From 54267e135ff1d9266194ee03fa33dcb916f3adc8 Mon Sep 17 00:00:00 2001 From: Eddy Nakamura Date: Tue, 27 Jul 2021 21:12:45 -0300 Subject: [PATCH] Preparing v1.9.0-prerelease1 (#411) * Preparing v1.8.0-prerelease1 Improving docs, updating to version 1.9.0-prerelease1 Updating release history * updating release history markdown --- CreatePackagesFromLayoutDirectory.cmd | 4 +- SetCurrentVersion.cmd | 8 ++-- docs/UserGuide.md | 16 ++++---- src/BinaryParsers/VersionConstants.cs | 6 +-- src/ReleaseHistory.md | 55 +++++++++++++++++++++++---- src/build.common.props | 4 -- 6 files changed, 64 insertions(+), 29 deletions(-) diff --git a/CreatePackagesFromLayoutDirectory.cmd b/CreatePackagesFromLayoutDirectory.cmd index c1e64c286..b68d6c68a 100644 --- a/CreatePackagesFromLayoutDirectory.cmd +++ b/CreatePackagesFromLayoutDirectory.cmd @@ -42,9 +42,9 @@ if "%ERRORLEVEL%" NEQ "0" (echo %1 assembly copy failed. && goto :ExeFilesExit) Exit /B %ERRORLEVEL% :CopyFilesForMultitargeting -xcopy /Y %BinaryOutputDirectory%\netcoreapp3.1\win-x64\%~n1.dll %LayoutForSigningDirectory%\netcoreapp3.1\win-x64\ +xcopy /Y %LayoutForSigningDirectory%\netcoreapp3.1\win-x64\%~n1.dll %BinaryOutputDirectory%\netcoreapp3.1\win-x64\ if "%ERRORLEVEL%" NEQ "0" (echo %1 assembly copy failed. && goto :CopyFilesExit) -xcopy /Y %BinaryOutputDirectory%\netcoreapp3.1\linux-x64\%~n1.dll %LayoutForSigningDirectory%\netcoreapp3.1\linux-x64\ +xcopy /Y %LayoutForSigningDirectory%\netcoreapp3.1\linux-x64\%~n1.dll %BinaryOutputDirectory%\netcoreapp3.1\linux-x64\ if "%ERRORLEVEL%" NEQ "0" (echo %1 assembly copy failed. && goto :CopyFilesExit) :CopyFilesExit Exit /B %ERRORLEVEL% diff --git a/SetCurrentVersion.cmd b/SetCurrentVersion.cmd index 8fd0c18dc..d63f8e31b 100644 --- a/SetCurrentVersion.cmd +++ b/SetCurrentVersion.cmd 
@@ -1,9 +1,9 @@ set MAJOR_PREVIOUS=1 set MINOR_PREVIOUS=7 set PATCH_PREVIOUS=5 -set PRERELEASE_PREVIOUS=-prerelease1 +set PRERELEASE_PREVIOUS= set MAJOR=1 -set MINOR=7 -set PATCH=5 -set PRERELEASE= +set MINOR=9 +set PATCH=0 +set PRERELEASE=-prerelease1 diff --git a/docs/UserGuide.md b/docs/UserGuide.md index 0f7f76486..8eee133ba 100644 --- a/docs/UserGuide.md +++ b/docs/UserGuide.md @@ -33,7 +33,7 @@ binskim analyze *.dll --output MyLog.sarif | Command Type | Description | | ------------ | ----------- | -| **General** |

General BinSkim help message. Displays all built-in commands (e.g. help, analyze and capture) for which more detailed help can be requested

`binskim.exe --help`

| +| **General** | General BinSkim help message. Displays all built-in commands (e.g. help, analyze and capture) for which more detailed help can be requested `binskim.exe --help` | | **Detailed** |

Specific commands. Structure looks like this: `binskim.exe help [command]`

| ### Analyze Command @@ -55,6 +55,7 @@ The **`analyze`** command supports the following additional arguments: | **`--rich-return-code`** | Output a more detailed exit code consisting of a series of flags about execution, rather than outputting '0' for success/'1' for failure (see codes below) | | **`--level`** | Filter output of scan results to one or more failure levels. Valid values: Error, Warning and Note. | | **`--kind`** | Filter output one or more result kinds. Valid values: Fail (for literal scan results), Pass, Review, Open, NotApplicable and Informational. | +| **`--baseline`** | A Sarif file to be used as baseline. | | **`-v, --sarif-output-version`** | (Default: Current) The SARIF version of the output log file. Valid values are OneZeroZero and Current | In addition to the named arguments above, BinSkim accepts one or more specifiers to a file, directory, or filter pattern that resolves to one or more binaries to analyze. Arguments can include wild cards, relative paths (in which case the file or directory path is resolved relative to the current working directory), and environment variables. @@ -71,7 +72,7 @@ When BinSkim cannot properly load a PDB, because it is missing, corrupted, etc., The following table lists all BinSkim rules by ID and Name, detailing specific PDB information examined during analysis. Generally, each of these checks also inspects each object module language in order to restrict analysis to Microsoft C/C++ compilers. -| ID | Name | Data Examined | +| ID | Name | Data Examined | | -- | ---- | ------------- | | **BA2002** | `DoNotIncorporateVulnerableDependencies` | Source files for all linked object modules | | **BA2006** | `BuildWithSecureTools` | Compiler version of all linked object modules | 
@@ -80,8 +81,7 @@ The following table lists all BinSkim rules by ID and Name, detailing specific P | **BA2013** | `InitializeStackProtection` | Scans PDB for /GS feature function name | | **BA2014** | `DoNotDisableStackProtectionForFunctions` | `IDiaSymbol::get_isSafeBuffers` value for all binary functions | | **BA2024** | `EnableSpectreMitigations` | Compiler version of all linked object modules | - - + #### --local-symbol-directories The `--local-symbol-directories` argument configures a set of semicolon-delimited local directory paths that will be examined when attempting to locate PDBs. Provide this argument when your build system redirects PDB production to an alternate location (rather than emitting them alongside their matching binary). 
@@ -120,13 +120,13 @@ The `--rich-return-code` argument configures BinSkim to exit with a detailed exi Non-fatal warnings correspond to behaviors that should be expected during normal successful operation of the tool--for instance, the tool can execute successfully and still find errors. -| Name | Value | Explanation/Guidance | +| Name | Value | Explanation/Guidance | | -- | ---- | ------------- | | **InvalidCommandLineOption** | `0x1` | Invalid command line options were passed to BinSkim. Please check your command line options. | | **ExceptionInSkimmerInitialize** | `0x2` | A Skimmer/Rule was unable to initialize. That rule will be disabled during this run. Please report this to the BinSkim team. | | **ExceptionRaisedInSkimmerCanAnalyze** | `0x4` | A Skimmer/Rule encountered an exception when attempting to determine if it applied to a target file. That rule will be disabled for the remainder of the run. Please report this to the BinSkim team. | | **ExceptionInSkimmerAnalyze** | `0x8` | An exception was raised when a skimmer attempted to analyze a file. That rule will be disabled for the remainder of the run. Please report this to the BinSkim team. | -| **ExceptionCreatingLogFile** | ` 0x10` | BinSkim was unable to write to the log file you specified on the command line. The file may already exist, or you may not have permission to write to the folder you specified. | +| **ExceptionCreatingLogFile** | `0x10` | BinSkim was unable to write to the log file you specified on the command line. The file may already exist, or you may not have permission to write to the folder you specified. | | **ExceptionLoadingPdb** | `0x20` | BinSkim encountered an exception loading a Pdb. This can occur if a PDB is missing, or if it's malformed. Ensure that valid .PDB files are present for each PE binary you wish to scan--BinSkim cannot evaluate some of its rules if they are missing. 
| | **ExceptionInEngine** | `0x40` | The BinSkim engine encountered an unexpected exception and execution could not continue. Please report this to the BinSkim team. | | **ExceptionLoadingTargetFile** | `0x80` | BinSkim failed to load/parse one of the input files. Ensure your input files are valid binaries that BinSkim can parse, and reach out to the BinSkim team if they are. | @@ -146,7 +146,7 @@ Non-fatal warnings correspond to behaviors that should be expected during normal This leads to these masks being helpful when determining what to do with a rich exit code: -| Name | Value | Explanation/Guidance | +| Name | Value | Explanation/Guidance | | -- | ---- | ------------- | | **NonFatalExitCode** | 0xF8000000 | These are the currently explicitly reserved non-fatal exit codes--they will occur during normal execution of the tool. They may be helpful for checking if the tool found any issues or similar during its execution. | | **FatalExitCode** | 0x0000FFFF | These are all the explicitly reserved fatal exit codes--they indicate something unexpected went wrong during execution, or that a target that we expected to be able to analyze could not be fully analyzed (for example, the .PDB file was missing, or the file was incorrectly formatted). This may be helpful for checking during any tool run. | @@ -159,4 +159,4 @@ The `-p` or `--plugin` argument is used to provide a path to a BinSkim plugin th ## BinSkim Release History -The latest version is always available on **[NuGet](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/)**. History is available on **[NuGet Release History](../src/ReleaseHistory.md)**. \ No newline at end of file +The latest version is always available on **[NuGet](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/)**. History is available on **[NuGet Release History](../src/ReleaseHistory.md)**. diff --git a/src/BinaryParsers/VersionConstants.cs b/src/BinaryParsers/VersionConstants.cs index aedf9251b..6336fb374 100644 
--- a/src/BinaryParsers/VersionConstants.cs +++ b/src/BinaryParsers/VersionConstants.cs @@ -4,9 +4,9 @@ namespace Microsoft.CodeAnalysis.IL { public static class VersionConstants { - public const string Prerelease = ""; - public const string AssemblyVersion = "1.7.5" + ".0"; - public const string FileVersion = "1.7.5" + ".0"; + public const string Prerelease = "-prerelease1"; + public const string AssemblyVersion = "1.9.0" + ".0"; + public const string FileVersion = "1.9.0" + ".0"; public const string Version = AssemblyVersion + Prerelease; } } diff --git a/src/ReleaseHistory.md b/src/ReleaseHistory.md index f4de578da..0d3a244a3 100644 --- a/src/ReleaseHistory.md +++ b/src/ReleaseHistory.md 
@@ -1,45 +1,66 @@ # BinSkim Release History -## **Unreleased** +## **v1.9.0-prerelease1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.9.0-prerelease1) -## **v2.0.0** In progress (probably May/June 2021) -* BREAKING: Change from self-contained to dotnettool. - -## **v1.8.0-prerelease1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.8.0-prerelease1) * FEATURE: Add BA3011.EnableBindNow. [#363](https://github.com/microsoft/binskim/pull/363) +* FEATURE: Add BA2025.EnableShadowStack. [#376](https://github.com/microsoft/binskim/pull/376) +* FEATURE: Add BA3005.EnableStackClashProtection. [#379](https://github.com/microsoft/binskim/pull/379) +* BUGFIX: Force load PDB. [#380](https://github.com/microsoft/binskim/pull/380) +* BUGFIX: Fix BA2004 for MASM compilers. [381](https://github.com/microsoft/binskim/pull/381) +* FEATURE: Add BA3006.EnableNonExecutableStack. [#383](https://github.com/microsoft/binskim/pull/383) +* FEATURE: Add BA2026.EnableAdditionalSecurityChecks. [#388](https://github.com/microsoft/binskim/pull/388) +* FEATURE: Add BA4002.ReportDwarfCompilerData. [#394](https://github.com/microsoft/binskim/pull/394) +* BUGFIX: Fix for E_PDB_MAX error. [#399](https://github.com/microsoft/binskim/pull/399) +* BREAKING: Removing win-x86 support. [#401](https://github.com/microsoft/binskim/pull/401) +* FEATURE: Add baseline support. [#409](https://github.com/microsoft/binskim/pull/409) +* BUGFIX: Fix exception when the PDB is embedded. [#410](https://github.com/microsoft/binskim/pull/410) ## **v1.7.5** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.5) + +* BUGFIX: Fix import/export config using JSON file. [#349](https://github.com/microsoft/binskim/pull/349) +* FEATURE: Add compiler report rule BA4001, which is disabled by default. [#350](https://github.com/microsoft/binskim/pull/350) +* FEATURE: Add support to specific rule documentation in `HelpUri`. 
[#348](https://github.com/microsoft/binskim/pull/348) + +## **v1.7.5-prerelease1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.5-prerelease1) + * BUGFIX: Fix import/export config using JSON file. [#349](https://github.com/microsoft/binskim/pull/349) * FEATURE: Add compiler report rule BA4001, which is disabled by default. [#350](https://github.com/microsoft/binskim/pull/350) * FEATURE: Add support to specific rule documentation in `HelpUri`. [#348](https://github.com/microsoft/binskim/pull/348) ## **v1.7.4** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.4) + * BREAKING: Adding `--verbose` as obsolete which translate to `--level` and `--kind`. [#347](https://github.com/microsoft/binskim/pull/347) ## **v1.7.3** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.3) + * FEATURE: Update SARIF version to latest (using submodule). [#325](https://github.com/microsoft/binskim/pull/325) * FEATURE: Add BA2004.EnableSecureSourceCodeHashing. [#320](https://github.com/microsoft/binskim/pull/320) * BREAKING: Replace `--verbose` for `--level` and `--kind`. [#339](https://github.com/microsoft/binskim/pull/339) * BUGFIX: Fix net5 handling. [#345](https://github.com/microsoft/binskim/pull/345) ## **v1.7.2** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.2) + * BREAKING: Revert dotnet-tool. [#316](https://github.com/microsoft/binskim/pull/316) ## **v1.7.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.1) + * BREAKING: Change from self-contained to dotnettool. [#306](https://github.com/microsoft/binskim/pull/306) * BUG FIX: Fix issue when analyze `SingleFilePublish` files. [#311](https://github.com/microsoft/binskim/pull/311) ## **v1.7.0** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.0) -* AUTOMATION BREAKING: Update to .NET Core 3.1. Changes tool paths in NuGet package. 
+ +* AUTOMATION BREAKING: Update to .NET Core 3.1. Changes tool paths in NuGet package. * FEATURE: Add `--trace` argument to enable specialized trace of execution behavior, such as `PdbLoad`. * FEATURE: Update SARIF version to 2.3.8 * BREAKING** Default output is sarif v2 ## **v1.6.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.1) + * DOC FIX: Correct reporting to reflect that /guard:cf is case-sensitive for the compiler. Contributed by [@JacksonText](https://github.com/JacksonTech) * BUG FIX: Fix ExceptionRaisedInSkimmerCanAnalyze null dereference exception for binaries without PDBs. [#265](https://github.com/microsoft/binskim/issues/265) ## **v1.6.0** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.0) + * FEATURE: Update to final SARIF v2 (version 2.1.16). This enables results caching when passing --hashes on the command-line, a significant performance improvement when recursively analyzing directories with multiple copies of scan targets. * BUG FIX: Fix typo in BA2021.DoNotMarkWritableSectionsAsExecutable output. * PERFORMANCE: Eliminate PDB loading for all non-mixed-mode for managed assemblies, including IL Library (ahead of time compiled) binaries. 
@@ -48,20 +69,25 @@ * FALSE POSITIVE FIX: Skip PDB-driven analysis for the generated .NET core native bootstrap exe (which is not user-controllable code). ## **v1.6.0-beta.3** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.0-beta.3) + * Drop Spectre analysis to warning ## **v1.6.0-beta.2** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.0-beta.2) + * Fix Linux NuGet packaging to include BinSkim executable missing in 1.6.0-beta.1 * Update to pre-release SARIF v2 output format (sarif-2.0.0-csd.2.beta.2019-01-24) * Provide for SARIF v1 or v2 file format export. Default is v1 until SARIF v2 is final. ## **v1.6.0-beta.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.0-beta.1) + * Breaking** Output is now Sarif V2-CSD1 compliant rather than Sarif V1 ## **v1.5.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.5.1) + * Fix Linux NuGet packaging to include BinSkim executable missing in 1.5.0. ## **v1.5.0** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.5.0) + * Cross platform (Windows/Linux) support. * Possibly Breaking:** New Results: Identify and fire configuration errors when located PDBs are stripped * Possibly Breaking:** New Results: False negative removed for BA2015.EnableHighEntropyVA: Correctly flags an AnyCPU binary with HighEntropyVA and Prefer32Bit disabled 
@@ -69,25 +95,31 @@ * Possibly Breaking:** New Rules: Provide preliminary BA2024.EnableSpectreMitigations analysis ## **v1.4.5** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.5) + * Correct signing check pass message to reflect actual analysis * Sign all BinSkim binaries ## **v1.4.4** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.4) + * Do not fire BA2001.LoadImageAboveFourGigabyteAddressId for ILOnly 64-bit assemblies ## **v1.4.3** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.3) + * Fix rich return code return functionality when core command-line parsing breaks * Export configuration knob to adjust EnableControlFlowGuard linker version check * Loosen SignSecurely rule to prevent errors on WinTrustVerify errors CERT_E_UNTRUSTEDROOT and CERT_E_CHAINING ## **v1.4.2** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.2) + * Add 'rich' return code (a bitfield value of observed runtime conditions) via SARIF SDK --rich-return-code arg ## **v1.4.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.1) + * Add response file support * Add __vcrt_trace_logging_provider::_TlgWrite exception to BA2014.DoNotDisableStackProtectionForFunctions ## **v1.4.0** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.0) + * Fix rule crash on firing 'not applicable' message for control flow guard check * Add BinScope readable rule name information to SARIF log file output * Fix reporting errors when flagging binaries signed with weak cryptogrphic algorithms 
@@ -95,11 +127,13 @@ * Make minimum required linker configurable for EnableControlFlowGuard check ## **v1.3.9** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.9) + * Fix false positives of BA2008:EnableControlFlowGuard firing on x86 kernel mode binaries * Eliminate high-entropy VA analysis for binaries with no entry points * Update various checks to eliminate noise analyzing boot binaries ## **v1.3.8** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.8) + * Update Sarif dependency to 1.5.40 * --config argument is now optional * Fix false positives of BA2008:EnableControlFlowGuard firing against MC++ mixed mode binaries 
@@ -108,20 +142,25 @@ * Eliminated compiler tool version false positives for Intel compiler and MASM ## **v1.3.7** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.7) + * Update Sarif dependency to 1.5.38 * More incidental reporting improvements ## **v1.3.6** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.6) + * Update Sarif dependency to 1.5.36 * Improves output in error cases ## **v1.3.5** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.5) + * Fix false positives in 'sign securely' analysis for multi-signed binaries * Eliminate noise in stack protection analysis against .NET native binaries * Update Sarif dependency to 1.5.28 -## **v1.3.4-beta** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.4-beta) +## **v1.3.4-beta** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.4-beta) + * Force load PDBs in some circumstances where they have failed to do so -## **v1.3.3-beta** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.3-beta) +## **v1.3.3-beta** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.3-beta) + * Update Sarif dependency to Sarif SDK/Driver 1.5.22-beta (Sarif JSON format 1.0.0) diff --git a/src/build.common.props b/src/build.common.props index 2e988d65d..a2d74ee74 100644 --- a/src/build.common.props +++ b/src/build.common.props @@ -33,10 +33,6 @@ TRACE - - x86 - - x64
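Review bot: In CreatePackagesFromLayoutDirectory.cmd, under `:CopyFilesForMultitargeting`, both `xcopy` lines now have source and destination swapped (copying from `%LayoutForSigningDirectory%` into `%BinaryOutputDirectory%`), and the commit message, which mentions only docs, version and release history, does not explain it. Please confirm the reversal is intended and state it in the message, since it decides whether the packaged netcoreapp3.1 DLLs come from the signing layout or from the build output. While these lines are being touched, consider quoting both paths so a directory name containing spaces does not split the `xcopy` arguments.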
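Review bot: In SetCurrentVersion.cmd the new values produce 1.9.0-prerelease1 (`MINOR=9`, `PATCH=0`, `PRERELEASE=-prerelease1`), matching VersionConstants.cs, but the first bullet of the commit message still reads "Preparing v1.8.0-prerelease1". Correct the message so the log agrees with the version this change actually sets.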
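Review bot: In docs/UserGuide.md, the new `--baseline` row in the analyze arguments table says only "A Sarif file to be used as baseline.", which does not tell a user what the option does to the output. Describe how results are compared against the baseline file and what is then reported, and spell it "SARIF" as the `--sarif-output-version` row directly below does.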
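Review bot: In src/ReleaseHistory.md, the first hunk deletes the v1.8.0-prerelease1 heading and folds its BA3011.EnableBindNow entry under v1.9.0-prerelease1; if 1.8.0-prerelease1 was published to NuGet, keep its section so the history still matches the package list. In the same hunk, the BA2004 MASM bugfix uses the link text `[381]` where every other entry uses the `[#NNN]` form, and the v1.7.5 section now repeats the three v1.7.5-prerelease1 entries verbatim, which deserves a short remark in the file if it is intentional.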
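Review bot: In src/build.common.props, the removed x86 entry is a build-configuration change that the commit message does not mention. Reference #401 (the "Removing win-x86 support" entry added to the release history in this same patch) in the message, or move this cleanup into that change, so the breaking change can be traced from the commit that made it.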