BinSkim Release History

Definitions

  • NR => new rule
  • PRF => performance work
  • FCR => fingerprint change or refactor
  • RRR => rule rename or refactor
  • FPC => regex candidate reduction
  • FNC => regex candidate increase
  • FPS => FP reduction in static analysis
  • FNS => false negative reduction in static analysis
  • FPD => FP reduction in dynamic phase
  • FND => False negative reduction in dynamic phase
  • UER => eliminate unhandled exceptions in rules
  • UEE => eliminate unhandled exceptions in engine
  • DEP => upgrade dependency versions
  • NEW => new feature

UNRELEASED

  • DEP: Update msdia140.dll from 14.40.33810.0 to 14.40.33812. 1000
  • BUG: Fix TryGetPortablePdbMetadataReader unexpectedly causing an UnauthorizedAccessException error when the PDB file is missing. 1004
  • BUG: Fork telemetry to always log to both Console and AppInsights at the same time when an error occurs. 1002

v4.3.0

  • DEP: Update msdia140.dll from 14.36.32532.0 to 14.40.33810.0. This update fixes the System.AccessViolationException: Attempted to read or write protected memory exception that occurs when reading certain PDB files. 996
  • BRK: Temporarily disable performance rules due to a bug in latest msdia140.dll: BA6001.DisableIncrementalLinkingInReleaseBuilds, BA6002.EliminateDuplicateStrings, BA6004.EnableCOMDATFolding, BA6005.EnableOptimizeReferences and BA6006.EnableLinkTimeCodeGeneration. 996

v4.2.2

  • DEP: Update Sarif.Sdk submodule from bc8cb57 to 9e95888. Reference SARIF SDK Release History.
  • BUG: Fix BA2027.EnableSourceLink unexpectedly causing an ExceptionLoadingPdb error when the PDB file is missing. 988.
  • BUG: Exclude system-generated files AssemblyAttributes.obj, AssemblyInfo.obj, stdafx.obj from BA2004.EnableSecureSourceCodeHashing. 989.
  • BUG: Fix ERR998.ExceptionInAnalyze: InvalidOperationException: Unrecognized crypto HRESULT: 0x80096011 for check BA2022.SignSecurely when the signature is malformed, by adding missing error code to error description mappings. 969
  • NEW: BA4002.ReportElfOrMachoCompilerData, which collects telemetry data for Elf and Macho files, is now enabled by default.
  • NEW: Add --disable-telemetry argument to disable telemetry collection.
  • FPS: BA2004.EnableSecureSourceCodeHashing will now no longer generate false positives for Universal Windows Platform (UWP) app regarding dummy.obj. #976

v4.2.1

  • FPS: BA2004.EnableSecureSourceCodeHashing will no longer generate false positives on precompiled headers, which are always without hash. #965

v4.2.0

  • DEP: Remove Microsoft.CodeAnalysis. #934
  • DEP: Remove Microsoft.CodeAnalysis.NetAnalyzers. #934
  • DEP: Update msdia140.dll from 14.32.31326.0 to 14.36.32532.0. 936
  • DEP: Update symsrv.dll from 10.0.10150.0 to 10.0.22621.755. 936
  • DEP: Update ELFSharp package from 2.17.1 to 2.17.2. #930
  • DEP: Update System.Reflection.Metadata package from 7.0.0 to 7.0.2. #930
  • DEP: Update Newtonsoft.Json package from 13.0.1 to 13.0.3. #930
  • NR : BA2029.EnableIntegrityCheck (Rule Request) #922
  • BUG: BA2004.EnableSecureSourceCodeHashing now explicitly reports the insecure hash algorithm or that the module has no hash data present (in that circumstance). #929
  • BUG: Fix System.InvalidOperationException: Sequence contains more than one matching element when --trace is provided. 896
  • BUG: Fix --trace missing supported values from SARIF SDK (ScanTime, RuleScanTime, PeakWorkingSet, TargetsScanned, ResultsSummary). 896
  • BUG: Temporarily restore command-line option --hashes and --statistics as obsolete for compatibility reasons. Please do not use them as they will be removed in future releases. 945
  • BUG: Fix --quiet, --recurse, --rich-return-code, --ignorePdbLoadError and --environment not working without explicitly adding true. 946
  • NEW: BA2024.EnableSpectreMitigations now informs user when a compiland RawCommandLine value is missing and the rule is therefore not able to determine if /Qspectre is specified. #933
  • NEW: Add IncludeWixBinaries option when using config file, to include Wix binaries in the analysis. #944
  • NEW: Support SymbolPath, LocalSymbolDirectories, IgnorePdbLoadError option when using config file, in addition to passing as command line parameters. #944

