diff --git a/docs/BinSkimRules.md b/docs/BinSkimRules.md index 80fb1f0f5..af5812c78 100644 --- a/docs/BinSkimRules.md +++ b/docs/BinSkimRules.md @@ -196,7 +196,7 @@ The BIND_NOW flag is missing from this binary, so relocation sections in '{0}' w --- -## Rule `BA3030.UseCheckedFunctionsWithGcc` +## Rule `BA3030.UseGccCheckedFunctions` ### Description @@ -226,6 +226,32 @@ No checked functions are present/used when compiling '{0}', and it was compiled --- +## Rule `BA3031.EnableClangSafeStack` + +### Description + +The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. + +### Messages + +#### `Pass`: Pass + +'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows. + +#### `Error`: Error + +'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. + +#### `ClangVersionMayNeedUpgrade`: Error + +'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it. + +#### `InvalidMetadata`: NotApplicable + +'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}. + +--- + ## Rule `BA5001.EnablePositionIndependentExecutableMachO` ### Description diff --git a/docs/FunctionalTestBuildScripts.md b/docs/FunctionalTestBuildScripts.md index 8b320bbfe..2049a6ff9 100644 --- a/docs/FunctionalTestBuildScripts.md +++ b/docs/FunctionalTestBuildScripts.md @@ -4,6 +4,52 @@ This file records scripts used to compile the test files, in alphabetical order. Base scenario is a simple hello world program built with different parameters for testing purpose. Test files are located in [BaselineTestData](https://github.com/microsoft/binskim/tree/main/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData) and [FunctionalTestData](https://github.com/microsoft/binskim/tree/main/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData). +## ARM_CETShadowStack_NotApplicable.exe + +A simple C++ hellow world program, cross compiled using CMake with the `cl.exe` compiler and `Ninja` generator. +`CMakePresets.json` should be configured with a `configurePresets` as below: + +```json +{ + "name": "arm-release", + "displayName": "ARM Release", + "inherits": "windows-base", + "architecture": { + "value": "arm", + "strategy": "external" + }, + "cacheVariables": { + "CMAKE_BUILD_TYPE": "RelWithDebInfo" + } +}, +``` + +## ARM64_CETShadowStack_NotApplicable.exe + +A simple C++ hellow world program, cross compiled using CMake using the `cl.exe` compiler and `Ninja` generator. +`CMakePresets.json` should be configured with a `configurePresets` as below: + +```json +{ + "name": "arm64-release", + "displayName": "ARM64 Release", + "inherits": "windows-base", + "architecture": { + "value": "arm64", + "strategy": "external" + }, + "cacheVariables": { + "CMAKE_BUILD_TYPE": "RelWithDebInfo" + } +}, +``` + +## clang.[version].elf.[c,cpp].[no_]safe_stack + +A simple hello world C/C++ program, compiled with different `clang [version]` that generates a executable file. Script to reproduce: +`clang++-14 -Wall hellocpp.cpp -O2 -g -gdwarf-5 -o clang.14.elf.cpp.no_safe_stack` +`clang-7 -Wall helloc.c -O2 -g -gdwarf-5 -o clang.7.elf.c.safe_stack -fsanitize=safe-stack` + ## clang.object_file.dwarf.3.o A simple hello world program, compiled with `clang 10.0.0` that generates a .o object file. Script to reproduce: @@ -47,40 +93,3 @@ Also create two user functions `userfn_use_safebuffers_1()` and `userfn_use_safe A simple `Windows Kernel Mode Driver` program, created with `Visual Studio 2019` that generates a .exe and associated .pdb file. Code to reproduce: Use `NTSTATUS GsDriverEntry(_In_ PDRIVER_OBJECT DriverObject, _In_ PUNICODE_STRING RegistryPath)` as entry point and do not decorated with `__declspec(safebuffers)`. No user functions decorated with `__declspec(safebuffers)`. - -## ARM64_CETShadowStack_NotApplicable.exe -A simple C++ hellow world program, cross compiled using CMake using the `cl.exe` compiler and `Ninja` generator. -`CMakePresets.json` should be configured with a `configurePresets` as below: -``` -{ - "name": "arm64-release", - "displayName": "ARM64 Release", - "inherits": "windows-base", - "architecture": { - "value": "arm64", - "strategy": "external" - }, - "cacheVariables": { - "CMAKE_BUILD_TYPE": "RelWithDebInfo" - } -}, -``` - -## ARM_CETShadowStack_NotApplicable.exe - -A simple C++ hellow world program, cross compiled using CMake with the `cl.exe` compiler and `Ninja` generator. -`CMakePresets.json` should be configured with a `configurePresets` as below: -``` -{ - "name": "arm-release", - "displayName": "ARM Release", - "inherits": "windows-base", - "architecture": { - "value": "arm", - "strategy": "external" - }, - "cacheVariables": { - "CMAKE_BUILD_TYPE": "RelWithDebInfo" - } -}, -``` \ No newline at end of file diff --git a/src/BinSkim.Rules/ElfRules/BA3001.EnablePositionIndependentExecutable.cs b/src/BinSkim.Rules/ElfRules/BA3001.EnablePositionIndependentExecutable.cs index 3bf9faa71..e7b69e230 100644 --- a/src/BinSkim.Rules/ElfRules/BA3001.EnablePositionIndependentExecutable.cs +++ b/src/BinSkim.Rules/ElfRules/BA3001.EnablePositionIndependentExecutable.cs @@ -43,7 +43,7 @@ public override AnalysisApplicability CanAnalyzeElf(ElfBinary target, Sarif.Prop if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) { - reasonForNotAnalyzing = reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject; + reasonForNotAnalyzing = reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrRelocatable; return AnalysisApplicability.NotApplicableToSpecifiedTarget; } diff --git a/src/BinSkim.Rules/ElfRules/BA3002.DoNotMarkStackAsExecutable.cs b/src/BinSkim.Rules/ElfRules/BA3002.DoNotMarkStackAsExecutable.cs index e190365b9..58e6da980 100644 --- a/src/BinSkim.Rules/ElfRules/BA3002.DoNotMarkStackAsExecutable.cs +++ b/src/BinSkim.Rules/ElfRules/BA3002.DoNotMarkStackAsExecutable.cs @@ -46,7 +46,7 @@ public override AnalysisApplicability CanAnalyzeElf(ElfBinary target, Sarif.Prop if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) { - reasonForNotAnalyzing = reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject; + reasonForNotAnalyzing = reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrRelocatable; return AnalysisApplicability.NotApplicableToSpecifiedTarget; } diff --git a/src/BinSkim.Rules/ElfRules/BA3010.EnableReadOnlyRelocations.cs b/src/BinSkim.Rules/ElfRules/BA3010.EnableReadOnlyRelocations.cs index 8d82b1e41..ff7176828 100644 --- a/src/BinSkim.Rules/ElfRules/BA3010.EnableReadOnlyRelocations.cs +++ b/src/BinSkim.Rules/ElfRules/BA3010.EnableReadOnlyRelocations.cs @@ -43,7 +43,7 @@ public override AnalysisApplicability CanAnalyzeElf(ElfBinary target, Sarif.Prop if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) { - reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject; + reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrRelocatable; return AnalysisApplicability.NotApplicableToSpecifiedTarget; } diff --git a/src/BinSkim.Rules/ElfRules/BA3011.EnableBindNow.cs b/src/BinSkim.Rules/ElfRules/BA3011.EnableBindNow.cs index affced1c6..14e5964e7 100644 --- a/src/BinSkim.Rules/ElfRules/BA3011.EnableBindNow.cs +++ b/src/BinSkim.Rules/ElfRules/BA3011.EnableBindNow.cs @@ -46,7 +46,7 @@ public override AnalysisApplicability CanAnalyzeElf(ElfBinary target, Properties if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) { - reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject; + reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrRelocatable; return AnalysisApplicability.NotApplicableToSpecifiedTarget; } diff --git a/src/BinSkim.Rules/ElfRules/BA3030.UseCheckedFunctionsWithGCC.cs b/src/BinSkim.Rules/ElfRules/BA3030.UseGccCheckedFunctions.cs similarity index 97% rename from src/BinSkim.Rules/ElfRules/BA3030.UseCheckedFunctionsWithGCC.cs rename to src/BinSkim.Rules/ElfRules/BA3030.UseGccCheckedFunctions.cs index 61d243f24..5069c3b15 100644 --- a/src/BinSkim.Rules/ElfRules/BA3030.UseCheckedFunctionsWithGCC.cs +++ b/src/BinSkim.Rules/ElfRules/BA3030.UseGccCheckedFunctions.cs @@ -16,7 +16,7 @@ namespace Microsoft.CodeAnalysis.IL.Rules { [Export(typeof(Skimmer)), Export(typeof(ReportingDescriptor))] - public class UseCheckedFunctionsWithGcc : ElfBinarySkimmer + public class UseGccCheckedFunctions : ElfBinarySkimmer { // This list comes from listing all of the functions available in glibc (using readelf), // then filtering to ones with a checked variant (_*_chk). @@ -102,7 +102,7 @@ public class UseCheckedFunctionsWithGcc : ElfBinarySkimmer /// /// BA3030 /// - public override