Preparing v1.9.0-prerelease1 #411

Merged
merged 5 commits into from
Jul 28, 2021
4 changes: 2 additions & 2 deletions CreatePackagesFromLayoutDirectory.cmd
Expand Up @@ -42,9 +42,9 @@ if "%ERRORLEVEL%" NEQ "0" (echo %1 assembly copy failed. && goto :ExeFilesExit)
Exit /B %ERRORLEVEL%

:CopyFilesForMultitargeting
xcopy /Y %BinaryOutputDirectory%\netcoreapp3.1\win-x64\%~n1.dll %LayoutForSigningDirectory%\netcoreapp3.1\win-x64\
xcopy /Y %LayoutForSigningDirectory%\netcoreapp3.1\win-x64\%~n1.dll %BinaryOutputDirectory%\netcoreapp3.1\win-x64\
if "%ERRORLEVEL%" NEQ "0" (echo %1 assembly copy failed. && goto :CopyFilesExit)
xcopy /Y %BinaryOutputDirectory%\netcoreapp3.1\linux-x64\%~n1.dll %LayoutForSigningDirectory%\netcoreapp3.1\linux-x64\
xcopy /Y %LayoutForSigningDirectory%\netcoreapp3.1\linux-x64\%~n1.dll %BinaryOutputDirectory%\netcoreapp3.1\linux-x64\
if "%ERRORLEVEL%" NEQ "0" (echo %1 assembly copy failed. && goto :CopyFilesExit)
:CopyFilesExit
Exit /B %ERRORLEVEL%
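
Review bot: In :CopyFilesForMultitargeting the xcopy source and destination appear in both orders (%BinaryOutputDirectory% to %LayoutForSigningDirectory%, and the reverse), yet the label and the failure message give no hint of which direction this step is meant to run; add a comment saying whether it stages files for signing or copies signed files back. The paths are also unquoted, so a directory containing spaces will split the xcopy arguments; wrap each path in double quotes. The message "%1 assembly copy failed." is identical for win-x64 and linux-x64, so include the runtime identifier to make a failed build log actionable.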
8 changes: 4 additions & 4 deletions SetCurrentVersion.cmd
@@ -1,9 +1,9 @@
set MAJOR_PREVIOUS=1
set MINOR_PREVIOUS=7
set PATCH_PREVIOUS=5
set PRERELEASE_PREVIOUS=-prerelease1
set PRERELEASE_PREVIOUS=

set MAJOR=1
set MINOR=7
set PATCH=5
set PRERELEASE=
set MINOR=9
set PATCH=0
set PRERELEASE=-prerelease1
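
Review bot: The unquoted forms `set PRERELEASE=-prerelease1` and `set PRERELEASE_PREVIOUS=` take everything up to the end of the line as the value, so a stray trailing space would become part of the version string; use the quoted form, for example `set "PRERELEASE=-prerelease1"`. The same 1.9.0 and -prerelease1 values are also edited by hand in src/BinaryParsers/VersionConstants.cs in this change, so a build-time check that the two files agree would catch a missed bump.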
16 changes: 8 additions & 8 deletions docs/UserGuide.md
Expand Up @@ -33,7 +33,7 @@ binskim analyze *.dll --output MyLog.sarif

| Command Type | Description |
| ------------ | ----------- |
| **General** | <p>General BinSkim help message. Displays all built-in commands (e.g. help, analyze and capture) for which more detailed help can be requested</p><p>`binskim.exe --help`</p> |
| **General** | General BinSkim help message. Displays all built-in commands (e.g. help, analyze and capture) for which more detailed help can be requested `binskim.exe --help` |
| **Detailed** | <p>Specific commands. Structure looks like this: `binskim.exe help [command]`</p><ul><li>`binskim.exe help analyze`</li><li>`binskim.exe help exportRules`</li><li>`binskim.exe help exportConfig`</li><li>`binskim.exe help dump`</li><li>`binskim.exe help version`</li></ul> |

### Analyze Command
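
Review bot: In the **General** row the command runs straight on from the sentence ("...can be requested `binskim.exe --help`") with no punctuation or break, and the **Detailed** row below it still uses `<p>`/`<ul>` markup, so two rows of one table are formatted differently. End the sentence with a period or colon before the command, or keep the `<p>` wrapper in both rows.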
Expand All @@ -55,6 +55,7 @@ The **`analyze`** command supports the following additional arguments:
| **`--rich-return-code`** | Output a more detailed exit code consisting of a series of flags about execution, rather than outputting '0' for success/'1' for failure (see codes below) |
| **`--level`** | Filter output of scan results to one or more failure levels. Valid values: Error, Warning and Note. |
| **`--kind`** | Filter output one or more result kinds. Valid values: Fail (for literal scan results), Pass, Review, Open, NotApplicable and Informational. |
| **`--baseline`** | A Sarif file to be used as baseline. |
| **`-v, --sarif-output-version`** | (Default: Current) The SARIF version of the output log file. Valid values are OneZeroZero and Current |

In addition to the named arguments above, BinSkim accepts one or more specifiers to a file, directory, or filter pattern that resolves to one or more binaries to analyze. Arguments can include wild cards, relative paths (in which case the file or directory path is resolved relative to the current working directory), and environment variables.
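
Review bot: The `--baseline` description, "A Sarif file to be used as baseline.", does not say what the baseline does to the output (for example whether results already present in it are dropped or only marked) or how the path is resolved; one more sentence would let a reader use the option without reading the code. The neighbouring `--sarif-output-version` row spells it SARIF, so match that casing.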
Expand All @@ -71,7 +72,7 @@ When BinSkim cannot properly load a PDB, because it is missing, corrupted, etc.,

The following table lists all BinSkim rules by ID and Name, detailing specific PDB information examined during analysis. Generally, each of these checks also inspects each object module language in order to restrict analysis to Microsoft C/C++ compilers.

| ID | Name | Data Examined |
| ID | Name | Data Examined |
| -- | ---- | ------------- |
| **BA2002** | `DoNotIncorporateVulnerableDependencies` | Source files for all linked object modules |
| **BA2006** | `BuildWithSecureTools` | Compiler version of all linked object modules |
Expand All @@ -80,8 +81,7 @@ The following table lists all BinSkim rules by ID and Name, detailing specific P
| **BA2013** | `InitializeStackProtection` | Scans PDB for /GS feature function name |
| **BA2014** | `DoNotDisableStackProtectionForFunctions` | `IDiaSymbol::get_isSafeBuffers` value for all binary functions |
| **BA2024** | `EnableSpectreMitigations` | Compiler version of all linked object modules |



#### --local-symbol-directories

The `--local-symbol-directories` argument configures a set of semicolon-delimited local directory paths that will be examined when attempting to locate PDBs. Provide this argument when your build system redirects PDB production to an alternate location (rather than emitting them alongside their matching binary).
Expand Down Expand Up @@ -120,13 +120,13 @@ The `--rich-return-code` argument configures BinSkim to exit with a detailed exi

Non-fatal warnings correspond to behaviors that should be expected during normal successful operation of the tool--for instance, the tool can execute successfully and still find errors.

| Name | Value | Explanation/Guidance |
| Name | Value | Explanation/Guidance |
| -- | ---- | ------------- |
| **InvalidCommandLineOption** | `0x1` | Invalid command line options were passed to BinSkim. Please check your command line options. |
| **ExceptionInSkimmerInitialize** | `0x2` | A Skimmer/Rule was unable to initialize. That rule will be disabled during this run. Please report this to the BinSkim team. |
| **ExceptionRaisedInSkimmerCanAnalyze** | `0x4` | A Skimmer/Rule encountered an exception when attempting to determine if it applied to a target file. That rule will be disabled for the remainder of the run. Please report this to the BinSkim team. |
| **ExceptionInSkimmerAnalyze** | `0x8` | An exception was raised when a skimmer attempted to analyze a file. That rule will be disabled for the remainder of the run. Please report this to the BinSkim team. |
| **ExceptionCreatingLogFile** | ` 0x10` | BinSkim was unable to write to the log file you specified on the command line. The file may already exist, or you may not have permission to write to the folder you specified. |
| **ExceptionCreatingLogFile** | `0x10` | BinSkim was unable to write to the log file you specified on the command line. The file may already exist, or you may not have permission to write to the folder you specified. |
| **ExceptionLoadingPdb** | `0x20` | BinSkim encountered an exception loading a Pdb. This can occur if a PDB is missing, or if it's malformed. Ensure that valid .PDB files are present for each PE binary you wish to scan--BinSkim cannot evaluate some of its rules if they are missing. |
| **ExceptionInEngine** | `0x40` | The BinSkim engine encountered an unexpected exception and execution could not continue. Please report this to the BinSkim team. |
| **ExceptionLoadingTargetFile** | `0x80` | BinSkim failed to load/parse one of the input files. Ensure your input files are valid binaries that BinSkim can parse, and reach out to the BinSkim team if they are. |
Expand All @@ -146,7 +146,7 @@ Non-fatal warnings correspond to behaviors that should be expected during normal

This leads to these masks being helpful when determining what to do with a rich exit code:

| Name | Value | Explanation/Guidance |
| Name | Value | Explanation/Guidance |
| -- | ---- | ------------- |
| **NonFatalExitCode** | 0xF8000000 | These are the currently explicitly reserved non-fatal exit codes--they will occur during normal execution of the tool. They may be helpful for checking if the tool found any issues or similar during its execution. |
| **FatalExitCode** | 0x0000FFFF | These are all the explicitly reserved fatal exit codes--they indicate something unexpected went wrong during execution, or that a target that we expected to be able to analyze could not be fully analyzed (for example, the .PDB file was missing, or the file was incorrectly formatted). This may be helpful for checking during any tool run. |
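
Review bot: The mask values in this table (0xF8000000, 0x0000FFFF) are plain text while the exit-code table above formats its values as code (`0x10`, `0x20`); since this hunk already touches the table, put the mask values in backticks as well.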
Expand All @@ -159,4 +159,4 @@ The `-p` or `--plugin` argument is used to provide a path to a BinSkim plugin th

## BinSkim Release History

The latest version is always available on **[NuGet](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/)**. History is available on **[NuGet Release History](../src/ReleaseHistory.md)**.
The latest version is always available on **[NuGet](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/)**. History is available on **[NuGet Release History](../src/ReleaseHistory.md)**.
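
Review bot: The link text "NuGet Release History" on the changed line points at ../src/ReleaseHistory.md, a file in the repository rather than anything on NuGet; rename it to "Release History" so the label matches the target.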
6 changes: 3 additions & 3 deletions src/BinaryParsers/VersionConstants.cs
Expand Up @@ -4,9 +4,9 @@ namespace Microsoft.CodeAnalysis.IL
{
public static class VersionConstants
{
public const string Prerelease = "";
public const string AssemblyVersion = "1.7.5" + ".0";
public const string FileVersion = "1.7.5" + ".0";
public const string Prerelease = "-prerelease1";
public const string AssemblyVersion = "1.9.0" + ".0";
public const string FileVersion = "1.9.0" + ".0";
public const string Version = AssemblyVersion + Prerelease;
}
}
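
Review bot: `Version = AssemblyVersion + Prerelease` evaluates to "1.9.0.0-prerelease1", a four-part number with a prerelease suffix, while the release history heading and NuGet link in this change use 1.9.0-prerelease1; confirm that whatever reports `Version` is expected to differ from the package version. The literal "1.9.0" is also repeated on the `AssemblyVersion` and `FileVersion` lines; a single private constant would leave one place to edit on the next bump.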
55 changes: 47 additions & 8 deletions src/ReleaseHistory.md
@@ -1,45 +1,66 @@
# BinSkim Release History

## **Unreleased**
## **v1.9.0-prerelease1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.9.0-prerelease1)

## **v2.0.0** In progress (probably May/June 2021)
* BREAKING: Change from self-contained to dotnettool.

## **v1.8.0-prerelease1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.8.0-prerelease1)
* FEATURE: Add BA3011.EnableBindNow. [#363](https://github.com/microsoft/binskim/pull/363)
* FEATURE: Add BA2025.EnableShadowStack. [#376](https://github.com/microsoft/binskim/pull/376)
* FEATURE: Add BA3005.EnableStackClashProtection. [#379](https://github.com/microsoft/binskim/pull/379)
* BUGFIX: Force load PDB. [#380](https://github.com/microsoft/binskim/pull/380)
* BUGFIX: Fix BA2004 for MASM compilers. [381](https://github.com/microsoft/binskim/pull/381)
* FEATURE: Add BA3006.EnableNonExecutableStack. [#383](https://github.com/microsoft/binskim/pull/383)
* FEATURE: Add BA2026.EnableAdditionalSecurityChecks. [#388](https://github.com/microsoft/binskim/pull/388)
* FEATURE: Add BA4002.ReportDwarfCompilerData. [#394](https://github.com/microsoft/binskim/pull/394)
* BUGFIX: Fix for E_PDB_MAX error. [#399](https://github.com/microsoft/binskim/pull/399)
* BREAKING: Removing win-x86 support. [#401](https://github.com/microsoft/binskim/pull/401)
* FEATURE: Add baseline support. [#409](https://github.com/microsoft/binskim/pull/409)
* BUGFIX: Fix exception when the PDB is embedded. [#410](https://github.com/microsoft/binskim/pull/410)

## **v1.7.5** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.5)

* BUGFIX: Fix import/export config using JSON file. [#349](https://github.com/microsoft/binskim/pull/349)
* FEATURE: Add compiler report rule BA4001, which is disabled by default. [#350](https://github.com/microsoft/binskim/pull/350)
* FEATURE: Add support to specific rule documentation in `HelpUri`. [#348](https://github.com/microsoft/binskim/pull/348)

## **v1.7.5-prerelease1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.5-prerelease1)

* BUGFIX: Fix import/export config using JSON file. [#349](https://github.com/microsoft/binskim/pull/349)
* FEATURE: Add compiler report rule BA4001, which is disabled by default. [#350](https://github.com/microsoft/binskim/pull/350)
* FEATURE: Add support to specific rule documentation in `HelpUri`. [#348](https://github.com/microsoft/binskim/pull/348)

## **v1.7.4** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.4)

* BREAKING: Adding `--verbose` as obsolete which translate to `--level` and `--kind`. [#347](https://github.com/microsoft/binskim/pull/347)

## **v1.7.3** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.3)

* FEATURE: Update SARIF version to latest (using submodule). [#325](https://github.com/microsoft/binskim/pull/325)
* FEATURE: Add BA2004.EnableSecureSourceCodeHashing. [#320](https://github.com/microsoft/binskim/pull/320)
* BREAKING: Replace `--verbose` for `--level` and `--kind`. [#339](https://github.com/microsoft/binskim/pull/339)
* BUGFIX: Fix net5 handling. [#345](https://github.com/microsoft/binskim/pull/345)

## **v1.7.2** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.2)

* BREAKING: Revert dotnet-tool. [#316](https://github.com/microsoft/binskim/pull/316)

## **v1.7.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.1)

* BREAKING: Change from self-contained to dotnettool. [#306](https://github.com/microsoft/binskim/pull/306)
* BUG FIX: Fix issue when analyze `SingleFilePublish` files. [#311](https://github.com/microsoft/binskim/pull/311)

## **v1.7.0** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.7.0)
* AUTOMATION BREAKING: Update to .NET Core 3.1. Changes tool paths in NuGet package.

* AUTOMATION BREAKING: Update to .NET Core 3.1. Changes tool paths in NuGet package.
* FEATURE: Add `--trace` argument to enable specialized trace of execution behavior, such as `PdbLoad`.
* FEATURE: Update SARIF version to 2.3.8
* BREAKING** Default output is sarif v2

## **v1.6.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.1)

* DOC FIX: Correct reporting to reflect that /guard:cf is case-sensitive for the compiler. Contributed by [@JacksonText](https://github.com/JacksonTech)
* BUG FIX: Fix ExceptionRaisedInSkimmerCanAnalyze null dereference exception for binaries without PDBs. [#265](https://github.com/microsoft/binskim/issues/265)

## **v1.6.0** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.0)

* FEATURE: Update to final SARIF v2 (version 2.1.16). This enables results caching when passing --hashes on the command-line, a significant performance improvement when recursively analyzing directories with multiple copies of scan targets.
* BUG FIX: Fix typo in BA2021.DoNotMarkWritableSectionsAsExecutable output.
* PERFORMANCE: Eliminate PDB loading for all non-mixed-mode for managed assemblies, including IL Library (ahead of time compiled) binaries.
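
Review bot: The entry "BUGFIX: Fix BA2004 for MASM compilers. [381]" is missing the `#` that every sibling link text carries; make it `[#381]`. The prefixes in this range also alternate between `BUGFIX:` and `BUG FIX:`, the v1.7.0 line "* BREAKING** Default output is sarif v2" has a stray `**`, and the v1.6.1 credit shows @JacksonText as the label for a link to github.com/JacksonTech; pick one spelling for each while the file is being tidied.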
Expand All @@ -48,58 +69,71 @@
* FALSE POSITIVE FIX: Skip PDB-driven analysis for the generated .NET core native bootstrap exe (which is not user-controllable code).

## **v1.6.0-beta.3** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.0-beta.3)

* Drop Spectre analysis to warning

## **v1.6.0-beta.2** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.0-beta.2)

* Fix Linux NuGet packaging to include BinSkim executable missing in 1.6.0-beta.1
* Update to pre-release SARIF v2 output format (sarif-2.0.0-csd.2.beta.2019-01-24)
* Provide for SARIF v1 or v2 file format export. Default is v1 until SARIF v2 is final.

## **v1.6.0-beta.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.6.0-beta.1)

* Breaking** Output is now Sarif V2-CSD1 compliant rather than Sarif V1

## **v1.5.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.5.1)

* Fix Linux NuGet packaging to include BinSkim executable missing in 1.5.0.

## **v1.5.0** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.5.0)

* Cross platform (Windows/Linux) support.
* Possibly Breaking:** New Results: Identify and fire configuration errors when located PDBs are stripped
* Possibly Breaking:** New Results: False negative removed for BA2015.EnableHighEntropyVA: Correctly flags an AnyCPU binary with HighEntropyVA and Prefer32Bit disabled
* Possibly Breaking:** New Rules: New rules for ELF Binaries (BA3001.EnablePieOnExecutables, BA3002.DoNotMarkStackAsExecutable, BA3003.EnableStackProtector, BA3010.EnableReadOnlyRelocations, and BA3030.UseCheckedFunctionsWithGcc)
* Possibly Breaking:** New Rules: Provide preliminary BA2024.EnableSpectreMitigations analysis

## **v1.4.5** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.5)

* Correct signing check pass message to reflect actual analysis
* Sign all BinSkim binaries

## **v1.4.4** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.4)

* Do not fire BA2001.LoadImageAboveFourGigabyteAddressId for ILOnly 64-bit assemblies

## **v1.4.3** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.3)

* Fix rich return code return functionality when core command-line parsing breaks
* Export configuration knob to adjust EnableControlFlowGuard linker version check
* Loosen SignSecurely rule to prevent errors on WinTrustVerify errors CERT_E_UNTRUSTEDROOT and CERT_E_CHAINING

## **v1.4.2** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.2)

* Add 'rich' return code (a bitfield value of observed runtime conditions) via SARIF SDK --rich-return-code arg

## **v1.4.1** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.1)

* Add response file support
* Add __vcrt_trace_logging_provider::_TlgWrite exception to BA2014.DoNotDisableStackProtectionForFunctions

## **v1.4.0** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.4.0)

* Fix rule crash on firing 'not applicable' message for control flow guard check
* Add BinScope readable rule name information to SARIF log file output
* Fix reporting errors when flagging binaries signed with weak cryptogrphic algorithms
* Drop required compiler tools version to 17.0.65501.17013
* Make minimum required linker configurable for EnableControlFlowGuard check

## **v1.3.9** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.9)

* Fix false positives of BA2008:EnableControlFlowGuard firing on x86 kernel mode binaries
* Eliminate high-entropy VA analysis for binaries with no entry points
* Update various checks to eliminate noise analyzing boot binaries

## **v1.3.8** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.8)

* Update Sarif dependency to 1.5.40
* --config argument is now optional
* Fix false positives of BA2008:EnableControlFlowGuard firing against MC++ mixed mode binaries
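
Review bot: Several entries in this range open with a closing bold marker but no opening one ("* Breaking** Output is now Sarif V2-CSD1 compliant...", "* Possibly Breaking:** New Results..."), so the asterisks render literally; since this hunk is already normalising the spacing under each heading, fix them to `**Breaking:**` and `**Possibly Breaking:**`. The v1.4.0 entry also has the typo "cryptogrphic".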
Expand All @@ -108,20 +142,25 @@
* Eliminated compiler tool version false positives for Intel compiler and MASM

## **v1.3.7** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.7)

* Update Sarif dependency to 1.5.38
* More incidental reporting improvements

## **v1.3.6** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.6)

* Update Sarif dependency to 1.5.36
* Improves output in error cases

## **v1.3.5** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.5)

* Fix false positives in 'sign securely' analysis for multi-signed binaries
* Eliminate noise in stack protection analysis against .NET native binaries
* Update Sarif dependency to 1.5.28

## **v1.3.4-beta** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.4-beta)
## **v1.3.4-beta** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.4-beta)

* Force load PDBs in some circumstances where they have failed to do so

## **v1.3.3-beta** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.3-beta)
## **v1.3.3-beta** [NuGet Package](https://www.nuget.org/packages/Microsoft.CodeAnalysis.BinSkim/1.3.3-beta)

* Update Sarif dependency to Sarif SDK/Driver 1.5.22-beta (Sarif JSON format 1.0.0)
4 changes: 0 additions & 4 deletions src/build.common.props
Expand Up @@ -33,10 +33,6 @@
<DefineConstants>TRACE</DefineConstants>
</PropertyGroup>

<PropertyGroup Condition="'$(Platform)' == 'x86'">
<PlatformTarget>x86</PlatformTarget>
</PropertyGroup>

<PropertyGroup Condition="'$(Platform)' == 'x64'">
<PlatformTarget>x64</PlatformTarget>
</PropertyGroup>
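
Review bot: With the `'$(Platform)' == 'x86'` group gone, a build invoked with Platform=x86 matches none of the PlatformTarget conditions visible in this hunk and would proceed with whatever default applies rather than fail. If x86 is no longer a supported build, add an explicit error for that platform, or confirm that no solution configuration or pipeline still passes it. The release history in this change lists "Removing win-x86 support" under #401, so it is worth stating in the description why this removal lands in the version-preparation change instead.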