v4.1.0

  • DEP: Update Sarif.Sdk submodule from 120fae3 to bc8cb57. Reference SARIF SDK Release History.
  • DEP: Upgrade ELFSharp from 2.16.1 to 2.17.1. #872
  • BRK: Remove --verbose command-line option (in favor of --level and --kind). #853
  • BRK: Remove --hashes command-line option (in favor of --insert Hashes). #853
  • FPS: Fix false positive where rule BA2024.EnableSpectreMitigations incorrectly flags compilation units using debug runtime (which are not Spectre-mitigated by design). 887
  • BUG: Fix BA2004.EnableSecureSourceCodeHashing to report the actual broken hash algorithm (rather than always reporting SHA-1). #868
  • BUG: Fix BA2022.SignSecurely unhandled InvalidOperationException: Unrecognized crypto HRESULT: 0x80096011, which is TRUST_E_MALFORMED_SIGNATURE, by refreshing CryptoError enum with latest data from Windows SDK for Windows 11 (10.0.22621.0). 850
  • BUG: Probe local symbols directory for PDBs in all code paths. 828
  • BUG: Add missing output in PDB load tracing (enabled by --trace PdbLoad). 828
  • BUG: Provide additional note for BA2025.EnableShadowStack that enabling it with older versions of .NET (.NET 6 or earlier) may cause the process to crash. 874
  • NEW: CompilerInformation telemetry now emits the last modified date of the scan target. #873
  • NEW: CompilerInformation telemetry now emits the last modified date of the PDB associated with the analyzed binary. #871

v4.0.0

  • DEP: Update Sarif.Sdk submodule from fc9a9df to 2d52c53. Reference SARIF SDK Release History.
  • DEP: Upgrade Elfsharp.2.16.0 to Elfsharp.2.16.1. #791
  • DEP: Upgrade BinSkim to .net6.0 as .net core 3.1 reached end of support on 12/13/2022.
  • DEP: Upgrade Newtonsoft.JSON package to 13.0.2 to resolve security alert.
  • BRK: Removed SARIF 1.0 support from BinSkim. Now option -v | --sarif-output-version does not accept value OneZeroZero. 719
  • FPR: Eliminate BA3003.EnableStackProtector false positives when the target is statically linked. 744
  • UER: fix ERR997.ExceptionLoadingAnalysisTarget : Could not load analysis target errors analyzing *nix binary resulting from failure to properly parse DWARF debug information.
  • NR : Introduce first performance rule BA6001.DisableIncrementalLinkingInReleaseBuilds #667
  • NR : Introduce more performance rules BA6002.EliminateDuplicateStrings, BA6004.EnableCOMDATFolding, BA6005.EnableOptimizeReferences, BA6006.EnableLinkTimeCodeGeneration #691
  • FPR: Eliminate BA2015.EnableHighEntropyVirtualAddresses false positives for some 32-bit exes. #721
  • PRF: Fix over-aggressive parsing of DWARF compilation units even when all related rules are disabled. 774
  • BUG: Fix unhandled ArgumentException in Enum.TryParse on passing PdbLoad value to --trace command-line argument. 821
  • BUG: Fix error ERR997.ExceptionLoadingPdb : '[filename]' was not evaluated because its PDB could not be loaded (E_PDB_NOT_FOUND). when reading PE file built with PDBPageSize:8192 or greater, by upgrading msdia140.dll from 14.27.28826.96 to 14.32.31326.0. 685
  • BUG: Eliminate BA2004.EnableSecureSourceCodeHashing false positives to Windows Runtime components (resulting from references to Win RT API metadata files).
  • BUG: Probe local symbols directory for PDBs in all code paths. 828
  • BUG: Add missing output in PDB load tracing (enabled by --trace PdbLoad). 828
  • BUG: Fix unhandled ArgumentException in Enum.TryParse on passing PdbLoad value to --trace command-line argument. 821
  • BUG: Fix assertion failure with no explanation when TargetFileSpecifiers is null or empty for BinSkim analyze. 763
  • BUG: Fix command line parameters in documents: replace -Wl,z,relro with -Wl,-z,relro, and -Wl,z,now with -Wl,-z,now. 736
  • NEW: Raw command line passed to the linker now exposed on ObjectModuleDetail instances. #708
  • NEW: Add BA3031.EnableClangSafeStack, rename BA3030.UseCheckedFunctionsWithGcc to BA3030.UseGccCheckedFunctions #663
  • DEP: Upgrade ELFSharp from 2.14.0 to 2.15.0. #631
  • DEP: Upgrade System.Reflection.Metadata from 5.0.0 to 6.0.1 and System.Collections.Immutable from 5.0.0 to 6.0.0. #605
  • DEP: Update Sarif.Sdk submodule from 4e9f606 to fc9a9df. Reference SARIF SDK Release History.
  • NEW: Enable BinSkim for MacOS. #576
  • FPR: Skip BA2025.EnableShadowStack rule for ARM Binaries which cannot use /CETCOMPAT. #650
  • BUG: Fix missing commandLineId from CommandLineInformation event. #652
  • NEW: Add new PE CV_CFL_LANG language code for ALIASOBJ and Rust. 530
  • BRK: Rename BA2026.EnableAdditionalSdlSecurityChecks to BA2026.EnableMicrosoftCompilerSdlSwitch to clarify rule purpose. #586
  • BUG: Fix BA2014.DoNotDisableStackProtectionForFunctions to eliminate false positive reports that GsDriverEntry has disabled the stack protector. 551
  • BUG: Fix Newtonsoft.Json.JsonSerializationException when reading SARIF V1 with telemetry enabled. 613
  • BUG: Fix KeyNotFoundException exception raised by BA2006.BuildWithSecureTools when individual MinimumToolVersions properties are removed from XML configuration. #565
  • BUG: Fix BA2006.BuildWithSecureTools not emitting the compiler list. Commit SHA 135946
  • BUG: Fix MultithreadedAnalyzeCommandBase artifacts generation and enforcing JSON properties ordering. #555
  • BUG: Fix incorrect analysis for non-Microsoft compiler on BA2006.BuildWithSecureTools. #545
  • BUG: Fix JsonSerializationException that occurs when saving SARIF v1 with telemetry enabled. #535
  • BUG: Fix NullReferenceException when --Hashes and telemetry rules are enabled. #531
  • BUG: Fix telemetry session creation. 515