string Id => RuleIds.UseCheckedFunctionsWithGcc; + public override string Id => RuleIds.UseGccCheckedFunctions; /// /// The stack protector ensures that all functions that use buffers over a certain size will @@ -110,7 +110,7 @@ public class UseCheckedFunctionsWithGcc : ElfBinarySkimmer // smashing is detected.Use '--fstack-protector-strong' (all buffers of 4 bytes or more) or // '--fstack-protector-all' (all functions) to enable this. /// - public override MultiformatMessageString FullDescription => new MultiformatMessageString { Text = RuleResources.BA3030_UseCheckedFunctionsWithGcc_Description }; + public override MultiformatMessageString FullDescription => new MultiformatMessageString { Text = RuleResources.BA3030_UseGccCheckedFunctions_Description }; protected override IEnumerable MessageResourceNames => new string[] { nameof(RuleResources.BA3030_Pass_AllFunctionsChecked), @@ -126,7 +126,7 @@ public override AnalysisApplicability CanAnalyzeElf(ElfBinary target, Sarif.Prop if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) { - reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrObject; + reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrRelocatable; return AnalysisApplicability.NotApplicableToSpecifiedTarget; } diff --git a/src/BinSkim.Rules/ElfRules/BA3031.EnableClangSafeStack.cs b/src/BinSkim.Rules/ElfRules/BA3031.EnableClangSafeStack.cs new file mode 100644 index 000000000..74dcf597e --- /dev/null +++ b/src/BinSkim.Rules/ElfRules/BA3031.EnableClangSafeStack.cs @@ -0,0 +1,104 @@ +// Copyright (c) Microsoft. All rights reserved. +// Licensed under the MIT license. See LICENSE file in the project root for full license information. + +using System.Collections.Generic; +using System.Composition; +using System.Linq; + +using ELFSharp.ELF; +using ELFSharp.ELF.Sections; + +using Microsoft.CodeAnalysis.BinaryParsers; +using Microsoft.CodeAnalysis.IL.Sdk; +using Microsoft.CodeAnalysis.Sarif; +using Microsoft.CodeAnalysis.Sarif.Driver; + +namespace Microsoft.CodeAnalysis.IL.Rules +{ + [Export(typeof(Skimmer)), Export(typeof(ReportingDescriptor))] + public class EnableClangSafeStack : ElfBinarySkimmer + { + // Symbol is the same for both C and C++, despite the "cpp" or "cc" in file name. + // Clang V7 - V9: "safestack.cc.o" + // Clang V10 - V14: "safestack.cpp.o" + private static readonly string[] symbolSafeStack = new string[] { "safestack.cpp.o", "safestack.cc.o" }; + + /// + /// BA3031 + /// + public override string Id => RuleIds.EnableClangSafeStack; + + /// + /// The SafeStack instrumentation pass protects programs by implementing two separate program stacks, + /// one for return addresses and local variables, and the other for everything else. + /// To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. + /// + public override MultiformatMessageString FullDescription => new MultiformatMessageString { Text = RuleResources.BA3031_EnableClangSafeStack_Description }; + + protected override IEnumerable MessageResourceNames => new string[] { + nameof(RuleResources.BA3031_Pass), + nameof(RuleResources.BA3031_Error), + nameof(RuleResources.BA3031_Error_ClangVersionMayNeedUpgrade), + nameof(RuleResources.NotApplicable_InvalidMetadata) + }; + + public override AnalysisApplicability CanAnalyzeElf(ElfBinary target, Sarif.PropertiesDictionary policy, out string reasonForNotAnalyzing) + { + IELF elf = target.ELF; + + if (elf.Type == FileType.Core || elf.Type == FileType.None || elf.Type == FileType.Relocatable) + { + reasonForNotAnalyzing = MetadataConditions.ElfIsCoreNoneOrRelocatable; + return AnalysisApplicability.NotApplicableToSpecifiedTarget; + } + + if (!target.Compilers.Any(c => c.Compiler == ElfCompilerType.Clang)) + { + reasonForNotAnalyzing = MetadataConditions.ElfNotBuiltWithClang; + return AnalysisApplicability.NotApplicableToSpecifiedTarget; + } + + reasonForNotAnalyzing = null; + return AnalysisApplicability.ApplicableToSpecifiedTarget; + } + + /// + /// Checks if SafeStack is enabled by Symbols. + /// + public override void Analyze(BinaryAnalyzerContext context) + { + IELF elf = context.ElfBinary().ELF; + + IEnumerable symbols = ElfUtility.GetAllSymbols(elf); + + foreach (ISymbolEntry symbol in symbols) + { + if (symbol.Type == SymbolType.File && symbolSafeStack.Contains(symbol.Name)) + { + context.Logger.Log(this, + RuleUtilities.BuildResult(ResultKind.Pass, context, null, + nameof(RuleResources.BA3031_Pass), + context.TargetUri.GetFileName())); + return; + } + } + + // SafeStack was first introduced in Clang 3.7.0 + // https://releases.llvm.org/3.7.0/tools/clang/docs/SafeStack.html + if (!context.ElfBinary().Compilers.Any(c => c.Compiler == ElfCompilerType.Clang && + (c.Version.Major >= 4 || (c.Version.Major == 3 && c.Version.Minor >= 7)))) + { + context.Logger.Log(this, + RuleUtilities.BuildResult(FailureLevel.Error, context, null, + nameof(RuleResources.BA3031_Error_ClangVersionMayNeedUpgrade), + context.TargetUri.GetFileName())); + return; + } + + context.Logger.Log(this, + RuleUtilities.BuildResult(FailureLevel.Error, context, null, + nameof(RuleResources.BA3031_Error), + context.TargetUri.GetFileName())); + } + } +} diff --git a/src/BinSkim.Rules/RuleIds.cs b/src/BinSkim.Rules/RuleIds.cs index 7ab17dd45..0458e8366 100644 --- a/src/BinSkim.Rules/RuleIds.cs +++ b/src/BinSkim.Rules/RuleIds.cs @@ -60,7 +60,8 @@ internal static class RuleIds // BA3012-3029 -- saved for future non-compiler/language specific checks. // Compiler/Language specific checks follow. - public const string UseCheckedFunctionsWithGcc = "BA3030"; + public const string UseGccCheckedFunctions = "BA3030"; + public const string EnableClangSafeStack = "BA3031"; // Reporting checks public const string ReportPortableExecutableCompilerData = "BA4001"; diff --git a/src/BinSkim.Rules/RuleResources.Designer.cs b/src/BinSkim.Rules/RuleResources.Designer.cs index 812215713..905e66256 100644 --- a/src/BinSkim.Rules/RuleResources.Designer.cs +++ b/src/BinSkim.Rules/RuleResources.Designer.cs @@ -1261,9 +1261,45 @@ internal static string BA3030_Pass_SomeFunctionsChecked { /// /// Looks up a localized string similar to GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2').. /// - internal static string BA3030_UseCheckedFunctionsWithGcc_Description { + internal static string BA3030_UseGccCheckedFunctions_Description { get { - return ResourceManager.GetString("BA3030_UseCheckedFunctionsWithGcc_Description", resourceCulture); + return ResourceManager.GetString("BA3030_UseGccCheckedFunctions_Description", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines.. + /// + internal static string BA3031_EnableClangSafeStack_Description { + get { + return ResourceManager.GetString("BA3031_EnableClangSafeStack_Description", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to '{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines.. + /// + internal static string BA3031_Error { + get { + return ResourceManager.GetString("BA3031_Error", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to '{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it.. + /// + internal static string BA3031_Error_ClangVersionMayNeedUpgrade { + get { + return ResourceManager.GetString("BA3031_Error_ClangVersionMayNeedUpgrade", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to '{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows.. + /// + internal static string BA3031_Pass { + get { + return ResourceManager.GetString("BA3031_Pass", resourceCulture); } } diff --git a/src/BinSkim.Rules/RuleResources.resx b/src/BinSkim.Rules/RuleResources.resx index f1c575c50..3d21e89e3 100644 --- a/src/BinSkim.Rules/RuleResources.resx +++ b/src/BinSkim.Rules/RuleResources.resx @@ -454,7 +454,7 @@ Modules did not meet the criteria: {1} Some checked functions were found in '{0}'; however, there were also some unchecked functions, which can occur when the compiler cannot statically determine the length of a buffer/string. We recommend reviewing your usage of functions like memcpy or strcpy. - + GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2'). @@ -573,4 +573,16 @@ Modules did not meet the criteria: {1} '{0}' was not evaluated because its PDB could not be loaded ({1}). + + The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. + + + '{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. + + + '{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows. + + + '{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it. + \ No newline at end of file diff --git a/src/BinSkim.Sdk/MetadataConditions.cs b/src/BinSkim.Sdk/MetadataConditions.cs index 7abb9c0e0..0232282ed 100644 --- a/src/BinSkim.Sdk/MetadataConditions.cs +++ b/src/BinSkim.Sdk/MetadataConditions.cs @@ -18,11 +18,11 @@ public static class MetadataConditions public static readonly string ImageIsBootBinary = SdkResources.MetadataCondition_ImageIsBootBinary; public static readonly string ImageIs64BitBinary = SdkResources.MetadataCondition_ImageIs64BitBinary; public static readonly string ElfNotBuiltWithGcc = SdkResources.MetadataCondition_ElfNotBuiltWithGCC; + public static readonly string ElfNotBuiltWithClang = SdkResources.MetadataCondition_ElfNotBuiltWithClang; public static readonly string ElfNotContainSegment = SdkResources.MetadataCondition_ElfNotContainSegment; public static readonly string ImageIsILOnlyAssembly = SdkResources.MetadataCondition_ImageIsILOnlyAssembly; public static readonly string ImageIsNot32BitBinary = SdkResources.MetadataCondition_ImageIsNot32BitBinary; public static readonly string ImageIsNot64BitBinary = SdkResources.MetadataCondition_ImageIsNot64BitBinary; - public static readonly string ElfIsCoreNoneOrObject = SdkResources.MetadataCondition_ElfIsCoreNoneOrObject; public static readonly string ImageIsArm64BitBinary = SdkResources.MetadataCondition_ImageIsArm64BitBinary; public static readonly string ImageIsInteropAssembly = SdkResources.MetadataCondition_ImageIsInteropAssembly; public static readonly string ImageIsMixedModeBinary = SdkResources.MetadataCondition_ImageIsMixedModeBinary; @@ -30,6 +30,7 @@ public static class MetadataConditions public static readonly string ImageIsILLibraryAssembly = SdkResources.MetadataCondition_ImageIsILLibraryAssembly; public static readonly string ImageIsResourceOnlyBinary = SdkResources.MetadataCondition_ImageIsResourceOnlyBinary; public static readonly string ImageIsDotNetNativeBinary = SdkResources.MetadataCondition_ImageIsDotNetNativeBinary; + public static readonly string ElfIsCoreNoneOrRelocatable = SdkResources.MetadataCondition_ElfIsCoreNoneOrRelocatable; public static readonly string ImageIsResourceOnlyAssembly = SdkResources.MetadataCondition_ImageIsResourceOnlyAssembly; public static readonly string ElfNotBuiltWithGccV8OrLater = SdkResources.MetadataCondition_ElfNotBuiltWithGccV8OrLater; public static readonly string ImageIsKernelModeAndNot64Bit = SdkResources.MetadataCondition_ImageIsKernelModeAndNot64Bit; diff --git a/src/BinSkim.Sdk/SdkResources.Designer.cs b/src/BinSkim.Sdk/SdkResources.Designer.cs index 797d937cc..0a5cbf6ec 100644 --- a/src/BinSkim.Sdk/SdkResources.Designer.cs +++ b/src/BinSkim.Sdk/SdkResources.Designer.cs @@ -90,9 +90,18 @@ internal static string MetadataCondition_CouldNotLoadPdb { /// /// Looks up a localized string similar to ELF is not a shared object or executable. /// - internal static string MetadataCondition_ElfIsCoreNoneOrObject { + internal static string MetadataCondition_ElfIsCoreNoneOrRelocatable { get { - return ResourceManager.GetString("MetadataCondition_ElfIsCoreNoneOrObject", resourceCulture); + return ResourceManager.GetString("MetadataCondition_ElfIsCoreNoneOrRelocatable", resourceCulture); + } + } + + /// + /// Looks up a localized string similar to not compiled with Clang. + /// + internal static string MetadataCondition_ElfNotBuiltWithClang { + get { + return ResourceManager.GetString("MetadataCondition_ElfNotBuiltWithClang", resourceCulture); } } diff --git a/src/BinSkim.Sdk/SdkResources.resx b/src/BinSkim.Sdk/SdkResources.resx index 5d3f1043e..96d24c6c2 100644 --- a/src/BinSkim.Sdk/SdkResources.resx +++ b/src/BinSkim.Sdk/SdkResources.resx @@ -186,7 +186,7 @@ An attempt to cast a binary target to a '{0}' failed. This indicates a programming error in rules evaluating that sort of target. - + ELF is not a shared object or executable @@ -246,4 +246,7 @@ image is an ARM binary + + not compiled with Clang + \ No newline at end of file diff --git a/src/ReleaseHistory.md b/src/ReleaseHistory.md index 081731df1..76c495498 100644 --- a/src/ReleaseHistory.md +++ b/src/ReleaseHistory.md @@ -1,5 +1,9 @@ # BinSkim Release History +## Unreleased + +* FEATURE: Add BA3031.EnableClangSafeStack, rename BA3030.UseCheckedFunctionsWithGcc to BA3030.UseGccCheckedFunctions [#663](https://github.com/microsoft/binskim/pull/663) + ## **v1.9.5** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.9.5) * Bump ELFSharp from 2.13.2 to 2.14.0. [#628](https://github.com/microsoft/binskim/pull/628) diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/BinSkim.win-x64.ni.dll.sarif.temp2 b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/BinSkim.win-x64.ni.dll.sarif.temp2 deleted file mode 100644 index d45de7e2b..000000000 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/BinSkim.win-x64.ni.dll.sarif.temp2 +++ /dev/null @@ -1,133 +0,0 @@ -{ - "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.4.json", - "version": "2.1.0", - "runs": [ - { - "results": [ - { - "ruleId": "BA3001", - "ruleIndex": 0, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "BinSkim.win-x64.ni.dll", - "EnablePositionIndependentExecutable", - "image is not an ELF binary" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///E:/src/binskim/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/BinSkim.win-x64.ni.dll", - "index": 0 - } - } - } - ] - }, - { - "ruleId": "BA3002", - "ruleIndex": 1, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "BinSkim.win-x64.ni.dll", - "DoNotMarkStackAsExecutable", - "image is not an ELF binary" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///E:/src/binskim/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/BinSkim.win-x64.ni.dll", - "index": 0 - } - } - } - ] - }, - { - "ruleId": "BA3003", - "ruleIndex": 2, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "BinSkim.win-x64.ni.dll", - "EnableStackProtector", - "image is not an ELF binary" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///E:/src/binskim/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/BinSkim.win-x64.ni.dll", - "index": 0 - } - } - } - ] - }, - { - "ruleId": "BA3010", - "ruleIndex": 3, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "BinSkim.win-x64.ni.dll", - "EnableReadOnlyRelocations", - "image is not an ELF binary" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///E:/src/binskim/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/BinSkim.win-x64.ni.dll", - "index": 0 - } - } - } - ] - }, - { - "ruleId": "BA3030", - "ruleIndex": 4, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "NotApplicable_InvalidMetadata", - "arguments": [ - "BinSkim.win-x64.ni.dll", - "UseCheckedFunctionsWithGcc", - "image is not an ELF binary" - ] - }, - "locations": [ - { - "physicalLocation": { - "artifactLocation": { - "uri": "file:///E:/src/binskim/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/BinSkim.win-x64.ni.dll", - "index": 0 - } - } - } - ] - }, - { - "ruleId": "BA2008", - "ruleIndex": 5, - "kind": "notApplicable", - "level": "none", - "message": { - "id": "N \ No newline at end of file diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/Native_x64_RustC_Rust_debuginfo2_v1.58.1.exe.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/Native_x64_RustC_Rust_debuginfo2_v1.58.1.exe.sarif index 409adc3fb..6943aa758 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/Native_x64_RustC_Rust_debuginfo2_v1.58.1.exe.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/Native_x64_RustC_Rust_debuginfo2_v1.58.1.exe.sarif @@ -951,7 +951,7 @@ }, { "id": "BA2026", - "name": "EnableAdditionalSdlSecurityChecks", + "name": "EnableMicrosoftCompilerSdlSwitch", "fullDescription": { "text": "/sdl enables a superset of the baseline security checks provided by /GS and overrides /GS-. By default, /sdl is off. /sdl- disables the additional security checks." }, @@ -969,7 +969,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableAdditionalSdlSecurityChecks" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA2026EnableMicrosoftCompilerSdlSwitch" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.default_compilation.sarif index 5f6f4d2d9..0aefe853b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.default_compilation.sarif @@ -111,6 +111,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.default_compilation" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.default_compilation", + "index": 0 + } + } + } + ] } ], "tool": { @@ -233,6 +254,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.elf.objectivec.dwarf.