microsoft / AttackSurfaceAnalyzer

Attack Surface Analyzer can help you analyze your operating system's security configuration for changes during software installation.
MIT License

Output Sarif #564

Closed gfs closed 2 years ago

gfs commented 3 years ago

We should add an option (perhaps the new default and a bump to 2.4) to output sarif from guided mode and when exporting results.

This needs to add a format Enum to ExportOptions to key off of, which would be set by GuidedMode and Exporting results, with the corresponding option also in the command line options and the blazor interface.

eddynaka commented 3 years ago

@yongyan-gh @shaopeng-gh, let's check if we can enable some argument to export a SARIF file

eddynaka commented 3 years ago

Below, some guidance from @gfs:

https://github.com/microsoft/AttackSurfaceAnalyzer/blob/18768e7dac51e5f4c151d2186421f03ddcbf904e/Cli/AttackSurfaceAnalyzerClient.cs#L519

gfs commented 3 years ago

Also need to change https://github.com/microsoft/AttackSurfaceAnalyzer/blob/18768e7dac51e5f4c151d2186421f03ddcbf904e/Cli/AttackSurfaceAnalyzerClient.cs#L577

shaopeng-gh commented 3 years ago

I will take a look at this one.

shaopeng-gh commented 3 years ago

@gfs Hi, I cloned the source code and took a look. I see the program has an Export to Json function, which is a serialization of a Dictionary<string,object>, and the object is mostly from a List of CompareResult.

Is the task to support export to a .Sarif file, in addition to Json? Like the user provides a switch --exportformat=Json/Sarif and we go down a different code path to write the file in that format.

If so, one question I have is how do we map each field in Json into each field in the Sarif format file. Do you have some example Json files I can get some idea from?

(btw I will need to add ref to Sarif SDK to generate Sarif file)

gfs commented 3 years ago

On Wed, Oct 6, 2021 at 12:44 AM, Shaopeng wrote:

@gfs Hi, I cloned the source code and took a look. I see the program has an Export to Json function, which is a serialization of a Dictionary<string,object>, and the object is mostly from a List of CompareResult.

Is the task to support export to a .Sarif file, in addition to Json? Like the user provides a switch --exportformat=Json/Sarif and we go down a different code path to write the file in that format.

that’s the idea.

If so, one question I have is how do we map each field in Json into each field in the Sarif format file. Do you have some example Json files I can get some idea from?

I can generate one to send you today - but it’s just a serialization of a structure holding CompareResult objects, which each contain one or more CollectObjects.

I assume the vast majority of the fields from a compare result are not going to have a peer in the default Sarif and most of the info will go in the extra properties.

(btw I will need to add ref to Sarif SDK to generate Sarif file)

yep that’s fine


shaopeng-gh commented 3 years ago

@gfs extra properties --- can you elaborate more? Do you have a sample of Sarif that uses a similar approach, so we can use the same properties?

Yes, if you can send me an example json today that would be great. With that I will be able to take a look and check with you to make sure we are on the same page about which node in json maps to which node in Sarif. Thanks! Like: Json fieldA -> name, Json fieldB -> description

shaopeng-gh commented 3 years ago

@gfs I guess there will be many details that need to be settled. I see the program has more than one type of Collector, and an extra type of real-time monitor; we will need to see where this info fits into the Sarif. If the json you provide can include nodes for them, that would be great for us to discuss based on.

gfs commented 3 years ago

@shaopeng-gh

I have documentation for an example of the output schema here on the wiki: https://github.com/microsoft/AttackSurfaceAnalyzer/wiki/JSON-Schema

extra properties

AttackSurfaceAnalyzer scans many aspects of a system for changes. This does include things like Files (where it's a closer match to sarif properties) but it might also include things like a Registry Key or information about a change in the TPM. I'm not very familiar with Sarif but I believe most of the fields for most of our objects are going to be extra properties that are added to the artifact (I believe) properties bag.

which node in json map to which node in Sarif

The following is taken from the example in the link above.

        "Analysis": "WARNING", 

The Analysis field of each result is an ANALYSIS_RESULT_TYPE which should be mapped to the level in Sarif. The value of this field should also be carried over in the custom properties. I propose mapping it as follows.

NONE => note
VERBOSE  => note
DEBUG  => note
INFORMATION  => note
WARNING  => warning
ERROR => error
FATAL => error

        "Base": {
          "Characteristics": [
            "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
            "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
            "IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY",
            "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
            "IMAGE_DLLCHARACTERISTICS_NO_ISOLATION",
            "IMAGE_DLLCHARACTERISTICS_NO_SEH",
            "IMAGE_DLLCHARACTERISTICS_NO_BIND",
            "IMAGE_DLLCHARACTERISTICS_APPCONTAINER",
            "IMAGE_DLLCHARACTERISTICS_WDM_DRIVER",
            "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
          ],
          "ContentHash": "lx7gx6aRZS3xT6yEwhlefSXd7ODFi9ngVjfA+xDaJ6/GmR07Jp442QHetHzk4l9oXmRwFFkfwybHvSsCDSAG7g==",
          "Created": "2021-09-28T23:07:07.4341641Z",
          "Group": "S-1-12-1-1692076736-1293559039-2251920262-2914442584",
          "Identity": ".\\devskim.exe",
          "IsExecutable": true,
          "LastModified": "2021-10-06T18:26:59.7863559Z",
          "Owner": "S-1-12-1-1692076736-1293559039-2251920262-2914442584",
          "Path": ".\\devskim.exe",
          "Permissions": {
            "NT AUTHORITY\\SYSTEM": "FullControl",
            "BUILTIN\\Administrators": "FullControl",
            "S-1-12-1-1692076736-1293559039-2251920262-2914442584": "FullControl"
          },
          "SignatureStatus": {},
          "Size": 193842,
          "ResultType": "FILE"
        },

The Base is the object which was collected on the first run of ASA. This will be null if the result is for something which was created. In this case it is a FileSystemObject (see the ResultType field). The fields here should be carried over into the property bag for the result.

        "BaseRunId": "2021-10-06T11:27:31.5382772-07:00",

This is the run identifier for the first run of attack surface analyzer. This should probably be included in the arguments field of the description for the run.

        "ChangeType": "MODIFIED",

This field represents the type of change detected. ASA does 2 scans so things can be Created, Deleted or Modified. This should be carried over in the property bag, unless there is a good sarif equivalent.

        "Compare": {
          "Characteristics": [
            "IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA",
            "IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE",
            "IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY",
            "IMAGE_DLLCHARACTERISTICS_NX_COMPAT",
            "IMAGE_DLLCHARACTERISTICS_NO_ISOLATION",
            "IMAGE_DLLCHARACTERISTICS_NO_SEH",
            "IMAGE_DLLCHARACTERISTICS_NO_BIND",
            "IMAGE_DLLCHARACTERISTICS_APPCONTAINER",
            "IMAGE_DLLCHARACTERISTICS_WDM_DRIVER",
            "IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE"
          ],
          "ContentHash": "elFsTNsVO6OLaLEevX4VU5pSM0mdW70CQvc9hP9l1PI3UBKnPQihkGEQ2vRU5BPDx6eO9tOLHu70S91Ce2OozA==",
          "Created": "2021-09-28T23:07:07.4341641Z",
          "Group": "S-1-12-1-1692076736-1293559039-2251920262-2914442584",
          "Identity": ".\\devskim.exe",
          "IsExecutable": true,
          "LastModified": "2021-10-06T18:27:36.5705497Z",
          "Owner": "S-1-12-1-1692076736-1293559039-2251920262-2914442584",
          "Path": ".\\devskim.exe",
          "Permissions": {
            "NT AUTHORITY\\SYSTEM": "FullControl",
            "BUILTIN\\Administrators": "FullControl",
            "S-1-12-1-1692076736-1293559039-2251920262-2914442584": "FullControl"
          },
          "SignatureStatus": {},
          "Size": 193841,
          "ResultType": "FILE"
        },

Compare is the state of the object on the second run of AttackSurfaceAnalyzer. The fields here should be carried over into the property bag for the result.

        "CompareRunId": "2021-10-06T11:27:38.4500214-07:00",

This is the run identifier for the first run of attack surface analyzer.

        "Diffs": [
          {
            "After": "elFsTNsVO6OLaLEevX4VU5pSM0mdW70CQvc9hP9l1PI3UBKnPQihkGEQ2vRU5BPDx6eO9tOLHu70S91Ce2OozA==",
            "Before": "lx7gx6aRZS3xT6yEwhlefSXd7ODFi9ngVjfA+xDaJ6/GmR07Jp442QHetHzk4l9oXmRwFFkfwybHvSsCDSAG7g==",
            "Field": "ContentHash"
          },
          {
            "After": "2021-10-06T18:27:36.5705497Z",
            "Before": "2021-10-06T18:26:59.7863559Z",
            "Field": "LastModified"
          },
          {
            "After": 193841,
            "Before": 193842,
            "Field": "Size"
          }
        ],

This is a List of differences found between the two object states (only set if the ChangeType is modified).

        "Identity": ".\\devskim.exe",

The Identity field will generally be the equivalent of the location in sarif. In this example it is a file location but it could be a number of things.

        "ResultType": "FILE",

This represents the type of object contained in the "base" and "compare" fields of the result. This field should be carried over in the property bag.

        "Rules": [
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when executables are created without ASLR.",
            "Name": "Missing ASLR"
          },
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when executables are created without DEP.",
            "Name": "Missing DEP"
          },
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "LINUX",
              "MACOS",
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when unsigned/incorrectly signed binaries are added.",
            "Name": "Unsigned binaries"
          }
        ]
      }

This is the list of rules which applied to the object. In this case it is three rules. We do not currently have Rule IDs, but that seems to be more standard in sarif so maybe they should be added as part of this. This actually is a bit more verbose than it should be so the additional information here other than name and description can safely be ignored.

gfs commented 3 years ago

@gfs I guess there will be many details that need to be settled. I see the program has more than one type of Collector, and an extra type of real-time monitor; we will need to see where this info fits into the Sarif. If the json you provide can include nodes for them, that would be great for us to discuss based on.

Correct. There are ~10 different types of objects that can be in an ASA output. The API documentation has information on the fields of each object. For the vast majority of these fields I expect that we just want to throw them in the properties bag of the artifact: https://microsoft.github.io/AttackSurfaceAnalyzer/api/Microsoft.CST.AttackSurfaceAnalyzer.Objects.CollectObject.html

shaopeng-gh commented 3 years ago

@gfs thanks! A lot great info here, I will look into it :)

shaopeng-gh commented 3 years ago

Json:

{ "results": { "FILE_MODIFIED": [ { "Analysis": "DEBUG", "Base": { "Created": "2021-10-08T04:18:58.206822Z", "Group": "S-1-12-1-1613650695-1152925323-3004084401-3676713700", "Identity": "C:\\Test\\Scan\\ToBeModified.txt", "LastModified": "2021-10-08T04:19:12.4498613Z", "Owner": "S-1-12-1-1613650695-1152925323-3004084401-3676713700", "Path": "C:\\Test\\Scan\\ToBeModified.txt", "Permissions": { "S-1-5-11": "Modify, Synchronize", "S-1-5-18": "FullControl", "S-1-5-32-544": "FullControl", "S-1-5-32-545": "ReadAndExecute, Synchronize" }, "Size": 5, "ResultType": "FILE" }, "BaseRunId": "10/7/2021 9:21:33 PM-before", "ChangeType": "MODIFIED", "Compare": { "Created": "2021-10-08T04:18:58.206822Z", "Group": "S-1-12-1-1613650695-1152925323-3004084401-3676713700", "Identity": "C:\\Test\\Scan\\ToBeModified.txt", "LastModified": "2021-10-08T04:22:04.3198988Z", "Owner": "S-1-12-1-1613650695-1152925323-3004084401-3676713700", "Path": "C:\\Test\\Scan\\ToBeModified.txt", "Permissions": { "NT AUTHORITY\\Authenticated Users": "Modify, Synchronize", "NT AUTHORITY\\SYSTEM": "FullControl", "BUILTIN\\Administrators": "FullControl", "BUILTIN\\Users": "ReadAndExecute, Synchronize" }, "Size": 13, "ResultType": "FILE" }, "CompareRunId": "10/7/2021 9:21:33 PM-after", "Diffs": [ { "After": "2021-10-08T04:22:04.3198988Z", "Before": "2021-10-08T04:19:12.4498613Z", "Field": "LastModified" }, { "After": { "NT AUTHORITY\\Authenticated Users": "Modify, Synchronize", "NT AUTHORITY\\SYSTEM": "FullControl", "BUILTIN\\Administrators": "FullControl", "BUILTIN\\Users": "ReadAndExecute, Synchronize" }, "Field": "Permissions" }, { "Before": { "S-1-5-11": "Modify, Synchronize", "S-1-5-18": "FullControl", "S-1-5-32-544": "FullControl", "S-1-5-32-545": "ReadAndExecute, Synchronize" }, "Field": "Permissions" }, { "After": 13, "Before": 5, "Field": "Size" } ], "Identity": "C:\\Test\\Scan\\ToBeModified.txt", "ResultType": "FILE" } ], "FILE_CREATED": [ { "Analysis": "DEBUG", "BaseRunId": "10/7/2021 9:21:33 
PM-before", "ChangeType": "CREATED", "Compare": { "Created": "2021-10-08T04:22:11.5727345Z", "Group": "S-1-12-1-1613650695-1152925323-3004084401-3676713700", "Identity": "C:\\Test\\Scan\\NewlyCreated.txt", "LastModified": "2021-10-08T04:22:11.5727345Z", "Owner": "S-1-12-1-1613650695-1152925323-3004084401-3676713700", "Path": "C:\\Test\\Scan\\NewlyCreated.txt", "Permissions": { "NT AUTHORITY\\Authenticated Users": "Modify, Synchronize", "NT AUTHORITY\\SYSTEM": "FullControl", "BUILTIN\\Administrators": "FullControl", "BUILTIN\\Users": "ReadAndExecute, Synchronize" }, "Size": 0, "ResultType": "FILE" }, "CompareRunId": "10/7/2021 9:21:33 PM-after", "Identity": "C:\\Test\\Scan\\NewlyCreated.txt", "ResultType": "FILE" } ], "FILE_DELETED": [ { "Analysis": "DEBUG", "Base": { "Created": "2021-10-08T04:18:43.2799276Z", "Group": "S-1-12-1-1613650695-1152925323-3004084401-3676713700", "Identity": "C:\\Test\\Scan\\ToBeDeleted.txt", "LastModified": "2021-10-08T04:18:43.2799276Z", "Owner": "S-1-12-1-1613650695-1152925323-3004084401-3676713700", "Path": "C:\\Test\\Scan\\ToBeDeleted.txt", "Permissions": { "S-1-5-11": "Modify, Synchronize", "S-1-5-18": "FullControl", "S-1-5-32-544": "FullControl", "S-1-5-32-545": "ReadAndExecute, Synchronize" }, "Size": 0, "ResultType": "FILE" }, "BaseRunId": "10/7/2021 9:21:33 PM-before", "ChangeType": "DELETED", "CompareRunId": "10/7/2021 9:21:33 PM-after", "Identity": "C:\\Test\\Scan\\ToBeDeleted.txt", "ResultType": "FILE" } ] }, "metadata": { "compare-version": "2.4.9-alpha+18768e7dac", "compare-os": "WINDOWS", "compare-osversion": "Microsoft Windows NT 10.0.19043.0", "analyses-hash": "yXvUiHy+rkKstAubfKrepSYhf7tGW6Fmpq72cvzjHu/IFkPu1P6FEstdy15fnGvxhAyIcIzdWFTILRTZ6wy0yA==" } }

shaopeng-gh commented 3 years ago

Sarif:

{ "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json", "version": "2.1.0", "runs": [ { "tool": { "driver": { "name": "Attack Surface Analyzer", "rules": [ { "id": "FILE_MODIFIED", "name": "FILE_MODIFIED" }, { "id": "FILE_CREATED", "name": "FILE_CREATED" }, { "id": "FILE_DELETED", "name": "FILE_DELETED" } ] } }, "results": [ { "ruleId": "FILE_MODIFIED", "level": "note", "message": { "text": "MODIFIED: C:\\Test\\Scan\\ToBeModified.txt" }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "file:///C:/Test/Scan/ToBeModified.txt" } } } ], "properties": { "ResultType": "FILE", "ChangeType": "MODIFIED", "BaseRunId": "10/7/2021 9:21:33 PM-before", "CompareRunId": "10/7/2021 9:21:33 PM-after", "Base": {"ContentHash":null,"Created":"2021-10-08T04:18:58.206822Z","FileType":null,"Group":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Identity":"C:\\Test\\Scan\\ToBeModified.txt","IsDirectory":null,"IsExecutable":null,"IsLink":null,"LastModified":"2021-10-08T04:19:12.4498613Z","MacSignatureStatus":null,"Owner":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Path":"C:\\Test\\Scan\\ToBeModified.txt","Permissions":{"S-1-5-11":"Modify, Synchronize","S-1-5-18":"FullControl","S-1-5-32-544":"FullControl","S-1-5-32-545":"ReadAndExecute, Synchronize"},"PermissionsString":null,"SetGid":null,"SetUid":null,"SignatureStatus":null,"Size":5,"SizeOnDisk":null,"Target":null,"ResultType":1}, "Compare": {"ContentHash":null,"Created":"2021-10-08T04:18:58.206822Z","FileType":null,"Group":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Identity":"C:\\Test\\Scan\\ToBeModified.txt","IsDirectory":null,"IsExecutable":null,"IsLink":null,"LastModified":"2021-10-08T04:22:04.3198988Z","MacSignatureStatus":null,"Owner":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Path":"C:\\Test\\Scan\\ToBeModified.txt","Permissions":{"NT AUTHORITY\\Authenticated Users":"Modify, Synchronize","NT 
AUTHORITY\\SYSTEM":"FullControl","BUILTIN\\Administrators":"FullControl","BUILTIN\\Users":"ReadAndExecute, Synchronize"},"PermissionsString":null,"SetGid":null,"SetUid":null,"SignatureStatus":null,"Size":13,"SizeOnDisk":null,"Target":null,"ResultType":1}, "Diffs": [{"After":"2021-10-08T04:22:04.3198988Z","Before":"2021-10-08T04:19:12.4498613Z","Field":"LastModified"},{"After":{"NT AUTHORITY\\Authenticated Users":"Modify, Synchronize","NT AUTHORITY\\SYSTEM":"FullControl","BUILTIN\\Administrators":"FullControl","BUILTIN\\Users":"ReadAndExecute, Synchronize"},"Before":null,"Field":"Permissions"},{"After":null,"Before":{"S-1-5-11":"Modify, Synchronize","S-1-5-18":"FullControl","S-1-5-32-544":"FullControl","S-1-5-32-545":"ReadAndExecute, Synchronize"},"Field":"Permissions"},{"After":13,"Before":5,"Field":"Size"}], "Rules": [], "AnalysesHash": "yXvUiHy+rkKstAubfKrepSYhf7tGW6Fmpq72cvzjHu/IFkPu1P6FEstdy15fnGvxhAyIcIzdWFTILRTZ6wy0yA==" } }, { "ruleId": "FILE_CREATED", "level": "note", "message": { "text": "CREATED: C:\\Test\\Scan\\NewlyCreated.txt" }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "file:///C:/Test/Scan/NewlyCreated.txt" } } } ], "properties": { "ResultType": "FILE", "ChangeType": "CREATED", "BaseRunId": "10/7/2021 9:21:33 PM-before", "CompareRunId": "10/7/2021 9:21:33 PM-after", "Compare": {"ContentHash":null,"Created":"2021-10-08T04:22:11.5727345Z","FileType":null,"Group":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Identity":"C:\\Test\\Scan\\NewlyCreated.txt","IsDirectory":null,"IsExecutable":null,"IsLink":null,"LastModified":"2021-10-08T04:22:11.5727345Z","MacSignatureStatus":null,"Owner":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Path":"C:\\Test\\Scan\\NewlyCreated.txt","Permissions":{"NT AUTHORITY\\Authenticated Users":"Modify, Synchronize","NT AUTHORITY\\SYSTEM":"FullControl","BUILTIN\\Administrators":"FullControl","BUILTIN\\Users":"ReadAndExecute, 
Synchronize"},"PermissionsString":null,"SetGid":null,"SetUid":null,"SignatureStatus":null,"Size":0,"SizeOnDisk":null,"Target":null,"ResultType":1}, "Diffs": [], "Rules": [], "AnalysesHash": "yXvUiHy+rkKstAubfKrepSYhf7tGW6Fmpq72cvzjHu/IFkPu1P6FEstdy15fnGvxhAyIcIzdWFTILRTZ6wy0yA==" } }, { "ruleId": "FILE_DELETED", "level": "note", "message": { "text": "DELETED: C:\\Test\\Scan\\ToBeDeleted.txt" }, "locations": [ { "physicalLocation": { "artifactLocation": { "uri": "file:///C:/Test/Scan/ToBeDeleted.txt" } } } ], "properties": { "ResultType": "FILE", "ChangeType": "DELETED", "BaseRunId": "10/7/2021 9:21:33 PM-before", "CompareRunId": "10/7/2021 9:21:33 PM-after", "Base": {"ContentHash":null,"Created":"2021-10-08T04:18:43.2799276Z","FileType":null,"Group":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Identity":"C:\\Test\\Scan\\ToBeDeleted.txt","IsDirectory":null,"IsExecutable":null,"IsLink":null,"LastModified":"2021-10-08T04:18:43.2799276Z","MacSignatureStatus":null,"Owner":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Path":"C:\\Test\\Scan\\ToBeDeleted.txt","Permissions":{"S-1-5-11":"Modify, Synchronize","S-1-5-18":"FullControl","S-1-5-32-544":"FullControl","S-1-5-32-545":"ReadAndExecute, Synchronize"},"PermissionsString":null,"SetGid":null,"SetUid":null,"SignatureStatus":null,"Size":0,"SizeOnDisk":null,"Target":null,"ResultType":1}, "Diffs": [], "Rules": [], "AnalysesHash": "yXvUiHy+rkKstAubfKrepSYhf7tGW6Fmpq72cvzjHu/IFkPu1P6FEstdy15fnGvxhAyIcIzdWFTILRTZ6wy0yA==" } } ], "columnKind": "utf16CodeUnits" } ] }

shaopeng-gh commented 3 years ago

@gfs Above, I drafted some code and generated output for both json and sarif at the same time, just as a starting point for discussion; let me know your input. (not sure how to format in GitHub, please copy to VS to see clearly)

One issue I see is the rules are so different from the ones you have. In Sarif format there is a tool->driver->rules section and I guess it should contain the rules you have. Where can I find those? My generated json does not have any. Is it a pre-defined long list of all rules, or should I loop through the CompareResult.Rules and generate them dynamically? If the CompareResult.Rules is empty like I have, should the Sarif file be empty? Thanks!

gfs commented 3 years ago

@gfs Above, I drafted some code and generated output for both json and sarif at the same time, just as a starting point for discussion; let me know your input.

Good start.

"FILE_CREATED" etc are not rules, that is the result type (ie this is a File which was Created). The rules which apply to each compareresult are in the Rules field.

(not sure how to format in GitHub, please copy to VS to see clearly)

Here's a guide for GitHub markdown for the future. https://guides.github.com/features/mastering-markdown/

One issue I see is the rules are so different from the ones you have. In Sarif format there is a tool->driver->rules section and I guess it should contain the rules you have. Where can I find those? My generated json does not have any.

I don't think any of the data you collected matches any rules.

If you want the full set of rules, it may make sense to modify the call to export compare results to pass in the rules - and then generate the hash as well as use the rules in sarif - instead of just the hash. See line 516 of AttackSurfaceAnalyzerClient.

If you want to gather simple results that will have a rule applied you can do this:

  1. Obtain a binary (executable) file
  2. Copy it in a folder by itself
  3. asa collect -f --directories TheFolder -h
  4. Open the binary in the folder with Visual Studio Code and remove one random byte from the middle.
  5. asa collect -f --directories TheFolder -h
  6. asa export-collect

This should trigger a rule regarding modified binaries.

Is it a pre-defined long list of all rules, or should I loop through the CompareResult.Rules and generate them dynamically?

If you want only the rules that apply you need to loop through the compare result rules. You could also do it easily with Linq.

var allRulesForResults = resultsIn.SelectMany(x => x.Value.SelectMany(y => y.Rules));

If the CompareResult.Rules is empty like I have, should the Sarif file be empty?

No. AttackSurfaceAnalyzer still collects data even if it does not match a rule, it is just marked as a lower priority finding.

Does Sarif require that each finding have an associated rule? If so, we need to decide to either add a dummy rule or just not output results with no rules associated with them.

Thanks!
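To make the mapping discussed in this thread concrete, here is an added example converter (written for this page, not code from the AttackSurfaceAnalyzer project) that applies gfs's Analysis-to-level table, uses Identity as the SARIF location, carries the remaining CompareResult fields in the property bag, and gathers tool.driver.rules from the Rules of every CompareResult, as the Linq line above does. It assumes rule ids can be derived from the rule Name (ASA rules have no ids yet), emits one SARIF result per applied rule, and keeps ruleless findings without a ruleId, which the SARIF 2.1.0 schema permits; the input below is a constructed sample in the export's shape, not real scan output.

```python
"""Sketch of an ASA export -> SARIF 2.1.0 converter (added example, not project code)."""
import json
from urllib.parse import quote

# gfs's proposed mapping of the Analysis field (ANALYSIS_RESULT_TYPE) to SARIF result.level
LEVEL_MAP = {
    "NONE": "note", "VERBOSE": "note", "DEBUG": "note", "INFORMATION": "note",
    "WARNING": "warning", "ERROR": "error", "FATAL": "error",
}
# CompareResult fields carried over verbatim into the result's property bag, per the thread
BAG_FIELDS = ("Analysis", "ResultType", "ChangeType", "BaseRunId", "CompareRunId",
              "Base", "Compare", "Diffs")


def rule_id(rule):
    """ASA rules carry no ids yet, so derive a stable id from the rule Name (assumption)."""
    return rule.get("Name", "").strip().upper().replace(" ", "_") or "UNNAMED_RULE"


def location_for(cr):
    """Identity is the SARIF location. FILE results become a file:// artifact URI;
    any other ResultType (e.g. PORT, REGISTRY) becomes a logical location instead."""
    ident = cr["Identity"]
    if cr["ResultType"] == "FILE":
        uri = "file:///" + quote(ident.replace("\\", "/"), safe="/:")
        return {"physicalLocation": {"artifactLocation": {"uri": uri}}}
    return {"logicalLocations": [{"fullyQualifiedName": ident,
                                  "kind": cr["ResultType"].lower()}]}


def to_sarif(asa_export):
    """Convert one ASA export ({"results": {...}, "metadata": {...}}) to a SARIF log dict."""
    rules, results = {}, []
    for bucket in asa_export["results"].values():   # buckets: FILE_MODIFIED, FILE_CREATED, ...
        for cr in bucket:
            base = {
                "level": LEVEL_MAP.get(cr.get("Analysis", "NONE"), "note"),
                "message": {"text": f'{cr["ChangeType"]}: {cr["Identity"]}'},
                "locations": [location_for(cr)],
                "properties": {k: cr[k] for k in BAG_FIELDS if k in cr},
            }
            applied = cr.get("Rules") or []
            if not applied:
                # ASA still reports data that matched no rule (lower priority);
                # SARIF 2.1.0 does not require ruleId, so emit it without one
                results.append(base)
                continue
            for r in applied:   # one ruleId per SARIF result, so one result per applied rule
                rid = rule_id(r)
                rules.setdefault(rid, {"id": rid, "name": r["Name"],
                                       "fullDescription": {"text": r.get("Description", "")}})
                results.append({**base, "ruleId": rid})
    return {
        "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": "Attack Surface Analyzer",
                                "version": asa_export.get("metadata", {}).get("compare-version"),
                                "rules": list(rules.values())}},
            "results": results,
        }],
    }


# Constructed sample in the shape of the ASA export discussed above (not real scan output)
SAMPLE_EXPORT = {
    "results": {
        "FILE_MODIFIED": [{
            "Analysis": "WARNING", "ChangeType": "MODIFIED", "ResultType": "FILE",
            "Identity": "C:\\Test\\devskim.exe",
            "BaseRunId": "2021-10-06T11:27:31-07:00", "CompareRunId": "2021-10-06T11:27:38-07:00",
            "Base": {"Size": 193842}, "Compare": {"Size": 193841},
            "Diffs": [{"Field": "Size", "Before": 193842, "After": 193841}],
            "Rules": [
                {"Name": "Missing ASLR",
                 "Description": "Flag when executables are created without ASLR."},
                {"Name": "Unsigned binaries",
                 "Description": "Flag when unsigned/incorrectly signed binaries are added."},
            ],
        }],
        "FILE_CREATED": [{
            "Analysis": "DEBUG", "ChangeType": "CREATED", "ResultType": "FILE",
            "Identity": "C:\\Test\\New File.txt",
            "BaseRunId": "2021-10-06T11:27:31-07:00", "CompareRunId": "2021-10-06T11:27:38-07:00",
            "Compare": {"Size": 0}, "Rules": [],
        }],
    },
    "metadata": {"compare-version": "2.4.9-alpha+18768e7dac"},
}

if __name__ == "__main__":
    print(json.dumps(to_sarif(SAMPLE_EXPORT), indent=2))
```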

shaopeng-gh commented 3 years ago

Update: thanks, I have got the rules in json, will look into generating Sarif.

gfs commented 3 years ago

I think actually you might be correct that the sarif log is in fact supposed to have all of the rules.

If you look here the rules are loaded before doing analysis and calling the export:

https://github.com/microsoft/AttackSurfaceAnalyzer/blob/18768e7dac51e5f4c151d2186421f03ddcbf904e/Cli/AttackSurfaceAnalyzerClient.cs#L491

Then you call export here:

https://github.com/microsoft/AttackSurfaceAnalyzer/blob/18768e7dac51e5f4c151d2186421f03ddcbf904e/Cli/AttackSurfaceAnalyzerClient.cs#L516

This is a private call so you can change the API to pass in the rules. In fact it currently takes the hash of the rules, you could just modify the function to take the rules instead of the hash and just gather the hash inside the function.

shaopeng-gh commented 3 years ago

{
  "results": {
    "FILE_CREATED": [
      {
        "Analysis": "DEBUG",
        "BaseRunId": "2021-10-14T16:40:08.6642182-07:00",
        "ChangeType": "CREATED",
        "Compare": {
          "ContentHash": "U5vuoQXdbgnk9XHXG35PFwb90oyl1iXPq63NYaMrIqpkQVU6X+ntJF7D57ZJFufpTXgPvR2zgqZu/anwz+wd2Q==",
          "Created": "2021-10-14T23:41:18.3939762Z",
          "Group": "S-1-12-1-1613650695-1152925323-3004084401-3676713700",
          "Identity": "C:\\Test\\Scan2\\TestAddText.txt",
          "LastModified": "2021-10-14T23:43:53.0879739Z",
          "Owner": "S-1-12-1-1613650695-1152925323-3004084401-3676713700",
          "Path": "C:\\Test\\Scan2\\TestAddText.txt",
          "Permissions": {
            "S-1-5-11": "Modify, Synchronize",
            "S-1-5-18": "FullControl",
            "S-1-5-32-544": "FullControl",
            "S-1-5-32-545": "ReadAndExecute, Synchronize"
          },
          "Size": 19,
          "ResultType": "FILE"
        },
        "CompareRunId": "2021-10-14T16:44:27.3260573-07:00",
        "Identity": "C:\\Test\\Scan2\\TestAddText.txt",
        "ResultType": "FILE",
        "Rules": [
          {
            "Name": ""
          }
        ]
      },
      {
        "Analysis": "WARNING",
        "BaseRunId": "2021-10-14T16:40:08.6642182-07:00",
        "ChangeType": "CREATED",
        "Compare": {
          "ContentHash": "3ptaDfkOhjUOM6QE2HoSCAasWmp9TR77AZVXRHniF8tWDXj1YT0rrjcxQAQmpOnxh31uVxfk0hqPyBbPWddeyA==",
          "Created": "2021-10-14T23:40:20.957942Z",
          "Group": "S-1-12-1-1613650695-1152925323-3004084401-3676713700",
          "Identity": "C:\\Test\\Scan2\\TestAddExe.exe",
          "IsExecutable": true,
          "LastModified": "2021-10-13T03:05:24.3286411Z",
          "Owner": "S-1-12-1-1613650695-1152925323-3004084401-3676713700",
          "Path": "C:\\Test\\Scan2\\TestAddExe.exe",
          "Permissions": {
            "S-1-5-11": "Modify, Synchronize",
            "S-1-5-18": "FullControl",
            "S-1-5-32-544": "FullControl",
            "S-1-5-32-545": "ReadAndExecute, Synchronize"
          },
          "Size": 726896,
          "ResultType": "FILE"
        },
        "CompareRunId": "2021-10-14T16:44:27.3260573-07:00",
        "Identity": "C:\\Test\\Scan2\\TestAddExe.exe",
        "ResultType": "FILE",
        "Rules": [
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when executables are created without DEP.",
            "Name": "Missing DEP"
          },
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when executables are created without ASLR.",
            "Name": "Missing ASLR"
          },
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "LINUX",
              "MACOS",
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when unsigned/incorrectly signed binaries are added.",
            "Name": "Unsigned binaries"
          }
        ]
      }
    ],
    "FILE_MODIFIED": [
      {
        "Analysis": "WARNING",
        "Base": {
          "ContentHash": "7QGAoQeCLD64FeGxlSoeW5eHcACmyBrT1HIv+YOGVi2Of6c88DR6+Uk1O2zemHCGXAeJrtc+COi8yqHrnpX8Zg==",
          "Created": "2021-10-14T23:36:58.0340629Z",
          "Group": "S-1-12-1-1613650695-1152925323-3004084401-3676713700",
          "Identity": "C:\\Test\\Scan2\\TestModifyExe.exe",
          "IsExecutable": true,
          "LastModified": "2021-10-13T03:05:24.3286411Z",
          "Owner": "S-1-12-1-1613650695-1152925323-3004084401-3676713700",
          "Path": "C:\\Test\\Scan2\\TestModifyExe.exe",
          "Permissions": {
            "S-1-5-11": "Modify, Synchronize",
            "S-1-5-18": "FullControl",
            "S-1-5-32-544": "FullControl",
            "S-1-5-32-545": "ReadAndExecute, Synchronize"
          },
          "Size": 726896,
          "ResultType": "FILE"
        },
        "BaseRunId": "2021-10-14T16:40:08.6642182-07:00",
        "ChangeType": "MODIFIED",
        "Compare": {
          "ContentHash": "Qpr6h4sgWi9HvNaKn1kWmznUifwU+8Uw6RjczVpkzx/LlGSyJgEhQ9pkMe6sX3wo9gwLmZicOIelU2b9NncLiw==",
          "Created": "2021-10-14T23:36:58.0340629Z",
          "Group": "S-1-12-1-1613650695-1152925323-3004084401-3676713700",
          "Identity": "C:\\Test\\Scan2\\TestModifyExe.exe",
          "IsExecutable": true,
          "LastModified": "2021-10-14T23:41:11.6798321Z",
          "Owner": "S-1-12-1-1613650695-1152925323-3004084401-3676713700",
          "Path": "C:\\Test\\Scan2\\TestModifyExe.exe",
          "Permissions": {
            "S-1-5-11": "Modify, Synchronize",
            "S-1-5-18": "FullControl",
            "S-1-5-32-544": "FullControl",
            "S-1-5-32-545": "ReadAndExecute, Synchronize"
          },
          "SignatureStatus": {},
          "Size": 343480,
          "ResultType": "FILE"
        },
        "CompareRunId": "2021-10-14T16:44:27.3260573-07:00",
        "Diffs": [
          {
            "After": "Qpr6h4sgWi9HvNaKn1kWmznUifwU+8Uw6RjczVpkzx/LlGSyJgEhQ9pkMe6sX3wo9gwLmZicOIelU2b9NncLiw==",
            "Before": "7QGAoQeCLD64FeGxlSoeW5eHcACmyBrT1HIv+YOGVi2Of6c88DR6+Uk1O2zemHCGXAeJrtc+COi8yqHrnpX8Zg==",
            "Field": "ContentHash"
          },
          {
            "After": "2021-10-14T23:41:11.6798321Z",
            "Before": "2021-10-13T03:05:24.3286411Z",
            "Field": "LastModified"
          },
          {
            "After": {},
            "Field": "SignatureStatus"
          },
          {
            "After": 343480,
            "Before": 726896,
            "Field": "Size"
          }
        ],
        "Identity": "C:\\Test\\Scan2\\TestModifyExe.exe",
        "ResultType": "FILE",
        "Rules": [
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "LINUX",
              "MACOS",
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when unsigned/incorrectly signed binaries are added.",
            "Name": "Unsigned binaries"
          },
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when executables are created without DEP.",
            "Name": "Missing DEP"
          },
          {
            "ChangeTypes": [
              "CREATED",
              "MODIFIED"
            ],
            "Flag": "WARNING",
            "Platforms": [
              "WINDOWS"
            ],
            "ResultType": "FILE",
            "Description": "Flag when executables are created without ASLR.",
            "Name": "Missing ASLR"
          }
        ]
      }
    ]
  },
  "metadata": {
    "compare-version": "2.4.9-alpha+18768e7dac",
    "compare-os": "WINDOWS",
    "compare-osversion": "Microsoft Windows NT 10.0.19043.0",
    "analyses-hash": "yXvUiHy+rkKstAubfKrepSYhf7tGW6Fmpq72cvzjHu/IFkPu1P6FEstdy15fnGvxhAyIcIzdWFTILRTZ6wy0yA=="
  }
}
shaopeng-gh commented 3 years ago

Sarif:

{
  "$schema": "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json",
  "version": "2.1.0",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "Attack Surface Analyzer",
          "organization": "Microsoft",
          "version": "2.4.9-alpha+18768e7dac",
          "informationUri": "https://github.com/microsoft/AttackSurfaceAnalyzer/",
          "rules": [
            {
              "id": "Privileged ports",
              "fullDescription": {
                "text": "Flag when privileged ports are opened."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "PORT"
              }
            },
            {
              "id": "Privileged users",
              "fullDescription": {
                "text": "Flag when privileged users are modified."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "USER"
              }
            },
            {
              "id": "Hidden users",
              "fullDescription": {
                "text": "Flag when hidden user accounts are modified."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "USER"
              }
            },
            {
              "id": "Unsigned binaries",
              "fullDescription": {
                "text": "Flag when unsigned/incorrectly signed binaries are added."
              },
              "properties": {
                "ChangeTypes": "CREATED,MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "SetUid",
              "fullDescription": {
                "text": "Flag UID is set on a file."
              },
              "properties": {
                "ChangeTypes": "CREATED,MODIFIED",
                "Platforms": "LINUX,MACOS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "SetGid",
              "fullDescription": {
                "text": "Flag GID is set on a file."
              },
              "properties": {
                "ChangeTypes": "CREATED,MODIFIED",
                "Platforms": "LINUX,MACOS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Missing ASLR",
              "fullDescription": {
                "text": "Flag when executables are created without ASLR."
              },
              "properties": {
                "ChangeTypes": "CREATED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Missing DEP",
              "fullDescription": {
                "text": "Flag when executables are created without DEP."
              },
              "properties": {
                "ChangeTypes": "CREATED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Missing Signed Enforcement",
              "fullDescription": {
                "text": "Flag when executables are signed binaries are created without Force Integrity Flag."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Certificates",
              "fullDescription": {
                "text": "Flag when certificates are placed on disk."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "UPNP Ports",
              "fullDescription": {
                "text": "Universal Plug n' Play."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "PORT"
              }
            },
            {
              "id": "Keystore Files",
              "fullDescription": {
                "text": "Java keystore files contain encryption keys and certificates."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Firewall Settings Modified",
              "fullDescription": {
                "text": "Flag when OS X firewall settings are modified."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "MACOS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "COM Objects Modified",
              "fullDescription": {
                "text": "Flags when a COM Object has been Added, Removed or Modified."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "REGISTRY"
              }
            },
            {
              "id": "Weak Permissions on UID Binaries",
              "fullDescription": {
                "text": "Flags if a binary is Executable by everyone but has SETUID."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Weak Permissions on GID Binaries",
              "fullDescription": {
                "text": "Flags if a binary is Executable by everyone but has SETGID."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "SIP Violation",
              "fullDescription": {
                "text": "Flags if System Integrity Protection prevented an action."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "MACOS",
                "ResultType": "LOG"
              }
            },
            {
              "id": "Signatory Change",
              "fullDescription": {
                "text": "Flag when the signatory of an executable changes."
              },
              "properties": {
                "ChangeTypes": "MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Modified Items in Program Files",
              "fullDescription": {
                "text": "Flag when the a file is modified in Program files."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Modified Items in System Files",
              "fullDescription": {
                "text": "Flag when the a file is modified in System files."
              },
              "properties": {
                "ChangeTypes": "MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Frequently attacked binaries",
              "fullDescription": {
                "text": "List from GTFOBINS."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "LINUX,MACOS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Modified Services",
              "fullDescription": {
                "text": "Flag when a startup item is modified."
              },
              "properties": {
                "ChangeTypes": "MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "SERVICE"
              }
            },
            {
              "id": "Modified Hosts File",
              "fullDescription": {
                "text": "Flag when the hosts file is modified."
              },
              "properties": {
                "ChangeTypes": "MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Signed File was modified",
              "fullDescription": {
                "text": "A signed file was modified."
              },
              "properties": {
                "ChangeTypes": "MODIFIED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Files Frequently Modified by Windows",
              "fullDescription": {
                "text": "These files are frequently modified by the system itself."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Registry Keys Frequently Modified by Windows",
              "fullDescription": {
                "text": "These registry keys are Frequently modified by the system itself."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "REGISTRY"
              }
            },
            {
              "id": "Files Frequently Modified by Macos",
              "fullDescription": {
                "text": "These files are Frequently modified by the system itself."
              },
              "defaultConfiguration": {
                "level": "note"
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "MACOS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "LOLBAS List",
              "fullDescription": {
                "text": "This is the LOLBAS items which are not included in the other system file rules."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "Expired Certificates",
              "fullDescription": {
                "text": "These Certificates are expired."
              },
              "properties": {
                "ChangeTypes": "MODIFIED,CREATED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "CERTIFICATE"
              }
            },
            {
              "id": "Binaries with expired signatures",
              "fullDescription": {
                "text": "These binaries have expired signatures."
              },
              "properties": {
                "ChangeTypes": "MODIFIED,CREATED",
                "Platforms": "LINUX,MACOS,WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "TPM Keys",
              "fullDescription": {
                "text": "These TPM Keys have been changed."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "FILE"
              }
            },
            {
              "id": "TPM Auth Values Changed",
              "fullDescription": {
                "text": "These TPM Auth Values have been changed in the registry."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "REGISTRY"
              }
            },
            {
              "id": "TPM Endorsement Auth Value",
              "fullDescription": {
                "text": "The TPM Endorsement Auth was changed."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "REGISTRY"
              }
            },
            {
              "id": "Use Null Derived Owner Auth Changed",
              "fullDescription": {
                "text": "The UseNullDerivedOwnerAuth setting was changed."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "REGISTRY"
              }
            },
            {
              "id": "OS Managed Auth Level Changed",
              "fullDescription": {
                "text": "The TPM OS Managed Auth Level was Changed."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "REGISTRY"
              }
            },
            {
              "id": "SHA Root of Trust Modified",
              "fullDescription": {
                "text": "The systems root of trust has been modified."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS,LINUX",
                "ResultType": "TPM"
              }
            },
            {
              "id": "SHA256 Root of Trust Modified",
              "fullDescription": {
                "text": "The systems root of trust has been modified."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS,LINUX",
                "ResultType": "TPM"
              }
            },
            {
              "id": "SHA384 Root of Trust Modified",
              "fullDescription": {
                "text": "The systems root of trust has been modified."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS,LINUX",
                "ResultType": "TPM"
              }
            },
            {
              "id": "SHA512 Root of Trust Modified",
              "fullDescription": {
                "text": "The systems root of trust has been modified."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS,LINUX",
                "ResultType": "TPM"
              }
            },
            {
              "id": "SM3_256 Root of Trust Modified",
              "fullDescription": {
                "text": "The systems root of trust has been modified."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS,LINUX",
                "ResultType": "TPM"
              }
            },
            {
              "id": "Group Policy Modified",
              "fullDescription": {
                "text": "These registry keys track group policy history and modification may indicate a change in group policy."
              },
              "properties": {
                "ChangeTypes": "CREATED,DELETED,MODIFIED",
                "Platforms": "WINDOWS",
                "ResultType": "REGISTRY"
              }
            }
          ]
        }
      },
      "artifacts": [
        {
          "location": {
            "uri": "file:///C:/Test/Scan2/TestModifyExe.exe",
            "index": 0,
            "description": {
              "text": "C:\\Test\\Scan2\\TestModifyExe.exe"
            }
          },
          "properties": {
            "Analysis": "WARNING",
            "Base": {"ContentHash":"7QGAoQeCLD64FeGxlSoeW5eHcACmyBrT1HIv+YOGVi2Of6c88DR6+Uk1O2zemHCGXAeJrtc+COi8yqHrnpX8Zg==","Created":"2021-10-14T23:36:58.0340629Z","FileType":null,"Group":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Identity":"C:\\Test\\Scan2\\TestModifyExe.exe","IsDirectory":null,"IsExecutable":true,"IsLink":null,"LastModified":"2021-10-13T03:05:24.3286411Z","MacSignatureStatus":null,"Owner":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Path":"C:\\Test\\Scan2\\TestModifyExe.exe","Permissions":{"S-1-5-11":"Modify, Synchronize","S-1-5-18":"FullControl","S-1-5-32-544":"FullControl","S-1-5-32-545":"ReadAndExecute, Synchronize"},"PermissionsString":null,"SetGid":null,"SetUid":null,"SignatureStatus":null,"Size":726896,"SizeOnDisk":null,"Target":null,"ResultType":1},
            "BaseRunId": "2021-10-14T16:40:08.6642182-07:00",
            "ChangeType": "MODIFIED",
            "Compare": {"ContentHash":"Qpr6h4sgWi9HvNaKn1kWmznUifwU+8Uw6RjczVpkzx/LlGSyJgEhQ9pkMe6sX3wo9gwLmZicOIelU2b9NncLiw==","Created":"2021-10-14T23:36:58.0340629Z","FileType":null,"Group":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Identity":"C:\\Test\\Scan2\\TestModifyExe.exe","IsDirectory":null,"IsExecutable":true,"IsLink":null,"LastModified":"2021-10-14T23:41:11.6798321Z","MacSignatureStatus":null,"Owner":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Path":"C:\\Test\\Scan2\\TestModifyExe.exe","Permissions":{"S-1-5-11":"Modify, Synchronize","S-1-5-18":"FullControl","S-1-5-32-544":"FullControl","S-1-5-32-545":"ReadAndExecute, Synchronize"},"PermissionsString":null,"SetGid":null,"SetUid":null,"SignatureStatus":{"IsTimeValid":false,"IsAuthenticodeValid":false,"SignedHash":null,"SignerSerialNumber":null,"SigningCertificate":null},"Size":343480,"SizeOnDisk":null,"Target":null,"ResultType":1},
            "CompareRunId": "2021-10-14T16:44:27.3260573-07:00",
            "Diffs": [{"After":"Qpr6h4sgWi9HvNaKn1kWmznUifwU+8Uw6RjczVpkzx/LlGSyJgEhQ9pkMe6sX3wo9gwLmZicOIelU2b9NncLiw==","Before":"7QGAoQeCLD64FeGxlSoeW5eHcACmyBrT1HIv+YOGVi2Of6c88DR6+Uk1O2zemHCGXAeJrtc+COi8yqHrnpX8Zg==","Field":"ContentHash"},{"After":"2021-10-14T23:41:11.6798321Z","Before":"2021-10-13T03:05:24.3286411Z","Field":"LastModified"},{"After":{"IsTimeValid":false,"IsAuthenticodeValid":false,"SignedHash":null,"SignerSerialNumber":null,"SigningCertificate":null},"Before":null,"Field":"SignatureStatus"},{"After":343480,"Before":726896,"Field":"Size"}],
            "ResultType": "FILE"
          }
        },
        {
          "location": {
            "uri": "file:///C:/Test/Scan2/TestAddText.txt",
            "index": 1,
            "description": {
              "text": "C:\\Test\\Scan2\\TestAddText.txt"
            }
          },
          "properties": {
            "Analysis": "DEBUG",
            "BaseRunId": "2021-10-14T16:40:08.6642182-07:00",
            "ChangeType": "CREATED",
            "Compare": {"ContentHash":"U5vuoQXdbgnk9XHXG35PFwb90oyl1iXPq63NYaMrIqpkQVU6X+ntJF7D57ZJFufpTXgPvR2zgqZu/anwz+wd2Q==","Created":"2021-10-14T23:41:18.3939762Z","FileType":null,"Group":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Identity":"C:\\Test\\Scan2\\TestAddText.txt","IsDirectory":null,"IsExecutable":null,"IsLink":null,"LastModified":"2021-10-14T23:43:53.0879739Z","MacSignatureStatus":null,"Owner":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Path":"C:\\Test\\Scan2\\TestAddText.txt","Permissions":{"S-1-5-11":"Modify, Synchronize","S-1-5-18":"FullControl","S-1-5-32-544":"FullControl","S-1-5-32-545":"ReadAndExecute, Synchronize"},"PermissionsString":null,"SetGid":null,"SetUid":null,"SignatureStatus":null,"Size":19,"SizeOnDisk":null,"Target":null,"ResultType":1},
            "CompareRunId": "2021-10-14T16:44:27.3260573-07:00",
            "ResultType": "FILE"
          }
        },
        {
          "location": {
            "uri": "file:///C:/Test/Scan2/TestAddExe.exe",
            "index": 2,
            "description": {
              "text": "C:\\Test\\Scan2\\TestAddExe.exe"
            }
          },
          "properties": {
            "Analysis": "WARNING",
            "BaseRunId": "2021-10-14T16:40:08.6642182-07:00",
            "ChangeType": "CREATED",
            "Compare": {"ContentHash":"3ptaDfkOhjUOM6QE2HoSCAasWmp9TR77AZVXRHniF8tWDXj1YT0rrjcxQAQmpOnxh31uVxfk0hqPyBbPWddeyA==","Created":"2021-10-14T23:40:20.957942Z","FileType":null,"Group":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Identity":"C:\\Test\\Scan2\\TestAddExe.exe","IsDirectory":null,"IsExecutable":true,"IsLink":null,"LastModified":"2021-10-13T03:05:24.3286411Z","MacSignatureStatus":null,"Owner":"S-1-12-1-1613650695-1152925323-3004084401-3676713700","Path":"C:\\Test\\Scan2\\TestAddExe.exe","Permissions":{"S-1-5-11":"Modify, Synchronize","S-1-5-18":"FullControl","S-1-5-32-544":"FullControl","S-1-5-32-545":"ReadAndExecute, Synchronize"},"PermissionsString":null,"SetGid":null,"SetUid":null,"SignatureStatus":null,"Size":726896,"SizeOnDisk":null,"Target":null,"ResultType":1},
            "CompareRunId": "2021-10-14T16:44:27.3260573-07:00",
            "ResultType": "FILE"
          }
        }
      ],
      "results": [
        {
          "ruleId": "Missing ASLR",
          "message": {
            "text": "Missing ASLR: C:\\Test\\Scan2\\TestModifyExe.exe (MODIFIED)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "index": 0
                }
              }
            }
          ]
        },
        {
          "ruleId": "Missing DEP",
          "message": {
            "text": "Missing DEP: C:\\Test\\Scan2\\TestModifyExe.exe (MODIFIED)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "index": 0
                }
              }
            }
          ]
        },
        {
          "ruleId": "Unsigned binaries",
          "message": {
            "text": "Unsigned binaries: C:\\Test\\Scan2\\TestModifyExe.exe (MODIFIED)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "index": 0
                }
              }
            }
          ]
        },
        {
          "ruleId": "Missing DEP",
          "message": {
            "text": "Missing DEP: C:\\Test\\Scan2\\TestAddExe.exe (CREATED)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "index": 2
                }
              }
            }
          ]
        },
        {
          "ruleId": "Missing ASLR",
          "message": {
            "text": "Missing ASLR: C:\\Test\\Scan2\\TestAddExe.exe (CREATED)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "index": 2
                }
              }
            }
          ]
        },
        {
          "ruleId": "Unsigned binaries",
          "message": {
            "text": "Unsigned binaries: C:\\Test\\Scan2\\TestAddExe.exe (CREATED)"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "index": 2
                }
              }
            }
          ]
        }
      ],
      "columnKind": "utf16CodeUnits",
      "properties": {
        "compare-os": "WINDOWS",
        "compare-osversion": "Microsoft Windows NT 10.0.19043.0",
        "analyses-hash": "yXvUiHy+rkKstAubfKrepSYhf7tGW6Fmpq72cvzjHu/IFkPu1P6FEstdy15fnGvxhAyIcIzdWFTILRTZ6wy0yA=="
      }
    }
  ]
}
shaopeng-gh commented 3 years ago

@gfs

above is a new version of Json and Sarif

  1. I used the way you suggested for rules
  2. the case above is: create a new exe file, modify an exe file, and add a text file. Adding a text file will not have any rules; the created and modified exe files should re-use the same rule defined.

Let me know your input, thanks.

shaopeng-gh commented 2 years ago

@gfs update: I have updated above Sarif, please review.

  1. everything should be in the artifacts node, and if it breaks/matches a rule, it will have additional data in the results node saying which rule it breaks. If it breaks more than 1 rule, there will be more than 1 result node; in the example the exe breaks both Unsigned and Missing DEP. Sarif does not support a result node without a matching rule, so in the example the txt file, which does not break any rule, can only be found in the artifacts node.
  2. the result->message I currently write as "{rule name}: identity (changetype)"; this can be anything you like, let me know.
  3. the Identity field of the CompareResult class in AttackSurfaceAnalyzer, is it always a valid uri path? I currently set it to the Sarif artifacts->location->description->text, and if it is a valid uri I also populate the artifacts->location->uri field. If you know it should always be a valid uri I can just populate the uri field and remove the duplicated text field.
  4. your metadata->compare-version, I think this is a match for the Sarif tool->driver->version, so I have set it. The other fields in the metadata I leave in the properties field at the bottom.
  5. in Sarif, warning is the default level, and the tool will skip writing the level node if its value is warning, so you will only see the "note" level in the above Sarif.
  6. PR: https://github.com/microsoft/AttackSurfaceAnalyzer/pull/622
  7. I want to add some unit tests for the method I added; which file should I put them in, should I put them in AsaAnalyzerTests.cs?
gfs commented 2 years ago

> @gfs
>
> above is a new version of Json and Sarif
>
> 1. I used the way you suggested for rules
> 2. the case above is: create a new exe file, modify an exe file, and add a text file. Adding a text file will not have any rules; the created and modified exe files should re-use the same rule defined.

This sounds correct.

> Let me know your input, thanks.

gfs commented 2 years ago

> @gfs update: I have updated the above Sarif, please review.
>
> 1. everything should be in the artifacts node, and if it breaks/matches a rule, it will have additional data in the results node saying which rule it breaks. If it breaks more than 1 rule, there will be more than 1 result node,

Okay I think this looks fine.

> in the example the exe breaks both Unsigned and Missing DEP. Sarif does not support a result node without a matching rule, so in the example the txt file, which does not break any rule, can only be found in the artifacts node.

That is okay.

> 2. the result->message I currently write as "{rule name}: identity (changetype)"; this can be anything you like, let me know.

Seems okay for now.

> 3. the Identity field of the CompareResult class in AttackSurfaceAnalyzer, is it always a valid uri path?

No. It is a unique identifier in the context of that type of object on that system. So for a File it is a URI, for a Registry Key it is a registry path, for a Port it is the port number and protocol. Many collected objects will not have a standard URI associated with them. For FileSystemObject we use the Path property as the Identity https://github.com/microsoft/AttackSurfaceAnalyzer/blob/18768e7dac51e5f4c151d2186421f03ddcbf904e/Lib/Objects/FileSystemObject.cs#L50-L56

> 6. PR: #622
> 7. I want to add some unit tests for the method I added; which file should I put them in, should I put them in AsaAnalyzerTests.cs?

Please just make a new test class.
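
The mapping agreed in the two comments above (an artifact for every CompareResult, one result per matched rule, rules deduplicated into tool.driver.rules, the default "warning" level left implicit, and a uri only when Identity is actually a file path), worked through as an added Python example. This is not the project's C# exporter from PR #622; the export shape, the result-group keys and the registry key are reconstructed or constructed from the fragments in this thread, and the Flag-to-level table beyond "WARNING" is this example's assumption.

```python
"""Map an Attack Surface Analyzer JSON export to a SARIF 2.1.0 log.
Added example, not the project's C# exporter from PR #622. The export shape is
reconstructed from the JSON fragment in this thread; the mapping follows the
points listed above (artifact per CompareResult, result per matched rule,
rules deduplicated into tool.driver.rules, default "warning" level implicit).
"""
import re
from pathlib import PurePosixPath, PureWindowsPath

SARIF_SCHEMA = "https://schemastore.azurewebsites.net/schemas/json/sarif-2.1.0-rtm.5.json"
_WIN_ABS = re.compile(r"^[A-Za-z]:\\")
# ASA rule Flag -> SARIF level. "WARNING" is SARIF's default and is omitted;
# the other entries are this example's assumption, not the project's table.
_LEVELS = {"ERROR": "error", "INFORMATION": "note", "DEBUG": "note"}


def identity_to_uri(identity, result_type):
    """file:// URI only for an absolute file path: Identity is not a URI in
    general (registry paths, port+protocol), so other types get no uri."""
    if result_type != "FILE":
        return None
    try:
        if _WIN_ABS.match(identity):
            return PureWindowsPath(identity).as_uri()
        if identity.startswith("/"):
            return PurePosixPath(identity).as_uri()
    except ValueError:
        pass
    return None


def rule_to_sarif(rule):
    """reportingDescriptor: Name -> id, Description -> fullDescription.text."""
    out = {"id": rule["Name"], "fullDescription": {"text": rule["Description"]}}
    level = _LEVELS.get(rule.get("Flag", "WARNING"))
    if level:
        out["defaultConfiguration"] = {"level": level}
    out["properties"] = {"ChangeTypes": ",".join(rule["ChangeTypes"]),
                         "Platforms": ",".join(rule["Platforms"]),
                         "ResultType": rule["ResultType"]}
    return out


def asa_to_sarif(export):
    meta = dict(export.get("metadata", {}))
    rules, artifacts, results = {}, [], []
    keep = ("Analysis", "Base", "BaseRunId", "ChangeType", "Compare",
            "CompareRunId", "Diffs", "ResultType")
    for compare_results in export["results"].values():
        for cr in compare_results:
            index = len(artifacts)
            location = {"index": index, "description": {"text": cr["Identity"]}}
            uri = identity_to_uri(cr["Identity"], cr["ResultType"])
            if uri:
                location["uri"] = uri
            artifacts.append({"location": location,
                              "properties": {k: cr[k] for k in keep if k in cr}})
            # One result per matched rule. A CompareResult that matched no rule
            # is only visible as an artifact, since a SARIF result needs a rule.
            for rule in cr.get("Rules", []):
                rules.setdefault(rule["Name"], rule_to_sarif(rule))
                results.append({
                    "ruleId": rule["Name"],
                    "message": {"text": f"{rule['Name']}: {cr['Identity']} ({cr['ChangeType']})"},
                    "locations": [{"physicalLocation": {"artifactLocation": {"index": index}}}]})
    driver = {"name": "Attack Surface Analyzer", "organization": "Microsoft",
              "informationUri": "https://github.com/microsoft/AttackSurfaceAnalyzer/",
              "rules": list(rules.values())}
    if "compare-version" in meta:  # metadata->compare-version maps to driver.version
        driver["version"] = meta.pop("compare-version")
    return {"$schema": SARIF_SCHEMA, "version": "2.1.0",
            "runs": [{"tool": {"driver": driver}, "artifacts": artifacts, "results": results,
                      "columnKind": "utf16CodeUnits", "properties": meta}]}


# Constructed sample export: rule texts are the thread's; the group keys, the
# registry key and the INFORMATION flag are invented for this example.
UNSIGNED = {"Name": "Unsigned binaries", "Flag": "WARNING", "ResultType": "FILE",
            "ChangeTypes": ["CREATED", "MODIFIED"], "Platforms": ["LINUX", "MACOS", "WINDOWS"],
            "Description": "Flag when unsigned/incorrectly signed binaries are added."}
MISSING_DEP = {"Name": "Missing DEP", "Flag": "WARNING", "ResultType": "FILE",
               "ChangeTypes": ["CREATED", "MODIFIED"], "Platforms": ["WINDOWS"],
               "Description": "Flag when executables are created without DEP."}
COM_MODIFIED = {"Name": "COM Objects Modified", "Flag": "INFORMATION", "ResultType": "REGISTRY",
                "ChangeTypes": ["CREATED", "DELETED", "MODIFIED"], "Platforms": ["WINDOWS"],
                "Description": "Flags when a COM Object has been Added, Removed or Modified."}
SAMPLE_EXPORT = {
    "results": {
        "FILE": [
            {"Identity": "C:\\Test\\Scan2\\TestModifyExe.exe", "ResultType": "FILE",
             "ChangeType": "MODIFIED", "Analysis": "WARNING", "Rules": [UNSIGNED, MISSING_DEP]},
            {"Identity": "C:\\Test\\Scan2\\TestAddText.txt", "ResultType": "FILE",
             "ChangeType": "CREATED", "Analysis": "DEBUG", "Rules": []}],
        "REGISTRY": [
            {"Identity": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\{constructed}",
             "ResultType": "REGISTRY", "ChangeType": "MODIFIED", "Analysis": "INFORMATION",
             "Rules": [COM_MODIFIED]}]},
    "metadata": {"compare-version": "2.4.9-alpha+18768e7dac", "compare-os": "WINDOWS"},
}
```

Running `asa_to_sarif(SAMPLE_EXPORT)` yields three artifacts but only three results for two of them; the text file appears in `artifacts` alone, exactly the situation described above.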

shaopeng-gh commented 2 years ago

@gfs thanks for the feedback, I have added a new test class "ExportTests.cs" for the purpose of holding tests related to exporting Json/Sarif. I updated the PR.

gfs commented 2 years ago

Will review PR today.

gfs commented 2 years ago

This is merged.