Binskim reports Error:BA2004 with '/ZH:SHA_256' enabled for Unmanaged c++ dll #999

Open
AgilaNatarajan opened this issue Jul 2, 2024 · 4 comments

Comments

@AgilaNatarajan

We have performed static code analysis on the unmanaged C++ DLL.
It reported the error below:
Error BA2004 'ts2coreD.dll' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:
Microsoft (R) Optimizing Compiler : cxx : 19.38.33136.0 : [directly linked] (TagTableVw.obj).

Hence we have updated the '/ZH:SHA_256' Additional Options in the compiler settings for the source DLL and also the libraries it refers to.
But BinSkim still reports the same error.
Could you please let me know what went wrong?
Version used - microsoft.codeanalysis.binskim.1.9.5
Visual Studio - 2022 Enterprise
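
An added example, not part of the original thread and not BinSkim's own code: a check that the `/ZH:SHA_256` option named in the BA2004 message is present in every configuration of a project and is not dropped by a per-file override. It assumes MSBuild `.vcxproj` files where the option is passed through `AdditionalOptions`; the sample project and the name `find_missing_flag` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"ms": "http://schemas.microsoft.com/developer/msbuild/2003"}
FLAG = "/ZH:SHA_256"  # option named in the BA2004 message

# Constructed sample project (not from the issue): Release sets the flag at
# project level, Debug does not, and one file overrides its Release options.
SAMPLE_VCXPROJ = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile><WarningLevel>Level3</WarningLevel></ClCompile>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
      <AdditionalOptions>/ZH:SHA_256 %(AdditionalOptions)</AdditionalOptions>
    </ClCompile>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClCompile Include="Sample.cpp">
      <AdditionalOptions Condition="'$(Configuration)|$(Platform)'=='Release|x64'">/bigobj</AdditionalOptions>
    </ClCompile>
  </ItemGroup>
</Project>"""


def find_missing_flag(vcxproj_xml):
    """Return (scope, condition) pairs whose compiler options lack FLAG."""
    root = ET.fromstring(vcxproj_xml)
    findings = []
    # Project-wide settings: one ItemDefinitionGroup per configuration/platform.
    for group in root.findall("ms:ItemDefinitionGroup", NS):
        cl = group.find("ms:ClCompile", NS)
        if cl is None:
            continue
        opts = cl.findtext("ms:AdditionalOptions", default="", namespaces=NS)
        if FLAG not in opts:
            findings.append(("project", group.get("Condition", "all")))
    # Per-file metadata replaces the project value unless it re-includes
    # %(AdditionalOptions), so an override can silently drop the flag.
    for item in root.findall("ms:ItemGroup/ms:ClCompile", NS):
        for opt in item.findall("ms:AdditionalOptions", NS):
            text = opt.text or ""
            if FLAG not in text and "%(additionaloptions)" not in text.lower():
                findings.append((item.get("Include"), opt.get("Condition", "all")))
    return findings


if __name__ == "__main__":
    for scope, condition in find_missing_flag(SAMPLE_VCXPROJ):
        print(f"{scope}: {FLAG} missing for {condition}")
```

Static libraries linked into the DLL are separate projects, so the same check applies to each of their project files.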

@AgilaNatarajan
Author

Any updates on this issue?

@AgilaNatarajan
Author

Please advise how to proceed with this.

@AllDwarf
Collaborator

Hey Agila,

Can you please try to run it with the newest BinSkim version, 4.3.1? It's not released to the feed, but you can build it and use it locally. If the error remains, let me know and we can investigate it further.

Marek

@AgilaNatarajan
Author

Hi Marek,

I have tried downloading BinSkim version 4.3.1. But unfortunately, while unzipping the source code, our domain security tool identified a malicious file and it stops unzipping it.
Hence I could not build the latest version and try it. Please suggest any other path forward.

Thanks in advance
Agila.N