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.elf.objectivec.dwarf.sarif index 6a28dac22..184270418 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.elf.objectivec.dwarf.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.elf.objectivec.dwarf.sarif @@ -133,6 +133,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 6, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.elf.objectivec.dwarf" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.elf.objectivec.dwarf", + "index": 0 + } + } + } + ] } ], "tool": { @@ -277,6 +298,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.execstack.sarif index 515a50eaa..69f71bdb2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.execstack.sarif @@ -109,6 +109,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.execstack" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.execstack", + "index": 0 + } + } + } + ] } ], "tool": { @@ -231,6 +252,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.execstack.so.sarif index 252c06e8c..fecae2044 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.execstack.so.sarif @@ -110,6 +110,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.execstack.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.execstack.so", + "index": 0 + } + } + } + ] } ], "tool": { @@ -232,6 +253,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.immediate_binding.sarif index 00928d575..8568075e6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.immediate_binding.sarif @@ -112,6 +112,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.immediate_binding" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.immediate_binding", + "index": 0 + } + } + } + ] } ], "tool": { @@ -234,6 +255,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.no_immediate_binding.sarif index 40279c47a..53a755714 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.no_immediate_binding.sarif @@ -111,6 +111,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.no_immediate_binding" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.no_immediate_binding", + "index": 0 + } + } + } + ] } ], "tool": { @@ -233,6 +254,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.no_stack_protector.sarif index 9936b9713..04694f9b3 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.no_stack_protector.sarif @@ -111,6 +111,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.no_stack_protector" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.no_stack_protector", + "index": 0 + } + } + } + ] } ], "tool": { @@ -233,6 +254,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.noexecstack.sarif index f3b0dc820..d7aac3d85 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.noexecstack.sarif @@ -111,6 +111,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.noexecstack" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.noexecstack", + "index": 0 + } + } + } + ] } ], "tool": { @@ -233,6 +254,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.noexecstack.so.sarif index 3e5259e14..d0d4fb3ee 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.noexecstack.so.sarif @@ -112,6 +112,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.noexecstack.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.noexecstack.so", + "index": 0 + } + } + } + ] } ], "tool": { @@ -234,6 +255,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.non_pie_executable.sarif index b47e42fc3..0b94d1acd 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.non_pie_executable.sarif @@ -111,6 +111,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.non_pie_executable" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.non_pie_executable", + "index": 0 + } + } + } + ] } ], "tool": { @@ -233,6 +254,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.pie_executable.sarif index 75a0387a8..025a48d2a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.pie_executable.sarif @@ -112,6 +112,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.pie_executable" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.pie_executable", + "index": 0 + } + } + } + ] } ], "tool": { @@ -234,6 +255,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.relocationsro.sarif index 32dcba005..a2722269a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.relocationsro.sarif @@ -111,6 +111,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.relocationsro" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.relocationsro", + "index": 0 + } + } + } + ] } ], "tool": { @@ -233,6 +254,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.relocationsrw.sarif index a964775cf..a51d5784e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.relocationsrw.sarif @@ -110,6 +110,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.relocationsrw" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.relocationsrw", + "index": 0 + } + } + } + ] } ], "tool": { @@ -232,6 +253,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.shared_library.so.sarif index 596bcb833..7482a95aa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.shared_library.so.sarif @@ -112,6 +112,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.shared_library.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.shared_library.so", + "index": 0 + } + } + } + ] } ], "tool": { @@ -234,6 +255,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.stack_protector.sarif index 1219a949e..f0b733239 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.stack_protector.sarif @@ -111,6 +111,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.stack_protector" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.stack_protector", + "index": 0 + } + } + } + ] } ], "tool": { @@ -233,6 +254,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.stack_protector.so.sarif index a21bee9cf..d76da6b49 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/clang.stack_protector.so.sarif @@ -112,6 +112,27 @@ } } ] + }, + { + "ruleId": "BA3031", + "ruleIndex": 5, + "level": "error", + "message": { + "id": "Error", + "arguments": [ + "clang.stack_protector.so" + ] + }, + "locations": [ + { + "physicalLocation": { + "artifactLocation": { + "uri": "file:///Z:/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/clang.stack_protector.so", + "index": 0 + } + } + } + ] } ], "tool": { @@ -234,6 +255,31 @@ } }, "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3011EnableBindNow" + }, + { + "id": "BA3031", + "name": "EnableClangSafeStack", + "fullDescription": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "help": { + "text": "The SafeStack instrumentation pass protects programs by implementing two separate program stacks, one for return addresses and local variables, and the other for everything else. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "messageStrings": { + "Pass": { + "text": "'{0}' was compiled using Clang and with the SafeStack instrumentation pass, which mitigates the risk of stack-based buffer overflows." + }, + "Error": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines." + }, + "Error_ClangVersionMayNeedUpgrade": { + "text": "'{0}' was compiled using Clang but without the SafeStack instrumentation pass, which should be used to mitigate the risk of stack-based buffer overflows. To enable SafeStack, pass '-fsanitize=safe-stack' flag to both compile and link command lines. You might need to update your version of Clang to enable it." + }, + "NotApplicable_InvalidMetadata": { + "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." + } + }, + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3031EnableClangSafeStack" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.default_compilation.sarif index 37020bed1..8062abc78 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.default_compilation.sarif @@ -257,7 +257,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -281,7 +281,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.example2.fstackprotectorstrongsspbuffersize8+fnostackprotector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.example2.fstackprotectorstrongsspbuffersize8+fnostackprotector.sarif index 3a3366aab..3f2619323 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.example2.fstackprotectorstrongsspbuffersize8+fnostackprotector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.example2.fstackprotectorstrongsspbuffersize8+fnostackprotector.sarif @@ -392,7 +392,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -416,7 +416,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.execstack.sarif index f580a4664..205cbdbea 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.execstack.sarif @@ -255,7 +255,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -279,7 +279,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.execstack.so.sarif index a33a09161..daaefa747 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.execstack.so.sarif @@ -256,7 +256,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -280,7 +280,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.fortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.fortified.sarif index 217ee5fc9..8b5d97a90 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.fortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.fortified.sarif @@ -258,7 +258,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -282,7 +282,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.gsplitdwarf.5.