860,10 +860,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1255,16 +1255,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1427,7 +1427,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif index 209bf7a18..f62ec6d38 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif 
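Review bot: The reworded "Error" text still presents '-z noexecstack' as something you compile with, but it is a linker option, so adding it only to compile-only (`-c`) steps changes nothing in the linked binary. I would phrase the remediation as link-time, e.g. `Ensure you are linking with '-z noexecstack' (for example '-Wl,-z,noexecstack' through the compiler driver) to address this.` The phrase "can have a vulnerability of execution of the data written on the stack" also reads more clearly as `data written to the stack could be executed as code`. This file is an expected-output baseline, so the change presumably belongs in the rule's resource string (RuleResources.resx in this patch) with the baselines regenerated. The same string recurs in the other .sarif hunks of this patch, and the surrounding messageStrings object extends beyond the hunk.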
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1383,7 +1383,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif index 725fc20e5..cc33acbb6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1382,7 +1382,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif index 9b7062411..6ee0cb96e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1383,7 +1383,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif index a9f0752e0..bc1524d17 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." 
@@ -1382,7 +1382,7 @@ "text": "The enable non-executable stack flag was present, so '{0}' is protected." }, "Error": { - "text": "The non-executable stack is not enabled from this binary, so '{0}' can have vulnerability of execution of the data written on the stack. Ensure you are compiling with the compiler flags '-z noexecstack' to address this." + "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." From e1c9b10fa1b4f5749e6d095ae14ad59f66559e92 Mon Sep 17 00:00:00 2001 From: Shaopeng Li Date: Fri, 4 Jun 2021 14:38:01 -0700 Subject: [PATCH 3/4] fix CRLF --- .../BA3006.EnableNonExecutableStack.cs | 152 +++++++++--------- 1 file changed, 76 insertions(+), 76 deletions(-) diff --git a/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs b/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs index 6324f961c..6fba42eb7 100644 --- a/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs +++ b/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs 
@@ -1,78 +1,78 @@
-// Copyright (c) Microsoft. All rights reserved.
-// Licensed under the MIT license. See LICENSE file in the project root for full license information.
-
-using System.Collections.Generic;
-using System.Composition;
-
-using ELFSharp.ELF.Segments;
-
-using Microsoft.CodeAnalysis.BinaryParsers;
-using Microsoft.CodeAnalysis.BinaryParsers.ELF;
-using Microsoft.CodeAnalysis.IL.Sdk;
-using Microsoft.CodeAnalysis.Sarif;
-using Microsoft.CodeAnalysis.Sarif.Driver;
-
-namespace Microsoft.CodeAnalysis.IL.Rules
-{
- [Export(typeof(Skimmer)), Export(typeof(ReportingDescriptor))]
- public class EnableNonExecutableStack : ELFBinarySkimmerBase
- {
- ///
- /// BA3006
- ///
- public override string Id => RuleIds.EnableNonExecutableStack;
-
- ///
- /// This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow.
- /// An application receives, from an attacker, more data than it is prepared for and stores this information on its stack,
- /// writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack.
- /// One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections
- /// of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this.
- ///
- public override MultiformatMessageString FullDescription =>
- new MultiformatMessageString { Text = RuleResources.BA3006_EnableNonExecutableStack_Description };
-
- protected override IEnumerable MessageResourceNames => new string[] {
- nameof(RuleResources.BA3006_Pass),
- nameof(RuleResources.BA3006_Error),
- nameof(RuleResources.NotApplicable_InvalidMetadata)
- };
-
- public override AnalysisApplicability CanAnalyzeElf(ELFBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
- {
- reasonForNotAnalyzing = null;
-
- if (target.GetSegmentFlags(ELFSegmentType.PT_GNU_STACK) == null)
- {
- reasonForNotAnalyzing = MetadataConditions.ElfNotContainSegment;
- return AnalysisApplicability.NotApplicableToSpecifiedTarget;
- }
-
- reasonForNotAnalyzing = null;
- return AnalysisApplicability.ApplicableToSpecifiedTarget;
- }
-
- public override void Analyze(BinaryAnalyzerContext context)
- {
- ELFBinary elfBinary = context.ELFBinary();
-
- if ((elfBinary.GetSegmentFlags(ELFSegmentType.PT_GNU_STACK) & SegmentFlags.Execute) != 0)
- {
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections.Generic;
+using System.Composition;
+
+using ELFSharp.ELF.Segments;
+
+using Microsoft.CodeAnalysis.BinaryParsers;
+using Microsoft.CodeAnalysis.BinaryParsers.ELF;
+using Microsoft.CodeAnalysis.IL.Sdk;
+using Microsoft.CodeAnalysis.Sarif;
+using Microsoft.CodeAnalysis.Sarif.Driver;
+
+namespace Microsoft.CodeAnalysis.IL.Rules
+{
+ [Export(typeof(Skimmer)), Export(typeof(ReportingDescriptor))]
+ public class EnableNonExecutableStack : ELFBinarySkimmerBase
+ {
+ ///
+ /// BA3006
+ ///
+ public override string Id => RuleIds.EnableNonExecutableStack;
+
+ ///
+ /// This check ensures that non-executable stack is enabled. A common type of exploit is the stack buffer overflow.
+ /// An application receives, from an attacker, more data than it is prepared for and stores this information on its stack,
+ /// writing beyond the space reserved for it. This can be designed to cause execution of the data written on the stack.
+ /// One mechanism to mitigate this vulnerability is for the system to not allow the execution of instructions in sections
+ /// of memory identified as part of the stack. Use the compiler flags '-z noexecstack' to enable this.
+ ///
+ public override MultiformatMessageString FullDescription =>
+ new MultiformatMessageString { Text = RuleResources.BA3006_EnableNonExecutableStack_Description };
+
+ protected override IEnumerable MessageResourceNames => new string[] {
+ nameof(RuleResources.BA3006_Pass),
+ nameof(RuleResources.BA3006_Error),
+ nameof(RuleResources.NotApplicable_InvalidMetadata)
+ };
+
+ public override AnalysisApplicability CanAnalyzeElf(ELFBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing)
+ {
+ reasonForNotAnalyzing = null;
+
+ if (target.GetSegmentFlags(ELFSegmentType.PT_GNU_STACK) == null)
+ {
+ reasonForNotAnalyzing = MetadataConditions.ElfNotContainSegment;
+ return AnalysisApplicability.NotApplicableToSpecifiedTarget;
+ }
+
+ reasonForNotAnalyzing = null;
+ return AnalysisApplicability.ApplicableToSpecifiedTarget;
+ }
+
+ public override void Analyze(BinaryAnalyzerContext context)
+ {
+ ELFBinary elfBinary = context.ELFBinary();
+
+ if ((elfBinary.GetSegmentFlags(ELFSegmentType.PT_GNU_STACK) & SegmentFlags.Execute) != 0)
+ {
 // The non-executable stack is not enabled for this binary,
 // so '{0}' can have a vulnerability of execution of the data written on the stack.
- // Ensure you are compiling with the flag '-z noexecstack' to address this.
- context.Logger.Log(this,
- RuleUtilities.BuildResult(FailureLevel.Error, context, null,
- nameof(RuleResources.BA3006_Error),
- context.TargetUri.GetFileName()));
- return;
- }
-
- // The enable non-executable stack flag was present, so '{0}' is protected.
- context.Logger.Log(this,
- RuleUtilities.BuildResult(ResultKind.Pass, context, null,
- nameof(RuleResources.BA3006_Pass),
- context.TargetUri.GetFileName()));
- }
- }
-}
+ // Ensure you are compiling with the flag '-z noexecstack' to address this.
+ context.Logger.Log(this,
+ RuleUtilities.BuildResult(FailureLevel.Error, context, null,
+ nameof(RuleResources.BA3006_Error),
+ context.TargetUri.GetFileName()));
+ return;
+ }
+
+ // The enable non-executable stack flag was present, so '{0}' is protected.
+ context.Logger.Log(this,
+ RuleUtilities.BuildResult(ResultKind.Pass, context, null,
+ nameof(RuleResources.BA3006_Pass),
+ context.TargetUri.GetFileName()));
+ }
+ }
+}
From e8344564b10c9a918c8b7d96ca3a6b488ae5d288 Mon Sep 17 00:00:00 2001
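Review bot: In `CanAnalyzeElf`, a target with no `PT_GNU_STACK` program header is reported as `NotApplicableToSpecifiedTarget`, which may hide the very case this rule exists for: on some architecture and kernel combinations a linked ELF image without that header is loaded with an executable stack by default (worth confirming for the platforms BinSkim targets). I would keep the not-applicable result only for relocatable object files, which carry no program headers, and let executables and shared objects that lack the segment reach `Analyze` and fail with `BA3006_Error`. The hunk only normalises line endings, so this applies to the rule as it stands after the commit. Separately, the second `reasonForNotAnalyzing = null;` before the final return is redundant, and `Analyze` silently depends on `CanAnalyzeElf` having ruled out a null from `GetSegmentFlags`; a comment such as `// PT_GNU_STACK is present here; CanAnalyzeElf rejects targets without it` above the flag test would make that dependency explicit.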
From: Shaopeng Li Date: Mon, 7 Jun 2021 13:27:57 -0700 Subject: [PATCH 4/4] removed "enable" in text --- .../BA3006.EnableNonExecutableStack.cs | 2 +- src/BinSkim.Rules/RuleResources.Designer.cs | 24 ++++++++-------- src/BinSkim.Rules/RuleResources.resx | 28 +++++++++---------- .../Expected/BinSkim.win-x64.ni.dll.sarif | 20 ++++++------- .../Expected/BinSkim.win-x86.ni.dll.sarif | 20 ++++++------- .../Expected/Binskim.linux-x64.dll.sarif | 16 +++++------ .../Expected/Binskim.win-x64.RTR.dll.sarif | 20 ++++++------- .../Expected/Binskim.win-x64.dll.sarif | 16 +++++------ .../Expected/Binskim.win-x86.RTR.dll.sarif | 20 ++++++------- .../Expected/Binskim.win-x86.dll.sarif | 16 +++++------ ...ore_RTR_linux-x64_VS2019_Default.dll.sarif | 20 ++++++------- ...tCore_RTR_win-x64_VS2019_Default.dll.sarif | 20 ++++++------- ...tCore_RTR_win-x86_VS2019_Default.dll.sarif | 20 ++++++------- ...NetCore_linux-x64_VS2019_Default.dll.sarif | 20 ++++++------- ...otNetCore_win-x64_VS2019_Default.dll.sarif | 20 ++++++------- ...otNetCore_win-x64_VS2019_Default.exe.sarif | 20 ++++++------- ...otNetCore_win-x86_VS2019_Default.dll.sarif | 20 ++++++------- ...InteropAssemblyForAtlTestLibrary.dll.sarif | 16 +++++------ .../Expected/ManagedResourcesOnly.dll.sarif | 16 +++++------ ...aged_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif | 20 ++++++------- ...anaged_AnyCPU_VS2017_Prefer32Bit.exe.sarif | 20 ++++++------- .../Managed_x64_VS2015_FSharp.exe.sarif | 20 ++++++------- .../Expected/Managed_x86_VS2013_Wpf.exe.sarif | 20 ++++++------- .../Managed_x86_VS2015_FSharp.dll.sarif | 20 ++++++------- .../MixedMode_x64_VS2013_Default.dll.sarif | 20 ++++++------- .../MixedMode_x64_VS2013_NoPdb.exe.sarif | 2 +- .../MixedMode_x64_VS2015_Default.exe.sarif | 20 ++++++------- .../MixedMode_x86_VS2013_Default.exe.sarif | 20 ++++++------- .../MixedMode_x86_VS2013_MissingPdb.dll.sarif | 2 +- .../MixedMode_x86_VS2015_Default.exe.sarif | 20 ++++++------- ...ve_ARM_VS2015_CvtresResourceOnly.dll.sarif | 16 +++++------ 
.../Native_x64_VS2013_Default.dll.sarif | 20 ++++++------- ...ve_x64_VS2015_CvtresResourceOnly.dll.sarif | 16 +++++------ .../Native_x64_VS2015_Default.dll.sarif | 20 ++++++------- ...ve_x64_VS2019_Atl_NoPdbGenerated.dll.sarif | 2 +- .../Native_x86_VS2013_Default.exe.sarif | 20 ++++++------- .../Native_x86_VS2013_PdbMissing.exe.sarif | 2 +- .../Native_x86_VS2013_ResourceOnly.dll.sarif | 20 ++++++------- ...Native_x86_VS2015_AtlProxyStubPS.dll.sarif | 20 ++++++------- ...ve_x86_VS2015_CvtresResourceOnly.dll.sarif | 16 +++++------ .../Native_x86_VS2015_Default.exe.sarif | 20 ++++++------- .../Native_x86_VS2015_Default_Debug.dll.sarif | 20 ++++++------- ...ve_x86_VS2017_15.5.4_PdbStripped.dll.sarif | 2 +- .../Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif | 20 ++++++------- .../Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif | 2 +- .../Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif | 2 +- .../Expected/Uwp_ARM_VS2017_VB.dll.sarif | 20 ++++++------- ...wp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif | 20 ++++++------- .../Uwp_x64_VS2015_DefaultBlankApp.dll.sarif | 2 +- .../Uwp_x64_VS2015_DefaultBlankApp.exe.sarif | 2 +- .../Expected/Uwp_x64_VS2017_Cpp.dll.sarif | 20 ++++++------- .../Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif | 20 ++++++------- .../Uwp_x86_VS2015_DefaultBlankApp.dll.sarif | 2 +- .../Uwp_x86_VS2015_DefaultBlankApp.exe.sarif | 2 +- .../Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif | 20 ++++++------- .../Wix_3.11.1_VS2017_Bootstrapper.exe.sarif | 20 ++++++------- .../Expected/clang.default_compilation.sarif | 20 ++++++------- .../Expected/clang.execstack.sarif | 20 ++++++------- .../Expected/clang.execstack.so.sarif | 20 ++++++------- .../Expected/clang.immediate_binding.sarif | 20 ++++++------- .../Expected/clang.no_immediate_binding.sarif | 20 ++++++------- .../Expected/clang.no_stack_protector.sarif | 20 ++++++------- .../Expected/clang.noexecstack.sarif | 20 ++++++------- .../Expected/clang.noexecstack.so.sarif | 20 ++++++------- .../Expected/clang.non_pie_executable.sarif | 20 
++++++------- .../Expected/clang.object_file.o.sarif | 20 ++++++------- .../Expected/clang.pie_executable.sarif | 20 ++++++------- .../Expected/clang.relocationsro.sarif | 20 ++++++------- .../Expected/clang.relocationsrw.sarif | 20 ++++++------- .../Expected/clang.shared_library.so.sarif | 20 ++++++------- .../Expected/clang.stack_protector.sarif | 20 ++++++------- .../Expected/clang.stack_protector.so.sarif | 20 ++++++------- .../Expected/gcc.default_compilation.sarif | 20 ++++++------- .../Expected/gcc.execstack.sarif | 20 ++++++------- .../Expected/gcc.execstack.so.sarif | 20 ++++++------- .../Expected/gcc.fortified.sarif | 20 ++++++------- ...oworld.4.o.no-stack-clash-protection.sarif | 20 ++++++------- ...oworld.5.o.no-stack-clash-protection.sarif | 20 ++++++------- .../gcc.helloworld.execstack.5.o.sarif | 20 ++++++------- .../Expected/gcc.helloworld.nodwarf.sarif | 20 ++++++------- .../gcc.helloworld.noexecstack.5.o.sarif | 20 ++++++------- .../Expected/gcc.immediate_binding.sarif | 20 ++++++------- .../gcc.no_fortification_required.sarif | 20 ++++++------- .../Expected/gcc.no_immediate_binding.sarif | 20 ++++++------- .../Expected/gcc.no_stack_protector.sarif | 20 ++++++------- .../Expected/gcc.noexecstack.sarif | 20 ++++++------- .../Expected/gcc.noexecstack.so.sarif | 20 ++++++------- .../Expected/gcc.non_pie_executable.sarif | 20 ++++++------- .../Expected/gcc.object_file.o.sarif | 20 ++++++------- .../Expected/gcc.pie_executable.sarif | 20 ++++++------- .../Expected/gcc.relocationsro.sarif | 20 ++++++------- .../Expected/gcc.relocationsrw.sarif | 20 ++++++------- .../Expected/gcc.requiredsymbol.4.o.sarif | 20 ++++++------- .../Expected/gcc.requiredsymbol.5.o.sarif | 20 ++++++------- .../Expected/gcc.shared_library.so.sarif | 20 ++++++------- .../Expected/gcc.stack_protector.sarif | 20 ++++++------- .../Expected/gcc.stack_protector.so.sarif | 20 ++++++------- .../Expected/gcc.unfortified.sarif | 20 ++++++------- 98 files changed, 862 insertions(+), 862 
deletions(-) diff --git a/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs b/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs index 6fba42eb7..137bbb018 100644 --- a/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs +++ b/src/BinSkim.Rules/ELFRules/BA3006.EnableNonExecutableStack.cs @@ -68,7 +68,7 @@ public override void Analyze(BinaryAnalyzerContext context) return; } - // The enable non-executable stack flag was present, so '{0}' is protected. + // The non-executable stack flag was present, so '{0}' is protected. context.Logger.Log(this, RuleUtilities.BuildResult(ResultKind.Pass, context, null, nameof(RuleResources.BA3006_Pass), diff --git a/src/BinSkim.Rules/RuleResources.Designer.cs b/src/BinSkim.Rules/RuleResources.Designer.cs index e51aaacb2..9fdbebaa0 100644 --- a/src/BinSkim.Rules/RuleResources.Designer.cs +++ b/src/BinSkim.Rules/RuleResources.Designer.cs @@ -133,7 +133,7 @@ internal static string BA2004_Error_Managed { } /// - /// Looks up a localized string similar to '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: + /// Looks up a localized string similar to '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: ///{1}. /// internal static string BA2004_Error_NativeWithInsecureDirectCompilands { 
@@ -152,7 +152,7 @@ internal static string BA2004_Pass { } /// - /// Looks up a localized string similar to '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: + /// Looks up a localized string similar to '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: ///{1}. /// internal static string BA2004_Warning_NativeWithInsecureStaticLibraryCompilands { 
@@ -270,7 +270,7 @@ internal static string BA2007_EnableCriticalCompilerWarnings_Description { } /// - /// Looks up a localized string similar to '{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2} + /// Looks up a localized string similar to '{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2} ///Modules triggering this check: {3}. /// internal static string BA2007_Error_InsufficientWarningLevel { 
@@ -289,8 +289,8 @@ internal static string BA2007_Error_UnknownModuleLanguage { } /// - /// Looks up a localized string similar to '{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1} - ///Modules tri [rest of string was truncated]";. + /// Looks up a localized string similar to '{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1} + ///Modules tr [rest of string was truncated]";. /// internal static string BA2007_Error_WarningsDisabled { get { @@ -884,7 +884,7 @@ internal static string BA2024_Warning_DeprecatedMitigationEnabled { } /// - /// Looks up a localized string similar to The following MASM modules were detected. The MASM compiler does not currently mitigate against speculative execution attacks: + /// Looks up a localized string similar to The following MASM modules were detected. The MASM compiler does not currently mitigate against speculative execution attacks: ///{0}. /// internal static string BA2024_Warning_MasmModulesDetected { 
@@ -894,7 +894,7 @@ internal static string BA2024_Warning_MasmModulesDetected { } /// - /// Looks up a localized string similar to The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations: + /// Looks up a localized string similar to The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations: ///{0}. /// internal static string BA2024_Warning_OptimizationsDisabled { @@ -904,7 +904,7 @@ internal static string BA2024_Warning_OptimizationsDisabled { } /// - /// Looks up a localized string similar to The following modules were compiled with Spectre mitigations explicitly disabled: + /// Looks up a localized string similar to The following modules were compiled with Spectre mitigations explicitly disabled: ///{0}. /// internal static string BA2024_Warning_SpectreMitigationExplicitlyDisabled { @@ -914,7 +914,7 @@ internal static string BA2024_Warning_SpectreMitigationExplicitlyDisabled { } /// - /// Looks up a localized string similar to The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: + /// Looks up a localized string similar to The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: ///{0}. /// internal static string BA2024_Warning_SpectreMitigationNotEnabled { @@ -1122,7 +1122,7 @@ internal static string BA3006_Error { } /// - /// Looks up a localized string similar to The enable non-executable stack flag was present, so '{0}' is protected.. + /// Looks up a localized string similar to The non-executable stack flag was present, so '{0}' is protected.. /// internal static string BA3006_Pass { get { 
@@ -1266,7 +1266,7 @@ internal static string NotApplicable_PlatformUnsupported { } /// - /// Looks up a localized string similar to Could not locate the PDB for '{0}'. Probing details: + /// Looks up a localized string similar to Could not locate the PDB for '{0}'. Probing details: ///{1}. /// internal static string PdbLoadFailed { @@ -1276,7 +1276,7 @@ internal static string PdbLoadFailed { } /// - /// Looks up a localized string similar to The PDB for '{0}' was found and loaded. Probing details: + /// Looks up a localized string similar to The PDB for '{0}' was found and loaded. Probing details: ///{1}. /// internal static string PdbLoadSucceeded { diff --git a/src/BinSkim.Rules/RuleResources.resx b/src/BinSkim.Rules/RuleResources.resx index 6f2e7a8d9..49c25065f 100644 --- a/src/BinSkim.Rules/RuleResources.resx +++ b/src/BinSkim.Rules/RuleResources.resx 
@@ -154,7 +154,7 @@ Application code should be compiled with the most up-to-date tool sets possible to take advantage of the most current compile-time security features. Among other things, these features provide address space layout randomization, help prevent arbitrary code execution, and enable code generation that can help prevent speculative execution side-channel attacks. - '{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: + '{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: {2} 
@@ -167,15 +167,15 @@ Binaries should be compiled with a warning level that enables all critical security-relevant checks. Enabling at least warning level 3 enables important static analysis in the compiler that can identify bugs with a potential to provoke memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. - '{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2} + '{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2} Modules triggering this check: {3} '{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1} - '{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. 
To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1} -Modules triggering this check were: + '{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1} +Modules triggering this check were: {2} 
@@ -362,23 +362,23 @@ Modules triggering this check were: Application code should be compiled with the Spectre mitigations switch (/Qspectre) and toolsets that support it. - '{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. + '{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. {1} - The following MASM modules were detected. The MASM compiler does not currently mitigate against speculative execution attacks: + The following MASM modules were detected. 
The MASM compiler does not currently mitigate against speculative execution attacks: {0} - The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations: + The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations: {0} - The following modules were compiled with Spectre mitigations explicitly disabled: + The following modules were compiled with Spectre mitigations explicitly disabled: {0} - The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: + The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line: {0} @@ -466,11 +466,11 @@ Modules triggering this check were: '{0}' was not evaluated for check '{1}' because its PDB could not be loaded ({2}). - Could not locate the PDB for '{0}'. Probing details: + Could not locate the PDB for '{0}'. Probing details: {1} - The PDB for '{0}' was found and loaded. Probing details: + The PDB for '{0}' was found and loaded. Probing details: {1} 
@@ -480,14 +480,14 @@ Modules triggering this check were: '{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm. - '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: + '{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: {1} Compilers can generate and store checksums of source files in order to provide linkage between binaries, their PDBs, and associated source code. This information is typically used to resolve source file when debugging but it can also be used to verify that a specific body of source code is, in fact, the code that was used to produce a specific set of binaries and PDBs. This validation is helpful in verifying supply chain integrity. Due to this security focus, it is important that the hashing algorithm used to produce checksums is secure. Legacy hashing algorithms, such as MD5 and SHA-1, have been demonstrated to be broken by modern hardware (that is, it is computationally feasible to force hash collisions, in which a common hash is generated from distinct files). Using a secure hashing algorithm, such as SHA-256, prevents the possibility of collision attacks, in which the checksum of a malicious file is used to produce a hash that satisfies the system that it is, in fact, the original file processed by the compiler. 
For managed binaries, pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the '<ChecksumAlgorithm>' project property with 'SHA256' to enable secure source code hashing. For native binaries, pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. - '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: + '{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: {1} @@ -533,6 +533,6 @@ Modules triggering this check were: The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this. - The enable non-executable stack flag was present, so '{0}' is protected. + The non-executable stack flag was present, so '{0}' is protected. \ No newline at end of file diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif index 8159e665c..1c25501e3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x64.ni.dll.sarif 
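Review bot: The BA3006 error text kept as context in this hunk advises "compiling with the flag '-z noexecstack'", but `-z noexecstack` is a linker option, so a reader who adds it only to a compile step may see no change in the result. The sentence "can have a vulnerability of execution of the data written on the stack" is also hard to parse. Suggested wording: `The stack of '{0}' is executable, so data written to the stack could be run as code. Link with '-z noexecstack' to address this.` Changing it would also require regenerating RuleResources.Designer.cs and the expected .sarif baselines that embed the string.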
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -780,7 +780,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -811,10 +811,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1035,16 +1035,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1204,7 +1204,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif index ab41f3e6c..2e685899c 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/BinSkim.win-x86.ni.dll.sarif 
@@ -778,13 +778,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -803,7 +803,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -834,10 +834,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1005,16 +1005,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1174,7 +1174,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif index a3ff66b5e..360528386 100644 
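Review bot: The reworded Pass message in the `@@ -1174,7 +1174,7 @@` hunk still ends with "so '{0}' is protected", which claims more than a single mitigation can deliver. A non-executable stack blocks execution of data written to the stack but leaves other memory-corruption outcomes unaddressed. Something like `"text": "'{0}' is marked as not requiring an executable stack, which helps prevent execution of data written to the stack."` states what was actually observed. The Error text on the context line says "compiling with the flag '-z noexecstack'", but `-z noexecstack` is a linker option, so "linking with" would be more accurate. It is also worth mentioning that an object file which requests an executable stack can still override the default. The string presumably comes from RuleResources.resx, listed in the diffstat, so the fix belongs there, and the identical entries in the later baselines would then regenerate.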
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.linux-x64.dll.sarif @@ -759,7 +759,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -790,10 +790,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1073,16 +1073,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1242,7 +1242,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif index a46b0a87f..4d999ddfd 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.RTR.dll.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -780,7 +780,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -811,10 +811,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1035,16 +1035,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1204,7 +1204,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif index be5742eb7..6def4d0a9 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x64.dll.sarif @@ -759,7 +759,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -790,10 +790,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1073,16 +1073,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1242,7 +1242,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif index 317978922..c541e7b35 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.RTR.dll.sarif 
@@ -778,13 +778,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -803,7 +803,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
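Review bot: The message strings of rules this patch does not otherwise touch now end in `\r\n{1}` where the baseline had `\n{1}`, here in `Warning_NativeWithInsecureStaticLibraryCompilands` and `Error_NativeWithInsecureDirectCompilands`, and likewise in the tool-version, warning-level and Spectre messages of the other baselines in this patch. This looks like line-ending churn rather than an intended change, presumably from RuleResources.resx being saved with CRLF, and it makes the expected output depend on how the resource file was checked out. I would keep the resource values on `\n`, or pin the file's line endings with a `.gitattributes` entry such as `*.resx text eol=lf`, and then regenerate the baselines so the diff carries only the BA3006 wording change.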
@@ -834,10 +834,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1005,16 +1005,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1174,7 +1174,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif index 3b3e85240..44cbacd5c 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Binskim.win-x86.dll.sarif @@ -755,7 +755,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -786,10 +786,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1016,16 +1016,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1185,7 +1185,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif index 914a70b38..743822744 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_linux-x64_VS2019_Default.dll.sarif @@ -782,7 +782,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -813,10 +813,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1096,16 +1096,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1265,7 +1265,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1362,13 +1362,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif index d313e004b..380aefc25 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x64_VS2019_Default.dll.sarif 
@@ -782,7 +782,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -813,10 +813,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1096,16 +1096,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1265,7 +1265,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
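Review bot: The reworded Pass text in the `@@ -1265,7` hunk, `The non-executable stack flag was present, so '{0}' is protected.`, still overstates the result. A non-executable stack is a single mitigation, and the message does not say what the binary is protected against. Wording such as `'{0}' is marked as having a non-executable stack, so data written to the stack cannot be executed as code.` states only what the check establishes. The neighbouring Error text says "compiling with the flag '-z noexecstack'", but that is a linker option, so "linking with '-z noexecstack' (e.g. `-Wl,-z,noexecstack`)" would be more accurate. These strings presumably originate in the rule resources and are only mirrored here; the same wording repeats in the matching hunks of the other baselines.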
@@ -1362,13 +1362,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif index 7a34b118d..31a9ad1f3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_RTR_win-x86_VS2019_Default.dll.sarif 
@@ -778,7 +778,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -809,10 +809,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1039,16 +1039,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1208,7 +1208,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1305,13 +1305,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif index 1c569a368..4aa70fa2e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_linux-x64_VS2019_Default.dll.sarif 
@@ -782,7 +782,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -813,10 +813,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1096,16 +1096,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1265,7 +1265,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1362,13 +1362,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif index 934ab47a4..28da64ee4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.dll.sarif 
@@ -782,7 +782,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -813,10 +813,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1096,16 +1096,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1265,7 +1265,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1362,13 +1362,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif index ebd51f61b..f5b7a1e1a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x64_VS2019_Default.exe.sarif 
@@ -751,13 +751,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -776,7 +776,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -807,10 +807,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -972,16 +972,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1141,7 +1141,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif index 5f7b0bc6a..68f21fd81 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/DotNetCore_win-x86_VS2019_Default.dll.sarif @@ -778,7 +778,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -809,10 +809,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1039,16 +1039,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1208,7 +1208,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1305,13 +1305,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif index f0da911aa..2b76ec819 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedInteropAssemblyForAtlTestLibrary.dll.sarif 
@@ -755,7 +755,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -786,10 +786,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1016,16 +1016,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1185,7 +1185,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif index cc49edd7d..78640822c 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/ManagedResourcesOnly.dll.sarif @@ -758,7 +758,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -789,10 +789,10 @@
 "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code."
 },
 "Error_WarningsDisabled": {
- "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}"
+ "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}"
 },
 "Error_InsufficientWarningLevel": {
- "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}"
+ "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}"
 },
 "Error_UnknownModuleLanguage": {
 "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}"
@@ -1072,16 +1072,16 @@
 },
 "messageStrings": {
 "Warning": {
- "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}"
+ "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}"
 },
 "Warning_OptimizationsDisabled": {
- "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}"
+ "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}"
 },
 "Warning_SpectreMitigationNotEnabled": {
- "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}"
+ "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}"
 },
 "Warning_SpectreMitigationExplicitlyDisabled": {
- "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}"
+ "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}"
 },
 "Pass": {
 "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities."
@@ -1241,7 +1241,7 @@
 },
 "messageStrings": {
 "Pass": {
- "text": "The enable non-executable stack flag was present, so '{0}' is protected."
+ "text": "The non-executable stack flag was present, so '{0}' is protected."
 },
 "Error": {
 "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this."
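Review bot: The reworded `Pass` text in the `-1241,7` hunk still says '{0}' "is protected" without saying against what; a non-executable stack only stops data written to the stack from being executed, and someone triaging results may read the unqualified wording as a broader guarantee. I would phrase it as `"text": "The stack of '{0}' is marked non-executable, which helps prevent execution of data written to the stack."`. In the `Error` context line below it, `-z noexecstack` is a linker option, so "linking with" would be more accurate than "compiling with". This file is baseline output, so the wording presumably has to change in the rule resources and the baselines be regenerated; the same string recurs in the matching hunk of every baseline file in this commit.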
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif
index 400073c4a..8003def4b 100644
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_NoPrefer32Bit.exe.sarif
@@ -772,7 +772,7 @@
 },
 "messageStrings": {
 "Error": {
- "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}"
+ "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}"
 },
 "Error_BadModule": {
 "text": "built with {0} compiler version {1} (Front end version {2})"
@@ -803,10 +803,10 @@
 "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code."
 },
 "Error_WarningsDisabled": {
- "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}"
+ "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}"
 },
 "Error_InsufficientWarningLevel": {
- "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}"
+ "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}"
 },
 "Error_UnknownModuleLanguage": {
 "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}"
@@ -1002,16 +1002,16 @@
 },
 "messageStrings": {
 "Warning": {
- "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}"
+ "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}"
 },
 "Warning_OptimizationsDisabled": {
- "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}"
+ "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}"
 },
 "Warning_SpectreMitigationNotEnabled": {
- "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}"
+ "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}"
 },
 "Warning_SpectreMitigationExplicitlyDisabled": {
- "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}"
+ "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}"
 },
 "Pass": {
 "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities."
@@ -1171,7 +1171,7 @@
 },
 "messageStrings": {
 "Pass": {
- "text": "The enable non-executable stack flag was present, so '{0}' is protected."
+ "text": "The non-executable stack flag was present, so '{0}' is protected."
 },
 "Error": {
 "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this."
@@ -1268,13 +1268,13 @@
 "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm."
 },
 "Warning_NativeWithInsecureStaticLibraryCompilands": {
- "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
+ "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
 },
 "Error_Managed": {
 "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing."
 },
 "Error_NativeWithInsecureDirectCompilands": {
- "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
+ "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
 },
 "NotApplicable_InvalidMetadata": {
 "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif
index 71fbeb981..e58426b37 100644
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_AnyCPU_VS2017_Prefer32Bit.exe.sarif
@@ -775,7 +775,7 @@
 },
 "messageStrings": {
 "Error": {
- "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}"
+ "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}"
 },
 "Error_BadModule": {
 "text": "built with {0} compiler version {1} (Front end version {2})"
@@ -806,10 +806,10 @@
 "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code."
 },
 "Error_WarningsDisabled": {
- "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}"
+ "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}"
 },
 "Error_InsufficientWarningLevel": {
- "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}"
+ "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}"
 },
 "Error_UnknownModuleLanguage": {
 "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}"
@@ -1036,16 +1036,16 @@
 },
 "messageStrings": {
 "Warning": {
- "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}"
+ "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}"
 },
 "Warning_OptimizationsDisabled": {
- "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}"
+ "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}"
 },
 "Warning_SpectreMitigationNotEnabled": {
- "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}"
+ "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}"
 },
 "Warning_SpectreMitigationExplicitlyDisabled": {
- "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}"
+ "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}"
 },
 "Pass": {
 "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities."
@@ -1205,7 +1205,7 @@
 },
 "messageStrings": {
 "Pass": {
- "text": "The enable non-executable stack flag was present, so '{0}' is protected."
+ "text": "The non-executable stack flag was present, so '{0}' is protected."
 },
 "Error": {
 "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this."
@@ -1302,13 +1302,13 @@
 "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm."
 },
 "Warning_NativeWithInsecureStaticLibraryCompilands": {
- "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
+ "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
 },
 "Error_Managed": {
 "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing."
 },
 "Error_NativeWithInsecureDirectCompilands": {
- "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}"
+ "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}"
 },
 "NotApplicable_InvalidMetadata": {
 "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}."
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif
index ac2a4459b..c68b411e4 100644
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x64_VS2015_FSharp.exe.sarif
@@ -777,7 +777,7 @@
 },
 "messageStrings": {
 "Error": {
- "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}"
+ "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}"
 },
 "Error_BadModule": {
 "text": "built with {0} compiler version {1} (Front end version {2})"
@@ -808,10 +808,10 @@
 "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code."
 },
 "Error_WarningsDisabled": {
- "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}"
+ "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}"
 },
 "Error_InsufficientWarningLevel": {
- "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\nModules triggering this check: {3}"
+ "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}"
 },
 "Error_UnknownModuleLanguage": {
 "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}"
@@ -1060,16 +1060,16 @@
 },
 "messageStrings": {
 "Warning": {
- "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}"
+ "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}"
 },
 "Warning_OptimizationsDisabled": {
- "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}"
+ "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}"
 },
 "Warning_SpectreMitigationNotEnabled": {
- "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}"
+ "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}"
 },
 "Warning_SpectreMitigationExplicitlyDisabled": {
- "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}"
+ "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}"
 },
 "Pass": {
 "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities."
@@ -1229,7 +1229,7 @@
 },
 "messageStrings": {
 "Pass": {
- "text": "The enable non-executable stack flag was present, so '{0}' is protected."
+ "text": "The non-executable stack flag was present, so '{0}' is protected."
 },
 "Error": {
 "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this."
@@ -1326,13 +1326,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif index c9060e047..cf094605f 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2013_Wpf.exe.sarif @@ -775,7 +775,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -806,10 +806,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1036,16 +1036,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1205,7 +1205,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1302,13 +1302,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif index 419e1c709..a9c7d2284 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Managed_x86_VS2015_FSharp.dll.sarif @@ -775,7 +775,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -806,10 +806,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1036,16 +1036,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1205,7 +1205,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1302,13 +1302,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif index c5f161dc6..a66e71123 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_Default.dll.sarif @@ -958,7 +958,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1105,13 +1105,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1158,7 +1158,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1189,10 +1189,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1472,16 +1472,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif index 77c71880b..ba06ca1f7 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2013_NoPdb.exe.sarif 
@@ -706,7 +706,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif index 7ca0bb516..8c2601351 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x64_VS2015_Default.exe.sarif @@ -925,7 +925,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
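Review bot: The `Error` text kept as context in this hunk tells the user to fix the finding by "compiling with the flag '-z noexecstack'", but `-z noexecstack` is a linker option and has no effect on a compile-only step. The same string appears in the other baselines touched for this rule. The string presumably comes from the rule's resource file, which is outside this hunk, so the wording fix belongs there with the baselines regenerated. A clearer remediation would be `Ensure you are linking with '-z noexecstack' (for example '-Wl,-z,noexecstack' through the compiler driver)`. The phrase "can have a vulnerability of execution of the data written on the stack" would also read better as `data written to the stack could be executed as code`.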
@@ -1072,13 +1072,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1125,7 +1125,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1156,10 +1156,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1470,16 +1470,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif index e2d8f5a10..80a9de3fc 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_Default.exe.sarif 
@@ -894,7 +894,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1016,13 +1016,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1069,7 +1069,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1100,10 +1100,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1467,16 +1467,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif index 8f046ea73..4afda1558 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2013_MissingPdb.dll.sarif 
@@ -709,7 +709,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif index 25b5be9de..89b67ceae 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/MixedMode_x86_VS2015_Default.exe.sarif @@ -894,7 +894,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1016,13 +1016,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1069,7 +1069,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1100,10 +1100,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1467,16 +1467,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif index 4f9d1594d..97fec65e8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_ARM_VS2015_CvtresResourceOnly.dll.sarif 
@@ -757,7 +757,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -788,10 +788,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1046,16 +1046,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1215,7 +1215,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif index 7d45783f8..fffd60415 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2013_Default.dll.sarif @@ -958,7 +958,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1105,13 +1105,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1158,7 +1158,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1189,10 +1189,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1472,16 +1472,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif index 261e05dd4..b110136fa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_CvtresResourceOnly.dll.sarif 
@@ -757,7 +757,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -788,10 +788,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1046,16 +1046,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1215,7 +1215,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif index fc0236f7a..8c5af28d9 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2015_Default.dll.sarif @@ -927,7 +927,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1074,13 +1074,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1127,7 +1127,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1158,10 +1158,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1469,16 +1469,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif index e2f51ad25..93dbcb1c3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x64_VS2019_Atl_NoPdbGenerated.dll.sarif 
@@ -708,7 +708,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif index 1fabbdfc2..58e369144 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_Default.exe.sarif @@ -928,7 +928,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
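Review bot: The `Error` string next to the corrected `Pass` text needs the same wording pass, since it is the remediation guidance a user sees when the check fails. "can have a vulnerability of execution of the data written on the stack" is hard to parse, and `-z noexecstack` is a linker option rather than a compile flag, so "Ensure you are compiling with the flag" may send readers to the wrong build step. Something like `The non-executable stack is not enabled for '{0}', so data written to the stack could be executed as code. Link with '-z noexecstack' to address this.` would be clearer. The string presumably originates in RuleResources.resx, outside this hunk, so the edit belongs there. The same text repeats as context in the other .sarif hunks.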
@@ -1050,13 +1050,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1103,7 +1103,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1134,10 +1134,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1470,16 +1470,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif index b0151cfca..9dbb502eb 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_PdbMissing.exe.sarif 
@@ -709,7 +709,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif index 71ddf7979..49841003c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2013_ResourceOnly.dll.sarif 
@@ -780,7 +780,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -811,10 +811,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1069,16 +1069,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1238,7 +1238,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1335,13 +1335,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif index 3591e2074..d6b6802fd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_AtlProxyStubPS.dll.sarif @@ -898,7 +898,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1020,13 +1020,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1073,7 +1073,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1104,10 +1104,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1468,16 +1468,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif index f902ac38a..1cf2fdd9b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_CvtresResourceOnly.dll.sarif 
@@ -757,7 +757,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -788,10 +788,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1046,16 +1046,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1215,7 +1215,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif index 449ad8313..0b9ef430f 100644 
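Review bot: The reworded Pass message in the `@@ -1215,7 +1215,7 @@` hunk still ends with "so '{0}' is protected", which overstates what the check establishes. A non-executable stack only stops data placed on the stack from being run as code, and it does not address code-reuse techniques or other memory-safety defects. I would state the property instead, e.g. `"The non-executable stack flag was present, so data written to the stack of '{0}' cannot be executed as code."`. The neighbouring Error text has a related wording issue: `-z noexecstack` takes effect at link time, so "Ensure you are linking with the flag '-z noexecstack'" would be more accurate than "compiling with". Both strings recur unchanged in the later baseline hunks for this rule, so the fix belongs in the rule's resource strings.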
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default.exe.sarif @@ -897,7 +897,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1019,13 +1019,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1072,7 +1072,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1103,10 +1103,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1467,16 +1467,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif index c6f731569..3dcfef325 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2015_Default_Debug.dll.sarif 
@@ -897,7 +897,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1019,13 +1019,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1072,7 +1072,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1103,10 +1103,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1467,16 +1467,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif index 4c2d99ad0..5c88908b6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Native_x86_VS2017_15.5.4_PdbStripped.dll.sarif 
@@ -679,7 +679,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif index f73d94833..3cc6eb9d3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM64_VS2019_Cpp.dll.sarif 
@@ -817,16 +817,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -986,7 +986,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
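Review bot: The `\n` to `\r\n` substitutions in the Spectre message strings of this hunk are unrelated to the non-executable stack rule and look like a line-ending side effect of regenerating the baselines, presumably because the resource file was saved with CRLF. If that is the cause, the expected text now depends on how the resource file is checked out, so these baseline comparisons can fail on a platform or git configuration that yields LF. Pinning the file's line endings, for example `src/BinSkim.Rules/RuleResources.resx text eol=lf` in `.gitattributes`, and regenerating would leave only the `Pass` wording change in these files. The same substitution recurs in the later hunks of this baseline (`@@ -1133`, `@@ -1186`, `@@ -1217`) and in the Uwp_ARM_VS2017_VB and Uwp_AnyCpu_VS2019_Vb_ClassLibrary baselines.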
@@ -1133,13 +1133,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1186,7 +1186,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1217,10 +1217,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif index df8588121..5c66247dc 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.dll.sarif @@ -931,7 +931,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif index 4669fd17b..9784cbcf9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2015_DefaultBlankApp.exe.sarif @@ -739,7 +739,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif index 9ae72639b..0b1a61678 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_ARM_VS2017_VB.dll.sarif 
@@ -777,7 +777,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -808,10 +808,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1066,16 +1066,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1235,7 +1235,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1332,13 +1332,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif index a85e26e6f..c90f3a2b5 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_AnyCpu_VS2019_Vb_ClassLibrary.dll.sarif 
@@ -775,7 +775,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -806,10 +806,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1036,16 +1036,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1205,7 +1205,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1302,13 +1302,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif index 905189c31..b1dd84289 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.dll.sarif @@ -931,7 +931,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif index bfe5acc5f..4f122f1af 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2015_DefaultBlankApp.exe.sarif 
@@ -706,7 +706,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif index e1ec82f1d..1fe7eacd3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2017_Cpp.dll.sarif 
@@ -787,16 +787,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -956,7 +956,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1078,13 +1078,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1131,7 +1131,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1162,10 +1162,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif index 921e66202..f0ccb7f7a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x64_VS2019_Cpp_DirectX12.exe.sarif 
@@ -784,16 +784,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -953,7 +953,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1100,13 +1100,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1153,7 +1153,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1184,10 +1184,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif index 862b39010..366d60c1e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.dll.sarif @@ -901,7 +901,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif index b765c05aa..c8b20d4ee 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2015_DefaultBlankApp.exe.sarif @@ -709,7 +709,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif index 3d668e4d5..37b88ffe8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Uwp_x86_VS2017_Cpp_DirectX11.exe.sarif 
@@ -787,16 +787,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -956,7 +956,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
@@ -1078,13 +1078,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -1131,7 +1131,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -1162,10 +1162,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif index 264009b58..a0964fb1b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/Wix_3.11.1_VS2017_Bootstrapper.exe.sarif 
@@ -778,13 +778,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -803,7 +803,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -834,10 +834,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1005,16 +1005,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1174,7 +1174,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif index d789dee1f..0d6e293de 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.default_compilation.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1409,7 +1409,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif index a05ce70f9..c485ef311 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1407,7 +1407,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif index 33584bf43..ffbce6bbf 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.execstack.so.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1408,7 +1408,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif index 3b81ca244..0d41fb564 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.immediate_binding.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1410,7 +1410,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif index 626ef2b9b..9098e121c 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_immediate_binding.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1409,7 +1409,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif index 031290e0a..7847c7c9e 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.no_stack_protector.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1409,7 +1409,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif index 0a4a610fa..97352be34 100644 
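Review bot: The reworded `Pass` message in the `@@ -1409,7 +1409,7 @@` hunk still concludes that '{0}' "is protected", which overstates what the check establishes. A non-executable stack is one mitigation, and a reader triaging results may take "protected" as a broader assurance. Wording limited to the observed fact would be safer, e.g. `"text": "The non-executable stack flag was present, so the stack of '{0}' is not marked executable."`. The neighbouring `Error` context line also describes `-z noexecstack` as a compile flag although it is a linker option, so "linking with" would be more accurate there. These strings presumably originate in RuleResources.resx, so the change belongs there and the baselines follow; the same text appears in the matching hunk of each other baseline file.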
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1409,7 +1409,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif index aa084c70a..ff5e58cad 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.noexecstack.so.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1410,7 +1410,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif index 34a0abed9..8abe02fcb 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.non_pie_executable.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1409,7 +1409,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif index 56c2d3fc6..faee1df38 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.object_file.o.sarif 
@@ -770,13 +770,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -823,7 +823,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
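Review bot: The message strings on the new side of this hunk now embed `\r\n` where they had `\n` (Warning_NativeWithInsecureStaticLibraryCompilands and Error_NativeWithInsecureDirectCompilands), so the expected text depends on line-ending settings rather than on any change to the rule. The same substitution repeats in the later hunks of this file (tool-version, warning-level and Spectre messages) and in the clang.pie_executable, clang.relocationsro and clang.relocationsrw baselines. This looks like the message resource file having been saved with CRLF line endings, though the resource file is not visible here, so that is inferred. If that is the cause, I would keep `\n` in the resource strings, or normalise line endings before the baseline comparison. The only intended baseline change would then be the reworded non-executable stack Pass message.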
@@ -854,10 +854,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1249,16 +1249,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1396,7 +1396,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif index 393765e5c..975e29130 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.pie_executable.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1410,7 +1410,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif index 711ec9bef..1193d56ef 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsro.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1409,7 +1409,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif index 0ecd27851..8438a8399 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.relocationsrw.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1408,7 +1408,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif index 7ca947325..2231c4c3e 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.shared_library.so.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1410,7 +1410,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif index fac12110d..1875ec1e9 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.sarif 
@@ -756,13 +756,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -809,7 +809,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -840,10 +840,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1235,16 +1235,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1410,7 +1410,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif index f85a18d37..0626f6178 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/clang.stack_protector.so.sarif 
@@ -757,13 +757,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -810,7 +810,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -841,10 +841,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1236,16 +1236,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1411,7 +1411,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif index 5c5f06a2e..0c39b0e49 100644 
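Review bot: The reworded Pass string in the `@@ -1411,7 +1411,7 @@` hunk still ends with `so '{0}' is protected`, which claims more than a non-executable stack provides: the flag only prevents data written to the stack from being executed. Wording such as `The non-executable stack flag was present, so '{0}' is protected against execution of data written to the stack.` keeps a passing result from reading as a general clean bill of health. The unchanged Error text beside it says to compile with `-z noexecstack`, which is a link-time option, so "compiling and linking" would be more precise there. This baseline only mirrors the rule's resource string (presumably in RuleResources.resx, listed in the diffstat), so the change belongs in that file. The same Pass string recurs in the gcc.default_compilation, gcc.execstack and gcc.execstack.so baselines further down.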
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.default_compilation.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1379,7 +1379,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif index 419a51121..20b2b713a 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.sarif 
@@ -751,13 +751,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -804,7 +804,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -835,10 +835,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1230,16 +1230,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1377,7 +1377,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif index 963b58f26..9bdf442d4 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.execstack.so.sarif 
@@ -752,13 +752,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -805,7 +805,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -836,10 +836,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1231,16 +1231,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1378,7 +1378,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif index 287bfd7c4..97a63e147 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.fortified.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
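Review bot: Both changed lines in the `@@ -754,13 +754,13 @@` hunk of gcc.fortified.sarif only swap `\n` for `\r\n` inside the MD5 source-hashing messages, which have nothing to do with BA3006. The tool-version, warning-level and Spectre hunks that follow in this file and the later baselines show the same swap. This looks like the resource file being saved with CRLF line endings rather than an intended wording change, which would make the expected baselines depend on how the resources are checked out. If that is the cause, pinning the line endings (for example `*.resx text eol=lf` in .gitattributes) or normalising newlines before the baseline comparison would keep this churn out of a rule-adding commit.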
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1380,7 +1380,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif index afc18d819..5122ecbeb 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif 
@@ -774,13 +774,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -827,7 +827,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -858,10 +858,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1253,16 +1253,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1422,7 +1422,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." 
diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif index da61c20b5..fbec914c7 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif 
@@ -775,13 +775,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -828,7 +828,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -859,10 +859,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1254,16 +1254,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1423,7 +1423,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif index 9514f0864..68457260c 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.execstack.5.o.sarif 
@@ -774,13 +774,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -827,7 +827,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -858,10 +858,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1253,16 +1253,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1422,7 +1422,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif index 21cecee2e..d3e86a236 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.nodwarf.sarif 
@@ -755,13 +755,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -808,7 +808,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -839,10 +839,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1234,16 +1234,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1381,7 +1381,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif index 2ce56573e..76429894e 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.helloworld.noexecstack.5.o.sarif 
@@ -776,13 +776,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -829,7 +829,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -860,10 +860,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1255,16 +1255,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1424,7 +1424,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif index 7d336b11b..5c3d4c167 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.immediate_binding.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1380,7 +1380,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif index 3bd83fc67..89fd11a91 100644 
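Review bot: The reworded `Pass` string in the `@@ -1380,7` hunk says `'{0}' is protected` without saying against what. The flag only stops data placed on the stack from being executed, so a passing result can read as a broader assurance than this check gives. Consider `"The non-executable stack flag was present, so '{0}' is protected against execution of data written to the stack."`, which mirrors the wording of the `Error` string next to it. This baseline is presumably regenerated from the rule's resource strings, so the wording would be changed there. The identical hunk appears in the other gcc.*.sarif baselines below.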
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_fortification_required.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1379,7 +1379,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif index 230bd2807..e43425bdc 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_immediate_binding.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1379,7 +1379,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif index 4eb0c5565..973fa8f68 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.no_stack_protector.sarif 
@@ -752,13 +752,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -805,7 +805,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -836,10 +836,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1231,16 +1231,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1378,7 +1378,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif index eea48a014..23d04355c 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1379,7 +1379,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif index ec35c7917..636856948 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.noexecstack.so.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1380,7 +1380,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif index 22237bd95..de8f5118f 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.non_pie_executable.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1379,7 +1379,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif index 3644fe84e..6bd17548f 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.object_file.o.sarif 
@@ -770,13 +770,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -823,7 +823,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -854,10 +854,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1249,16 +1249,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1396,7 +1396,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif index 2827f1a5c..e7c1b1335 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.pie_executable.sarif
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1380,7 +1380,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif index b1702b658..073260be7 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsro.sarif
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1379,7 +1379,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif index 972c60597..f19de591e 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif
+++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.relocationsrw.sarif
@@ -752,13 +752,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -805,7 +805,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -836,10 +836,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1231,16 +1231,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1378,7 +1378,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif index d366a7de8..8de5b3d49 100644 
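Review bot: The reworded Pass message in the `@@ -1378,7` hunk still concludes `so '{0}' is protected`, which overstates the result. A non-executable stack only stops data written to the stack from being run as code, so a reader of the SARIF log could take a pass as a broader guarantee than the check gives. A narrower wording such as `"text": "The non-executable stack flag was present, so data on the stack of '{0}' cannot be executed."` states only what was verified. The unchanged Error text beside it says "compiling with the flag '-z noexecstack'", but that option is consumed by the linker, so "linking with" would be more accurate. Both strings recur in the `@@ -1423,7`, `@@ -1424,7` and `@@ -1380,7` hunks of the following baselines, so the wording belongs in the rule's resource string with the baselines regenerated afterwards; the `messageStrings` object is only partly shown here.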
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.4.o.sarif 
@@ -775,13 +775,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -828,7 +828,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -859,10 +859,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1254,16 +1254,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1423,7 +1423,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif index 668637054..7a8ad4c2c 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.requiredsymbol.5.o.sarif 
@@ -776,13 +776,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -829,7 +829,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -860,10 +860,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1255,16 +1255,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1424,7 +1424,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif index f62ec6d38..767ee6f0f 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.shared_library.so.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1380,7 +1380,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif index cc33acbb6..af97f8abc 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
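Review bot: The new side of the `@@ -753,13 +753,13 @@` hunk replaces `\n` with `\r\n` inside message strings that have nothing to do with the non-executable-stack rule. The same swap recurs in the `-806`, `-837` and `-1232` hunks of this file and in gcc.stack_protector.so.sarif and gcc.unfortified.sarif. This looks like the resource file was re-saved with Windows line endings rather than a deliberate change; if so, the expected baselines now depend on the end-of-line setting of whoever regenerates them, and may not match on a checkout that uses LF. Consider pinning the resource file's line endings in `.gitattributes` (for example `*.resx text eol=lf`), or normalising newlines before the baseline comparison, so that adding a rule does not rewrite unrelated security messages.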
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1379,7 +1379,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif index 6ee0cb96e..51daf6c22 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.stack_protector.so.sarif 
@@ -754,13 +754,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -807,7 +807,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -838,10 +838,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1233,16 +1233,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1380,7 +1380,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this." diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif index bc1524d17..40c1d0f57 100644 
--- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestsData/Expected/gcc.unfortified.sarif 
@@ -753,13 +753,13 @@ "text": "'{0}' is a {1} binary which was compiled with a secure (SHA-256) source code hashing algorithm." }, "Warning_NativeWithInsecureStaticLibraryCompilands": { - "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that links one or more static libraries that include object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "Error_Managed": { "text": "'{0}' is a managed binary compiled with an insecure (SHA-1) source code hashing algorithm. SHA-1 is subject to collision attacks and its use can compromise supply chain integrity. Pass '-checksumalgorithm:SHA256' on the csc.exe command-line or populate the project property with 'SHA256' to enable secure source code hashing." }, "Error_NativeWithInsecureDirectCompilands": { - "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\n{1}" + "text": "'{0}' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. 
Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:\r\n{1}" }, "NotApplicable_InvalidMetadata": { "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." @@ -806,7 +806,7 @@ }, "messageStrings": { "Error": { - "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \n{2}" + "text": "'{0}' was compiled with one or more modules which were not built using minimum required tool versions (compiler version {1}). More recent toolchains contain mitigations that make it more difficult for an attacker to exploit vulnerabilities in programs they produce. To resolve this issue, compile and/or link your binary with more recent tools. If you are servicing a product where the tool chain cannot be modified (e.g. producing a hotfix for an already shipped version) ignore this warning. Modules built outside of policy: \r\n{2}" }, "Error_BadModule": { "text": "built with {0} compiler version {1} (Front end version {2})" 
@@ -837,10 +837,10 @@ "text": "'{0}' was compiled at a secure warning level ({1}) and does not include any modules that disable specific warnings that are required by policy. As a result, it is less likely that memory corruption, information disclosure, double-free and other security-related vulnerabilities exist in code." }, "Error_WarningsDisabled": { - "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\nModules triggering this check were:\n{2}" + "text": "'{0}' disables compiler warning(s) which are required by policy. A compiler warning is typically required if it has a high likelihood of flagging memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, enable the indicated warning(s) by removing /Wxxxx switches (where xxxx is a warning id indicated here) from your command line, and resolve any warnings subsequently raised during compilation. An example compiler command line triggering this check was: {1}\r\nModules triggering this check were:\r\n{2}" }, "Error_InsufficientWarningLevel": { - "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. 
An example compiler command line triggering this check: {2}\nModules triggering this check: {3}" + "text": "'{0}' was compiled at too low a warning level (effective warning level {1} for one or more modules). Warning level 3 enables important static analysis in the compiler to flag bugs that can lead to memory corruption, information disclosure, or double-free vulnerabilities. To resolve this issue, compile at warning level 3 or higher by supplying /W3, /W4, or /Wall to the compiler, and resolve the warnings emitted. An example compiler command line triggering this check: {2}\r\nModules triggering this check: {3}" }, "Error_UnknownModuleLanguage": { "text": "'{0}' contains code from an unknown language, preventing a comprehensive analysis of the compiler warning settings. The language could not be identified for the following modules: {1}" 
@@ -1232,16 +1232,16 @@ }, "messageStrings": { "Warning": { - "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\n{1}" + "text": "'{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). 
This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.\r\n{1}" }, "Warning_OptimizationsDisabled": { - "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\n{0}" + "text": "The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:\r\n{0}" }, "Warning_SpectreMitigationNotEnabled": { - "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\n{0}" + "text": "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\n{0}" }, "Warning_SpectreMitigationExplicitlyDisabled": { - "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\n{0}" + "text": "The following modules were compiled with Spectre mitigations explicitly disabled:\r\n{0}" }, "Pass": { "text": "All linked modules '{0}' were compiled with mitigations enabled that help prevent Spectre (speculative execution side-channel attack) vulnerabilities." @@ -1379,7 +1379,7 @@ }, "messageStrings": { "Pass": { - "text": "The enable non-executable stack flag was present, so '{0}' is protected." + "text": "The non-executable stack flag was present, so '{0}' is protected." }, "Error": { "text": "The non-executable stack is not enabled for this binary, so '{0}' can have a vulnerability of execution of the data written on the stack. Ensure you are compiling with the flag '-z noexecstack' to address this."