v1.9.0-prerelease3 NuGet Package

  • BUG: Fix exception when collecting telemetry. 486, #487
  • NEW: Collect/Send assembly references when rule BA4001 is enabled. #493
  • NEW: Enable multithread analysis. #495
  • NEW: Package BinaryParsers project as a new nuget. #502
  • NEW: Do not return 1 when ignorePdbLoadError is enabled for PDB loading issues. #506

v1.9.0-prerelease2 NuGet Package

  • BUG: Fix exception handling when PDB cannot be loaded by IDiaDataSource. #461
  • BRK: PDB exceptions will be reported once per target. #465
  • BUG: Fix exception System.AccessViolationException caused by trying to read data out of boundary. #470
  • BUG: Include C++ runtime in the package to prevent DllNotFoundException when loading msdia140.dll. #474
  • NEW: Add dialects to the reporting rules. #475
  • BUG: Change compiler report rule to report all modules in file. #476
  • BUG: Fix exception System.ArgumentException when checking file format. #481
  • BUG: Fix opcode handling when reading DWARF line number programs. #482
  • BUG: Fix BA3005 to use similar output as BA3003. #483
  • BUG: Fix exception System.AccessViolationException when reading DWARF string by position. #484

v1.9.0-prerelease1 NuGet Package

  • NEW: Add BA3011.EnableBindNow. #363
  • NEW: Add BA2025.EnableShadowStack. #376
  • NEW: Add BA3005.EnableStackClashProtection. #379
  • BUG: Force load PDB. #380
  • BUG: Fix BA2004 for MASM compilers. 381
  • NEW: Add BA3006.EnableNonExecutableStack. #383
  • NEW: Add BA2026.EnableAdditionalSecurityChecks. #388
  • NEW: Add BA4002.ReportDwarfCompilerData. #394
  • BUG: Fix for E_PDB_MAX error. #399
  • BRK: Removing win-x86 support. #401
  • NEW: Add baseline support. #409
  • BUG: Fix exception when the PDB is embedded. #410
  • BUG: Fix import/export config using JSON file. #349
  • NEW: Add compiler report rule BA4001, which is disabled by default. #350
  • NEW: Add support to specific rule documentation in HelpUri. #348