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.gsplitdwarf.5.sarif index 2e76432e2..2b510b4a9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.gsplitdwarf.5.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.gsplitdwarf.5.sarif @@ -305,7 +305,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -329,7 +329,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif index 12b009058..4047a6153 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.4.o.no-stack-clash-protection.sarif @@ -392,7 +392,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -416,7 +416,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif index f3d40a143..adf0c3c7e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.5.o.no-stack-clash-protection.sarif @@ -393,7 +393,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -417,7 +417,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.execstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.execstack.5.o.sarif index 62494985f..cc3c9d752 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.execstack.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.execstack.5.o.sarif @@ -391,7 +391,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -415,7 +415,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.nodwarf.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.nodwarf.sarif index a36dfc20d..9c01fc7a4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.nodwarf.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.nodwarf.sarif @@ -260,7 +260,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -284,7 +284,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.noexecstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.noexecstack.5.o.sarif index a569b56d0..c6319bde5 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.noexecstack.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.helloworld.noexecstack.5.o.sarif @@ -393,7 +393,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -417,7 +417,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.immediate_binding.sarif index b9f82025f..c7befda92 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.immediate_binding.sarif @@ -258,7 +258,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -282,7 +282,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_fortification_required.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_fortification_required.sarif index 9d9a0bf3e..03f60e014 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_fortification_required.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_fortification_required.sarif @@ -258,7 +258,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -282,7 +282,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_immediate_binding.sarif index 71162933a..bc3186aeb 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_immediate_binding.sarif @@ -257,7 +257,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -281,7 +281,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_stack_protector.sarif index e17ad67f8..0ab1acf0e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.no_stack_protector.sarif @@ -257,7 +257,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -281,7 +281,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.noexecstack.sarif index 3bcf7bb65..73430e914 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.noexecstack.sarif @@ -257,7 +257,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -281,7 +281,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.noexecstack.so.sarif index 5620cac6f..6dbd393bc 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.noexecstack.so.sarif @@ -258,7 +258,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -282,7 +282,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.non_pie_executable.sarif index db4ee473f..664dc72ca 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.non_pie_executable.sarif @@ -257,7 +257,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -281,7 +281,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.objcopy.stripall.addgnudebuglink.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.objcopy.stripall.addgnudebuglink.sarif index 735d6a2f2..5be7de2d1 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.objcopy.stripall.addgnudebuglink.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.objcopy.stripall.addgnudebuglink.sarif @@ -348,7 +348,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -372,7 +372,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.pie_executable.sarif index 2c2bb1acc..c4b0fee13 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.pie_executable.sarif @@ -258,7 +258,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -282,7 +282,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.relocationsro.sarif index b776bc522..a59d6b6aa 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.relocationsro.sarif @@ -257,7 +257,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -281,7 +281,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.relocationsrw.sarif index a0ef6ca4a..a2e514ae2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.relocationsrw.sarif @@ -256,7 +256,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -280,7 +280,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.requiredsymbol.4.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.requiredsymbol.4.o.sarif index bc0d40329..f7db911b1 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.requiredsymbol.4.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.requiredsymbol.4.o.sarif @@ -392,7 +392,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -416,7 +416,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.requiredsymbol.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.requiredsymbol.5.o.sarif index 8ed953ad1..f687763f2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.requiredsymbol.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.requiredsymbol.5.o.sarif @@ -393,7 +393,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -417,7 +417,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.shared_library.so.sarif index 7535680c5..610b42700 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.shared_library.so.sarif @@ -258,7 +258,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -282,7 +282,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.stack_protector.sarif index c56a67f31..6918d5a62 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.stack_protector.sarif @@ -257,7 +257,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -281,7 +281,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.stack_protector.so.sarif index df7152976..b0743d1f2 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.stack_protector.so.sarif @@ -258,7 +258,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -282,7 +282,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.unfortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.unfortified.sarif index c048b0860..ef9758639 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.unfortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/Expected/gcc.unfortified.sarif @@ -257,7 +257,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -281,7 +281,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.default_compilation.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.default_compilation.sarif index befc9a9da..8252d3d2e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.default_compilation.