merge from main

BuildAndTest.cmd

@@ -96,7 +96,7 @@ Exit /B %ERRORLEVEL%
 :CreatePublishPackage
 set Framework=%~1
 set RuntimeArg=%~2
-dotnet publish %~dp0src\BinSkim.Driver\BinSkim.Driver.csproj --no-restore -c %Configuration% -f %Framework% --runtime %RuntimeArg%
+dotnet publish %~dp0src\BinSkim.Driver\BinSkim.Driver.csproj --no-restore -c %Configuration% -f %Framework% --runtime %RuntimeArg% --self-contained
 Exit /B %ERRORLEVEL%
 
 :ExitFailed

ReleaseHistory.md

@@ -16,24 +16,31 @@
 - NEW => new feature 
 
 ## UNRELEASED
+* DEP: Remove `Microsoft.CodeAnalysis`. [#934](https://github.com/microsoft/binskim/pull/934)
+* DEP: Remove `Microsoft.CodeAnalysis.NetAnalyzers`. [#934](https://github.com/microsoft/binskim/pull/934)
+* DEP: Update `ELFSharp` package from 2.17.1 to 2.17.2. [#930](https://github.com/microsoft/binskim/pull/930)
+* DEP: Update `System.Reflection.Metadata` package from 7.0.0 to 7.0.2. [#930](https://github.com/microsoft/binskim/pull/930)
+* DEP: Update `Newtonsoft.Json` package from 13.0.1 to 13.0.3. [#930](https://github.com/microsoft/binskim/pull/930)
+* DEP: Update Sarif.Sdk submodule from [bc8cb57 to dd8b7b8](https://github.com/microsoft/sarif-sdk/compare/bc8cb57...dd8b7b8). Full [SARIF SDK Release History](https://github.com/microsoft/sarif-sdk/blob/dd8b7b8/ReleaseHistory.md).
+* NR : `BA2029.EnableIntegrityCheck` ([Rule Request](https://github.com/microsoft/binskim/issues/909)) [#922](https://github.com/microsoft/binskim/pull/922)
+* BUG: `BA2004.EnableSecureSourceCodeHashing` now explicitly reports the insecure hash algorithm or that the module has no hash data present (in that circumstance). [#929](https://github.com/microsoft/binskim/pull/929)
 * BUG: Fix `System.InvalidOperationException`: `Sequence contains more than one matching element` when `--trace` is provided. [896](https://github.com/microsoft/binskim/pull/896)
 * BUG: Fix `--trace` missing supported values from SARIF SDK (`ScanTime`, `RuleScanTime`, `PeakWorkingSet`, `TargetsScanned`, `ResultsSummary`). [896](https://github.com/microsoft/binskim/pull/896)
-* DEP: Update `Microsoft.CodeAnalysis.NetAnalyzers` package from 7.0.0 to 7.0.1 to resolve build warnings. [#903](https://github.com/microsoft/binskim/pull/903)
-* DEP: Update Sarif.Sdk submodule from [bc8cb57 to dd8b7b8](https://github.com/microsoft/sarif-sdk/compare/bc8cb57...dd8b7b8). Full [SARIF SDK Release History](https://github.com/microsoft/sarif-sdk/blob/dd8b7b8/ReleaseHistory.md).
+* NEW: `BA2024.EnableSpectreMitigations` now informs user when a compiland `RawCommandLine` value is missing and the rule is therefore not able to determine if `/Qspectre` is specified. [#933](https://github.com/microsoft/binskim/pull/933)
 