v1.7.5-prerelease1 NuGet Package

  • BUG: Fix import/export config using JSON file. #349
  • NEW: Add compiler report rule BA4001, which is disabled by default. #350
  • NEW: Add support to specific rule documentation in HelpUri. #348
  • BRK: Add --verbose as obsolete, which translates to --level and --kind. #347
  • NEW: Update SARIF version to latest (using submodule). #325
  • NEW: Add BA2004.EnableSecureSourceCodeHashing. #320
  • BRK: Replace --verbose with --level and --kind. #339
  • BUG: Fix net5 handling. #345
  • BRK: Revert dotnet-tool. #316
  • BRK: Change from self-contained to dotnettool. #306
  • BUG FIX: Fix issue when analyzing SingleFilePublish files. #311
  • DEP: Update to .NET Core 3.1. Changes tool paths in NuGet package.
  • NEW: Add --trace argument to enable specialized trace of execution behavior, such as PdbLoad.
  • NEW: Update SARIF version to 2.3.8
  • BRK: Default output is sarif v2
  • DOC: Correct reporting to reflect that /guard:cf is case-sensitive for the compiler. Contributed by @JacksonText
  • BUG: Fix ExceptionRaisedInSkimmerCanAnalyze null dereference exception for binaries without PDBs. #265
  • NEW: Update to final SARIF v2 (version 2.1.16). This enables results caching when passing --hashes on the command-line, a significant performance improvement when recursively analyzing directories with multiple copies of scan targets.
  • BUG FIX: Fix typo in BA2021.DoNotMarkWritableSectionsAsExecutable output.
  • PERFORMANCE: Eliminate PDB loading for all non-mixed-mode managed assemblies, including IL Library (ahead of time compiled) binaries.
  • FALSE NEGATIVE FIX: Verify that a PDB placed alongside a binary actually matches the binary under analysis
  • NEW: Provide --local-symbol-directories argument to specify additional (local, non-symbol-server) PDB look-up locations
  • FPR: Skip PDB-driven analysis for the generated .NET core native bootstrap exe (which is not user-controllable code).
  • BUG: Drop Spectre analysis to warning
  • BUG: Fix Linux NuGet packaging to include BinSkim executable missing in 1.6.0-beta.1
  • NRK: Update to pre-release SARIF v2 output format (sarif-2.0.0-csd.2.beta.2019-01-24)
  • NEW: Provide for SARIF v1 or v2 file format export. Default is v1 until SARIF v2 is final.
  • BRK: Output is now Sarif V2-CSD1 compliant rather than Sarif V1
  • BUG: Fix Linux NuGet packaging to include BinSkim executable missing in 1.5.0.
  • Cross platform (Windows/Linux) support.
  • BRK: New Results: Identify and fire configuration errors when located PDBs are stripped
  • BRK: New Results: False negative removed for BA2015.EnableHighEntropyVA: Correctly flags an AnyCPU binary with HighEntropyVA and Prefer32Bit disabled
  • BRK: New Rules: New rules for ELF Binaries (BA3001.EnablePieOnExecutables, BA3002.DoNotMarkStackAsExecutable, BA3003.EnableStackProtector, BA3010.EnableReadOnlyRelocations, and BA3030.UseCheckedFunctionsWithGcc)
  • BRK: New Rules: Provide preliminary BA2024.EnableSpectreMitigations analysis
  • Correct signing check pass message to reflect actual analysis
  • Sign all BinSkim binaries
  • Do not fire BA2001.LoadImageAboveFourGigabyteAddressId for ILOnly 64-bit assemblies
  • Fix rich return code return functionality when core command-line parsing breaks
  • Export configuration knob to adjust EnableControlFlowGuard linker version check
  • Loosen SignSecurely rule to prevent errors on WinTrustVerify errors CERT_E_UNTRUSTEDROOT and CERT_E_CHAINING
  • Add 'rich' return code (a bitfield value of observed runtime conditions) via SARIF SDK --rich-return-code arg
  • Add response file support
  • Add __vcrt_trace_logging_provider::_TlgWrite exception to BA2014.DoNotDisableStackProtectionForFunctions
  • Fix rule crash on firing 'not applicable' message for control flow guard check
  • Add BinScope readable rule name information to SARIF log file output
  • Fix reporting errors when flagging binaries signed with weak cryptographic algorithms
  • Drop required compiler tools version to 17.0.65501.17013
  • Make minimum required linker configurable for EnableControlFlowGuard check
  • Fix false positives of BA2008:EnableControlFlowGuard firing on x86 kernel mode binaries
  • Eliminate high-entropy VA analysis for binaries with no entry points
  • Update various checks to eliminate noise analyzing boot binaries
  • Update Sarif dependency to 1.5.40
  • --config argument is now optional
  • Fix false positives of BA2008:EnableControlFlowGuard firing against MC++ mixed mode binaries
  • Fix false positives of BA2008:EnableControlFlowGuard firing against resource-only dll that include exported API forwarders (but no code)
  • XML-based configuration now functional
  • Eliminated compiler tool version false positives for Intel compiler and MASM
  • Update Sarif dependency to 1.5.38
  • More incidental reporting improvements
  • Update Sarif dependency to 1.5.36
  • Improves output in error cases
  • Fix false positives in 'sign securely' analysis for multi-signed binaries
  • Eliminate noise in stack protection analysis against .NET native binaries
  • Update Sarif dependency to 1.5.28
  • Force load PDBs in some circumstances where they have failed to do so
  • Update Sarif dependency to Sarif SDK/Driver 1.5.22-beta (Sarif JSON format 1.0.0)