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.default_compilation.sarif @@ -261,7 +261,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -285,7 +285,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.example2.fstackprotectorstrongsspbuffersize8+fnostackprotector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.example2.fstackprotectorstrongsspbuffersize8+fnostackprotector.sarif index 560548b04..2eeaa7a3a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.example2.fstackprotectorstrongsspbuffersize8+fnostackprotector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.example2.fstackprotectorstrongsspbuffersize8+fnostackprotector.sarif @@ -396,7 +396,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -420,7 +420,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.execstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.execstack.sarif index d635a7f75..0e8ca21c6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.execstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.execstack.sarif @@ -259,7 +259,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -283,7 +283,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.execstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.execstack.so.sarif index 8560f144f..4e9c92208 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.execstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.execstack.so.sarif @@ -260,7 +260,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -284,7 +284,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.fortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.fortified.sarif index eff7055a1..652756270 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.fortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.fortified.sarif @@ -262,7 +262,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -286,7 +286,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.gsplitdwarf.5.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.gsplitdwarf.5.sarif index f86046357..6db2d5809 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.gsplitdwarf.5.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.gsplitdwarf.5.sarif @@ -309,7 +309,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -333,7 +333,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.4.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.4.o.no-stack-clash-protection.sarif index 2d6e9dff9..8214ffc67 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.4.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.4.o.no-stack-clash-protection.sarif @@ -396,7 +396,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -420,7 +420,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.5.o.no-stack-clash-protection.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.5.o.no-stack-clash-protection.sarif index 985e516a9..c06790048 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.5.o.no-stack-clash-protection.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.5.o.no-stack-clash-protection.sarif @@ -397,7 +397,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -421,7 +421,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.execstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.execstack.5.o.sarif index 9be93f61f..1493f749a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.execstack.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.execstack.5.o.sarif @@ -395,7 +395,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -419,7 +419,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.nodwarf.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.nodwarf.sarif index 2b2887550..d59f66bbb 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.nodwarf.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.nodwarf.sarif @@ -264,7 +264,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -288,7 +288,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.noexecstack.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.noexecstack.5.o.sarif index bb951d417..3713ec502 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.noexecstack.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.helloworld.noexecstack.5.o.sarif @@ -397,7 +397,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -421,7 +421,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.immediate_binding.sarif index 8a4fe4f08..f325bc8e9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.immediate_binding.sarif @@ -262,7 +262,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -286,7 +286,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_fortification_required.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_fortification_required.sarif index 2b80e9adb..2ec72b670 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_fortification_required.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_fortification_required.sarif @@ -262,7 +262,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -286,7 +286,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_immediate_binding.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_immediate_binding.sarif index eac4d83c6..293868ce9 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_immediate_binding.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_immediate_binding.sarif @@ -261,7 +261,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -285,7 +285,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_stack_protector.sarif index 3f2c0ad62..b36a110a8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.no_stack_protector.sarif @@ -261,7 +261,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -285,7 +285,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.noexecstack.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.noexecstack.sarif index eeb4ff23c..b68e4609b 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.noexecstack.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.noexecstack.sarif @@ -261,7 +261,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -285,7 +285,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.noexecstack.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.noexecstack.so.sarif index 0300745c7..eb231d248 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.noexecstack.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.noexecstack.so.sarif @@ -262,7 +262,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -286,7 +286,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.non_pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.non_pie_executable.sarif index 27a065876..6e762da5e 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.non_pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.non_pie_executable.sarif @@ -261,7 +261,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -285,7 +285,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.objcopy.stripall.addgnudebuglink.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.objcopy.stripall.addgnudebuglink.sarif index ef39551f4..a09f57b10 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.objcopy.stripall.addgnudebuglink.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.objcopy.stripall.addgnudebuglink.sarif @@ -352,7 +352,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -376,7 +376,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.pie_executable.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.pie_executable.sarif index 67656173f..5c67af132 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.pie_executable.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.pie_executable.sarif @@ -262,7 +262,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -286,7 +286,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.relocationsro.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.relocationsro.sarif index d7dbe6f3a..b80a1c72a 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.relocationsro.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.relocationsro.sarif @@ -261,7 +261,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -285,7 +285,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.relocationsrw.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.relocationsrw.sarif index 08cc3016a..0902c05d8 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.relocationsrw.