 ## **v4.1.0**
-* NEW: `CompilerInformation` telemetry now emits the last modified date of the scan target. [#873](https://github.com/microsoft/binskim/pull/873)
-* NEW: `CompilerInformation` telemetry now emits the last modified date of the PDB associated with the analyzed binary. [#871](https://github.com/microsoft/binskim/pull/871)
 * DEP: Update Sarif.Sdk submodule from [120fae3 to bc8cb57](https://github.com/microsoft/sarif-sdk/compare/120fae3...bc8cb57). Full [SARIF SDK Release History](https://github.com/microsoft/sarif-sdk/blob/bc8cb57/ReleaseHistory.md).
 * DEP: Upgrade ELFSharp from 2.16.1 to 2.17.1. [#872](https://github.com/microsoft/binskim/pull/872)
 * BRK: Remove `--verbose` command-line option (in favor of `--level` and `--kind`). [#853](https://github.com/microsoft/binskim/pull/853)
 * BRK: Remove `--hashes` command-line option (in favor of `--insert Hashes`). [#853](https://github.com/microsoft/binskim/pull/853)
+* FPS: Fix false positive for rule `BA2024.EnableSpectreMitigations` incorrectly flags compilation units using debug runtime (which are not Spectre-mitigated by design). [887](https://github.com/microsoft/binskim/pull/887)
 * BUG: Fix `BA2004.EnableSecureSourceCodeHashing` to report the actual broken hash algorithm (rather than always reporting SHA-1). [#868](https://github.com/microsoft/binskim/pull/868)
 * BUG: Fix `BA2022.SignSecurely` unhandled `InvalidOperationException`: `Unrecognized crypto HRESULT: 0x80096011`, which is `TRUST_E_MALFORMED_SIGNATURE`, by refreshing `CryptoError` enum with latest data from Windows SDK for Windows 11 (10.0.22621.0). [850](https://github.com/microsoft/binskim/pull/850)
 * BUG: Probe local symbols directory for PDBs in all code paths. [828](https://github.com/microsoft/binskim/pull/828)
 * BUG: Add missing output in PDB load tracing (enabled by `--trace PdbLoad`. [828](https://github.com/microsoft/binskim/pull/828)
 * BUG: Provide additional note for `BA2025.EnableShadowStack` that enabling it with older versions of .NET (.NET 6 or earlier) may cause the process to crash. [874](https://github.com/microsoft/binskim/pull/874)
-* FPS: Fix false positive for rule `BA2024.EnableSpectreMitigations` incorrectly flags compilation units using debug runtime (which are not Spectre-mitigated by design). [887](https://github.com/microsoft/binskim/pull/887)
+* NEW: `CompilerInformation` telemetry now emits the last modified date of the scan target. [#873](https://github.com/microsoft/binskim/pull/873)
+* NEW: `CompilerInformation` telemetry now emits the last modified date of the PDB associated with the analyzed binary. [#871](https://github.com/microsoft/binskim/pull/871)
 
 ## **v4.0.0**
 * DEP: Update Sarif.Sdk submodule from [fc9a9df to 2d52c53](https://github.com/microsoft/sarif-sdk/compare/fc9a9df...2d52c53). Full [SARIF SDK Release History](https://github.com/microsoft/sarif-sdk/blob/2d52c53/ReleaseHistory.md).

ado-build.yml

@@ -1,51 +1,87 @@
 pr:
-- '*'
+  - "*"
 
