Comments (3)
If this PR would resolve an error like the following, then I would definitely appreciate such a change:
error BA2004: 'file.dll' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: Microsoft (R) Optimizing Compiler : cxx : 19.37.32824.0 : [directly linked] (.NETFramework,Version=v4.8.AssemblyAttributes.obj)
from binskim.
@michaelcfanning let me know your thoughts.
from binskim.
I produced the error with both Microsoft Visual Studio Professional 2022 (64-bit) / 17.6.3 and with 17.7.6. Also updated to latest MSVC v143/v14.37.-17.7. Even with these updates, binskim is reporting the BA2004 error.
The .vcxproj is building a C++/CLI DLL. Visual Studio and project are generating the .NETFramework,Version=v4.8.AssemblyAttributes.cpp file in the obj directory, where the .NETFramework,Version=v4.8.AssemblyAttributes.obj also appears.
file.dll: error BA2004: 'file.dll' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy:
Microsoft (R) Optimizing Compiler : cxx : 19.37.32825.0 : [directly linked] (.NETFramework,Version=v4.8.AssemblyAttributes.obj)
from binskim.
Related Issues (20)
- BA2024 - Defect : EnableSpectreMitigations HOT 2
- Is it true that I can pass an input file list? HOT 3
- SpectreMitigationsEnabled
- Guardian: PostAnalysis error [ EnableCriticalCompilerWarning] HOT 1
- Combability with .NET ReadyToRun and Self-Contained HOT 3
- BA2026 is reported as NotApplicable for native PE binaries compiled with /sdl switch
- BA2025, /CETCOMPAT and .NET Framework
- Users not able to know which file causes issue when exception loading pdb
- BA2004 - Should exclude "AssemblyAttributes.obj"
- BinSkim download from symbol server not working
- Unclear Error message when the path of the file too long
- Enabling disabled rules
- BinSkim BA2014 compatibility with the new Arm64EC files
- BinSkim BA2021 compatibility with R2R Linux binaries
- Put evidence of MSVC ASAN utilization in telemetry stream
- [RULE REQUEST] Check for the import of outdated (end-of-life) Visual C++ redistributable DLLs
- Special-case compiler generated `dummy.obj` file that fires `BA2004` HOT 1
- Whether to suppress ‘PDB not found’ errors for stub .exe that invokes the .net core entry point
- Introducing an alternative to Binskim: Binary Valentine (with GUI)
- --ignorePdbLoadError behavior changed