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.relocationsrw.sarif @@ -260,7 +260,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -284,7 +284,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.requiredsymbol.4.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.requiredsymbol.4.o.sarif index 5af48150d..485d1ccca 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.requiredsymbol.4.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.requiredsymbol.4.o.sarif @@ -396,7 +396,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -420,7 +420,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.requiredsymbol.5.o.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.requiredsymbol.5.o.sarif index 6ada74c59..d191b6dd6 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.requiredsymbol.5.o.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.requiredsymbol.5.o.sarif @@ -397,7 +397,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -421,7 +421,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.shared_library.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.shared_library.so.sarif index 46ef4149f..ed949aac7 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.shared_library.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.shared_library.so.sarif @@ -262,7 +262,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -286,7 +286,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.stack_protector.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.stack_protector.sarif index 4b6e05def..0d6b159e4 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.stack_protector.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.stack_protector.sarif @@ -261,7 +261,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -285,7 +285,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.stack_protector.so.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.stack_protector.so.sarif index 2881200b6..c63a97a04 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.stack_protector.so.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.stack_protector.so.sarif @@ -262,7 +262,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -286,7 +286,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.unfortified.sarif b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.unfortified.sarif index 5567b7a60..a15a8639c 100644 --- a/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.unfortified.sarif +++ b/src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/NonWindowsExpected/gcc.unfortified.sarif @@ -261,7 +261,7 @@ }, { "id": "BA3030", - "name": "UseCheckedFunctionsWithGcc", + "name": "UseGccCheckedFunctions", "fullDescription": { "text": "GCC can automatically replace unsafe functions with checked variants when it can statically determine the length of a buffer or string. In the case of an overflow, the checked version will safely exit the program (rather than potentially allowing an exploit). This feature can be enabled by passing '-DFortify_Source=2' when optimization level 2 is enabled ('-O2')." }, @@ -285,7 +285,7 @@ "text": "'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}." } }, - "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseCheckedFunctionsWithGcc" + "helpUri": "https://github.com/microsoft/binskim/blob/main/docs/BinSkimRules.md#rule-BA3030UseGccCheckedFunctions" } ], "properties": { diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/Fail/gcc.unfortified b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/Fail/gcc.unfortified similarity index 100% rename from src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/Fail/gcc.unfortified rename to src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/Fail/gcc.unfortified diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/NotApplicable/clang.default_compilation b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/NotApplicable/clang.default_compilation similarity index 100% rename from src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/NotApplicable/clang.default_compilation rename to src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/NotApplicable/clang.default_compilation diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/NotApplicable/clang.shared_library.so b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/NotApplicable/clang.shared_library.so similarity index 100% rename from src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/NotApplicable/clang.shared_library.so rename to src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/NotApplicable/clang.shared_library.so diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/NotApplicable/gcc.object_file.o b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/NotApplicable/gcc.object_file.o similarity index 100% rename from src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/NotApplicable/gcc.object_file.o rename to src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/NotApplicable/gcc.object_file.o diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/Pass/gcc.example1.DFORTIFYSOURCE.2 b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/Pass/gcc.example1.DFORTIFYSOURCE.2 similarity index 100% rename from src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/Pass/gcc.example1.DFORTIFYSOURCE.2 rename to src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/Pass/gcc.example1.DFORTIFYSOURCE.2 diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/Pass/gcc.fortified b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/Pass/gcc.fortified similarity index 100% rename from src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/Pass/gcc.fortified rename to src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/Pass/gcc.fortified diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/Pass/gcc.no_fortification_required b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/Pass/gcc.no_fortification_required similarity index 100% rename from src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseCheckedFunctionsWithGcc/Pass/gcc.no_fortification_required rename to src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3030.UseGccCheckedFunctions/Pass/gcc.no_fortification_required diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.10.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.10.elf.c.no_safe_stack new file mode 100644 index 000000000..c20560f44 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.10.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.10.elf.cpp.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.10.elf.cpp.no_safe_stack new file mode 100644 index 000000000..ed1228a4b Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.10.elf.cpp.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.11.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.11.elf.c.no_safe_stack new file mode 100644 index 000000000..3dbce072f Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.11.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.11.elf.cpp.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.11.elf.cpp.no_safe_stack new file mode 100644 index 000000000..228aa4d6a Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.11.elf.cpp.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.12.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.12.elf.c.no_safe_stack new file mode 100644 index 000000000..afb631f08 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.12.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.12.elf.cpp.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.12.elf.cpp.no_safe_stack new file mode 100644 index 000000000..4d221d943 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.12.elf.cpp.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.13.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.13.elf.c.no_safe_stack new file mode 100644 index 000000000..4e602119d Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.13.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.13.elf.cpp.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.13.elf.cpp.no_safe_stack new file mode 100644 index 000000000..ec04a3807 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.13.elf.cpp.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.14.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.14.elf.c.no_safe_stack new file mode 100644 index 000000000..5281bd4f9 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.14.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.14.elf.cpp.