 jobs:
-- job: linux
-  pool:
-    vmImage: 'ubuntu-20.04'
-  steps:
-  - checkout: self
-    submodules: true
-
-  - task: Bash@3
-    displayName: 'Build and Test'
-    inputs:
-      filePath: 'BuildAndTest.sh'
-      failOnStderr: true
-
-- job: windows
-  pool:
-    vmImage: 'windows-latest'
-  steps:
-  - checkout: self
-    submodules: true
-
-  - task: CmdLine@2
-    displayName: 'Build and Test'
-    inputs:
-      script: 'BuildAndTest.cmd'
-
-  - task: ComponentGovernanceComponentDetection@0
-    inputs:
-      ignoreDirectories: 'src\sarif-sdk'
-
-- job: mac
-  pool:
-    vmImage: 'macOS-latest'
-  steps:
-  - checkout: self
-    submodules: true
-
-  - task: Bash@3
-    displayName: 'Build and Test'
-    inputs:
-      filePath: 'BuildAndTest.sh'
-      failOnStderr: true
-
-  - task: Bash@3
-    displayName: 'Run BinSkim'
-    inputs:
-      targetType: 'inline'
-      script: 'dotnet bld/bin/x64_Release/netcoreapp3.1/binskim.dll analyze src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/macho.*'
+  - job: linux
+    pool:
+      vmImage: "ubuntu-20.04"
+    steps:
+      - task: UseDotNet@2
+        displayName: .NET Core 3.1 sdk
+        inputs:
+          version: "3.1.x"
+          packageType: sdk
+
+      - task: UseDotNet@2
+        displayName: .NET Core 6.0 sdk
+        inputs:
+          version: "6.0.x"
+          packageType: sdk
+
+      - checkout: self
+        submodules: true
+
+      - task: Bash@3
+        displayName: "Build and Test"
+        inputs:
+          filePath: "BuildAndTest.sh"
+          failOnStderr: true
+
+  - job: windows
+    pool:
+      vmImage: "windows-latest"
+    steps:
+      - task: UseDotNet@2
+        displayName: .NET Core 3.1 sdk
+        inputs:
+          version: "3.1.x"
+          packageType: sdk
+
+      - task: UseDotNet@2
+        displayName: .NET Core 6.0 sdk
+        inputs:
+          version: "6.0.x"
+          packageType: sdk
+
+      - checkout: self
+        submodules: true
+
+      - task: CmdLine@2
+        displayName: "Build and Test"
+        inputs:
+          script: "BuildAndTest.cmd"
+
+      - task: ComponentGovernanceComponentDetection@0
+        inputs:
+          ignoreDirectories: 'src\sarif-sdk'
+
+  - job: mac
+    pool:
+      vmImage: "macOS-latest"
+    steps:
+      - task: UseDotNet@2
+        displayName: .NET Core 3.1 sdk
+        inputs:
+          version: "3.1.x"
+          packageType: sdk
+
+      - task: UseDotNet@2
+        displayName: .NET Core 6.0 sdk
+        inputs:
+          version: "6.0.x"
+          packageType: sdk
+
+      - checkout: self
+        submodules: true
+
+      - task: Bash@3
+        displayName: "Build and Test"
+        inputs:
+          filePath: "BuildAndTest.sh"
+          failOnStderr: true
+
+      - task: Bash@3
+        displayName: "Run BinSkim"
+        inputs:
+          targetType: "inline"
+          script: "dotnet bld/bin/x64_Release/netcoreapp3.1/binskim.dll analyze src/Test.FunctionalTests.BinSkim.Driver/BaselineTestData/macho.*"

docs/BinSkimRules.md

@@ -817,6 +817,14 @@ Application code should be compiled with the Spectre mitigations switch (/Qspect
 '{0}' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or specify <SpectreMitigation>Spectre</SpectreMitigation> in build properties), or pass /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre. This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
 {1}
 
+#### `WarningMissingCommandLine`: Warning
+
+{0}' was compiled with one or more modules with a toolset that supports /Qspectre but a compiland `RawCommandLine` value is missing and the rule is therefore not able to determine if `/Qspectre` is specified. The likely cause is that the code was linked to a static library with no debug information.  It is not known whether code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities was enabled. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, ensure that the compiler command line is present (provide the /Z7 switch) and provide the /Qspectre switch on the compiler command-line (or specify <SpectreMitigation>Spectre</SpectreMitigation> in build properties), or pass /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre. This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request.
+
+#### `SpectreMitigationUnknownNoCommandLine`: Warning
+
+The following modules were compiled with a toolset that supports /Qspectre but a compiland `RawCommandLine` value is missing and the rule is therefore not able to determine if `/Qspectre` is specified. The likely cause is that the code was linked to a static library with no debug information: {0}
+
 #### `OptimizationsDisabled`: Warning
 
 The following modules were compiled with optimizations disabled (/Od), a condition that disables Spectre mitigations:
@@ -904,6 +912,28 @@ The PDB for '{0}' does not contain SourceLink information, compromising friction
 