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.14.elf.cpp.no_safe_stack new file mode 100644 index 000000000..ef07048e8 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.14.elf.cpp.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.3_6.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.3_6.elf.c.no_safe_stack new file mode 100644 index 000000000..3ff465c10 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.3_6.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.3_7.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.3_7.elf.c.no_safe_stack new file mode 100644 index 000000000..2916c6383 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.3_7.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.7.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.7.elf.c.no_safe_stack new file mode 100644 index 000000000..0e983c5f0 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.7.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.7.elf.cpp.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.7.elf.cpp.no_safe_stack new file mode 100644 index 000000000..39cd2a918 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.7.elf.cpp.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.8.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.8.elf.c.no_safe_stack new file mode 100644 index 000000000..543747bba Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.8.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.8.elf.cpp.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.8.elf.cpp.no_safe_stack new file mode 100644 index 000000000..ba6b66e19 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.8.elf.cpp.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.9.elf.c.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.9.elf.c.no_safe_stack new file mode 100644 index 000000000..49ad1795f Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.9.elf.c.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.9.elf.cpp.no_safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.9.elf.cpp.no_safe_stack new file mode 100644 index 000000000..281741531 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Fail/clang.9.elf.cpp.no_safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/NotApplicable/gcc.object_file.o b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/NotApplicable/gcc.object_file.o new file mode 100644 index 000000000..515901af3 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/NotApplicable/gcc.object_file.o differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.10.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.10.elf.c.safe_stack new file mode 100644 index 000000000..b4fd53a5f Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.10.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.10.elf.cpp.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.10.elf.cpp.safe_stack new file mode 100644 index 000000000..f9b3cf5bc Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.10.elf.cpp.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.11.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.11.elf.c.safe_stack new file mode 100644 index 000000000..6893c0115 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.11.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.11.elf.cpp.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.11.elf.cpp.safe_stack new file mode 100644 index 000000000..d53ed1c64 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.11.elf.cpp.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.12.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.12.elf.c.safe_stack new file mode 100644 index 000000000..e2524e35a Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.12.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.12.elf.cpp.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.12.elf.cpp.safe_stack new file mode 100644 index 000000000..0a14fbe79 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.12.elf.cpp.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.13.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.13.elf.c.safe_stack new file mode 100644 index 000000000..03ca0335e Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.13.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.13.elf.cpp.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.13.elf.cpp.safe_stack new file mode 100644 index 000000000..bff1fb4e7 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.13.elf.cpp.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.14.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.14.elf.c.safe_stack new file mode 100644 index 000000000..657b161ed Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.14.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.14.elf.cpp.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.14.elf.cpp.safe_stack new file mode 100644 index 000000000..3980bd1cf Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.14.elf.cpp.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.3_7.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.3_7.elf.c.safe_stack new file mode 100644 index 000000000..639c13beb Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.3_7.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.7.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.7.elf.c.safe_stack new file mode 100644 index 000000000..efbc98b9d Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.7.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.7.elf.cpp.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.7.elf.cpp.safe_stack new file mode 100644 index 000000000..4249d7e8c Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.7.elf.cpp.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.8.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.8.elf.c.safe_stack new file mode 100644 index 000000000..1916dc48a Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.8.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.8.elf.cpp.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.8.elf.cpp.safe_stack new file mode 100644 index 000000000..ee8a96de8 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.8.elf.cpp.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.9.elf.c.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.9.elf.c.safe_stack new file mode 100644 index 000000000..caa17556f Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.9.elf.c.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.9.elf.cpp.safe_stack b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.9.elf.cpp.safe_stack new file mode 100644 index 000000000..96c1e1be1 Binary files /dev/null and b/src/Test.FunctionalTests.BinSkim.Rules/FunctionalTestData/BA3031.EnableClangSafeStack/Pass/clang.9.elf.cpp.safe_stack differ diff --git a/src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs b/src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs index fdf933eb4..4f15450be 100644 --- a/src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs +++ b/src/Test.FunctionalTests.BinSkim.Rules/RuleTests.cs @@ -1399,21 +1399,39 @@ public void BA3011_EnableBindNow_NotApplicable() } [Fact] - public void BA3030_UseCheckedFunctionsWithGCC_Pass() + public void BA3030_UseGccCheckedFunctions_Pass() { - this.VerifyPass(new UseCheckedFunctionsWithGcc(), bypassExtensionValidation: true); + this.VerifyPass(new UseGccCheckedFunctions(), bypassExtensionValidation: true); } [Fact] - public void BA3030_UseCheckedFunctionsWithGCC_Fail() + public void BA3030_UseGccCheckedFunctions_Fail() { - this.VerifyFail(new UseCheckedFunctionsWithGcc(), bypassExtensionValidation: true); + this.VerifyFail(new UseGccCheckedFunctions(), bypassExtensionValidation: true); } [Fact] - public void BA3030_UseCheckedFunctionsWithGCC_NotApplicable() + public void BA3030_UseGccCheckedFunctions_NotApplicable() { - this.VerifyApplicability(new UseCheckedFunctionsWithGcc(), new HashSet()); + this.VerifyApplicability(new UseGccCheckedFunctions(), new HashSet()); + } + + [Fact] + public void BA3031_EnableClangSafeStack_Pass() + { + this.VerifyPass(new EnableClangSafeStack(), bypassExtensionValidation: true); + } + + [Fact] + public void BA3031_EnableClangSafeStack_Fail() + { + this.VerifyFail(new EnableClangSafeStack(), bypassExtensionValidation: true); + } + + [Fact] + public void BA3031_EnableClangSafeStack_NotApplicable() + { + this.VerifyApplicability(new EnableClangSafeStack(), new HashSet()); } [Fact]