 ---
 
+## Rule `BA2029.EnableIntegrityCheck`
+
+### Description
+
+Binaries that are loaded by certain Windows features must (and device drivers should) opt into Windows validation of their digital signatures by setting the /INTEGRITYCHECK linker flag. This option sets the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY attribute in the PE header of binaries which tells the memory manager to validate a binary's digital signature when loaded. Any user mode code that is interfacing with Early Launch Antimalware (ELAM) drivers, integrates with device firmware execution or is trying to load into protected process lite space must enable /INTEGRITYCHECK. This feature applies to both 32-but and 64-bit files. Binaries that opt into /INTEGRITYCHECK must be signed using the Microsoft Azure Code Signing program.
+
+### Messages
+
+#### `Pass`: Pass
+
+'{0}' was compiled with /INTEGRITYCHECK and will therefore have its digital signature validated at load time when executing in sensitive Windows runtime environments.
+
+#### `Error`: Error
+
+'{0}' was not compiled with /INTEGRITYCHECK and therefore will not have its digital signature validated at load time. Failing to validate binary signatures increases the risk of loading malicious code in low-level, high-privilege execution environments, including subsystems that provide critical security malware protections. To resolve this problem, pass '/INTEGRITYCHECK' on the linker command line and sign your files using the Microsoft Azure Code Signing program.
+
+#### `InvalidMetadata`: NotApplicable
+
+'{0}' was not evaluated for check '{1}' as the analysis is not relevant based on observed metadata: {2}.
+
+---
+
 ## Rule `BA4001.ReportPECompilerData`
 
 ### Description

docs/FunctionalTestBuildScripts.md

@@ -204,6 +204,13 @@ The Visual Studio 2022 "empty console application" template, compiled as Release
 
 The Visual Studio 2022 "empty console application" template, compiled as Release|x64.  The `/incremental:no` option disables incremental linking explicitly.  The `/ltcg` and `/gl` options are disabled explicitly.
 
+## Native_x64_VS2022_[Console/KernelModeDriver/UserModeDriver]_IntegrityCheck_[variant].[exe/sys/dll]
+
+The Visual Studio 2022 default C++ Console/KernelModeDriver/UserModeDriver template, compiled as Release|x64. In linker command line,  
+_Yes: `/INTEGRITYCHECK`  
+_Default: without the flag  
+_Yes_Manual_FORCE_INTEGRITY: `/INTEGRITYCHECK` and then use tool to Manually set `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY` flag to true
+
 ## Native_x64_VS2022_PDBPageSize_8192.exe
 
 The Visual Studio 2022 "empty console application" template, compiled as Debug|x64.  The `/PDBPageSize:8192` linker option set page size to 8192.

src/BinSkim.Driver/BinSkim.Driver.csproj

@@ -28,11 +28,10 @@
 
   <ItemGroup>
     <PackageReference Include="CommandLineParser" Version="2.9.1" />
-    <PackageReference Include="Microsoft.CodeAnalysis" Version="4.4.0" />
-    <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
     <PackageReference Include="System.Collections.Immutable" Version="7.0.0" />
     <PackageReference Include="System.Private.Uri" Version="4.3.2" />
-    <PackageReference Include="System.Reflection.Metadata" Version="7.0.0" />
+    <PackageReference Include="System.Reflection.Metadata" Version="7.0.2" />
   </ItemGroup>
 
   <ItemGroup>

src/BinSkim.Driver/DriverUtilities.cs

@@ -28,7 +28,7 @@ private static CompositionHost CreateCompositionContainer<T>(IEnumerable<Assembl
         {
             ConventionBuilder conventions = GetConventions<T>();
 
-            assemblies = assemblies ?? new Assembly[] { typeof(DoNotShipVulnerableBinaries).Assembly };
+            assemblies ??= new Assembly[] { typeof(DoNotShipVulnerableBinaries).Assembly };
 
             return new ContainerConfiguration()
                 .WithAssemblies(assemblies, conventions)