microsoft / binskim

A binary static analysis tool that provides security and correctness results for Windows Portable Executable and *nix ELF binary formats

using baseline to output suppression #448

Closed t-lipingma closed 3 years ago

t-lipingma commented 3 years ago

I want to use baseline to output suppressions (generate a SARIF file and then manually enter justifications in it), pass it as an input to BinSkim, and write suppressions to SARIF.

So, first (generate baseline.sarif):

.\BinSkim.exe analyze C:\MLP\projects\ConsoleApplication1\Debug\ConsoleApplication1.exe --output C:\MLP\projects\result\baseline.sarif

Then, manually enter the suppression to the first BA2004, for example. baseline.sarif's results are:

"results": [
        {
          "ruleId": "BA2004",
          "ruleIndex": 0,
          "message": {
            "id": "Warning_NativeWithInsecureStaticLibraryCompilands",
            "arguments": [
              "ConsoleApplication1.exe",
              "Microsoft (R) Optimizing Compiler : c : 19.29.30034.2 : MSVCRTD.lib (chandler4gs.obj,cpu_disp.obj,debugger_jmc.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,secchk.obj,ucrt_detection.obj)\r\nMicrosoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : MSVCRTD.lib (argv_mode.obj,chandler4_noexcept.obj,commit_mode.obj,default_local_stdio_options.obj,default_precision.obj,denormal_control.obj,env_mode.obj,error.obj,exe_main.obj,file_mode.obj,init.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_mode.obj,pdblkup.obj,stack.obj,thread_locale.obj,tncleanup.obj,ucrt_stubs.obj,userapi.obj,utility.obj,utility_desktop.obj,x86_exception_filter.obj)\r\n"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ],
          "suppressions": [
            {
              "kind": "external",
              "justification": "just for test"
            }
          ]
        },
        {
          "ruleId": "BA2004",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "id": "Error_NativeWithInsecureDirectCompilands",
            "arguments": [
              "ConsoleApplication1.exe",
              "Microsoft (R) Optimizing Compiler : cxx : 19.29.30038.1 : [directly linked] (ConsoleApplication1.obj)\r\n"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ]
        },
        {
          "ruleId": "BA2008",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "id": "Error",
            "arguments": [
              "ConsoleApplication1.exe"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ]
        },
        {
          "ruleId": "BA2018",
          "ruleIndex": 2,
          "level": "error",
          "message": {
            "id": "Error",
            "arguments": [
              "ConsoleApplication1.exe",
              "has an empty SE handler table in the load configuration table"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ]
        },
        {
          "ruleId": "BA2021",
          "ruleIndex": 3,
          "level": "error",
          "message": {
            "id": "Error",
            "arguments": [
              "ConsoleApplication1.exe",
              ".textbss"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ]
        },
        {
          "ruleId": "BA2024",
          "ruleIndex": 4,
          "message": {
            "id": "Warning",
            "arguments": [
              "ConsoleApplication1.exe",
              "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\nConsoleApplication1.obj,cxx,19.29.30038.1 (ConsoleApplication1.obj)\r\nMSVCRTD.lib,c,19.29.30034.2 (chandler4gs.obj,cpu_disp.obj,debugger_jmc.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,secchk.obj,ucrt_detection.obj)\r\nMSVCRTD.lib,cxx,19.29.30034.2 (argv_mode.obj,chandler4_noexcept.obj,commit_mode.obj,default_local_stdio_options.obj,default_precision.obj,denormal_control.obj,env_mode.obj,error.obj,exe_main.obj,file_mode.obj,init.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_mode.obj,pdblkup.obj,stack.obj,thread_locale.obj,tncleanup.obj,ucrt_stubs.obj,userapi.obj,utility.obj,utility_desktop.obj,x86_exception_filter.obj)\r\n\r\n"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ]
        },
        {
          "ruleId": "BA2025",
          "ruleIndex": 5,
          "message": {
            "id": "Warning",
            "arguments": [
              "ConsoleApplication1.exe"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ]
        }
      ]

Last, pass baseline.sarif as an input to BinSkim and write suppressions to SARIF:

.\BinSkim.exe analyze C:\MLP\projects\ConsoleApplication1\Debug\ConsoleApplication1.exe --baseline C:\MLP\projects\result\baseline.sarif --output C:\MLP\projects\result\mylog.sarif

However, mylog.sarif's results don't include suppression info:

"results": [
        {
          "ruleId": "BA2004",
          "ruleIndex": 0,
          "message": {
            "id": "Warning_NativeWithInsecureStaticLibraryCompilands",
            "arguments": [
              "ConsoleApplication1.exe",
              "Microsoft (R) Optimizing Compiler : c : 19.29.30034.2 : MSVCRTD.lib (chandler4gs.obj,cpu_disp.obj,debugger_jmc.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,secchk.obj,ucrt_detection.obj)\r\nMicrosoft (R) Optimizing Compiler : cxx : 19.29.30034.2 : MSVCRTD.lib (argv_mode.obj,chandler4_noexcept.obj,commit_mode.obj,default_local_stdio_options.obj,default_precision.obj,denormal_control.obj,env_mode.obj,error.obj,exe_main.obj,file_mode.obj,init.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_mode.obj,pdblkup.obj,stack.obj,thread_locale.obj,tncleanup.obj,ucrt_stubs.obj,userapi.obj,utility.obj,utility_desktop.obj,x86_exception_filter.obj)\r\n"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ],
          "guid": "df9a7258-da4d-4b62-a04d-7470fde6579e",
          "correlationGuid": "df9a7258-da4d-4b62-a04d-7470fde6579e",
          "baselineState": "unchanged",
          "provenance": {
            "firstDetectionTimeUtc": "2021-08-09T14:21:03.798Z"
          },
          "properties": {
            "ResultMatching": {}
          }
        },
        {
          "ruleId": "BA2004",
          "ruleIndex": 0,
          "level": "error",
          "message": {
            "id": "Error_NativeWithInsecureDirectCompilands",
            "arguments": [
              "ConsoleApplication1.exe",
              "Microsoft (R) Optimizing Compiler : cxx : 19.29.30038.1 : [directly linked] (ConsoleApplication1.obj)\r\n"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ],
          "guid": "1561c971-d7a6-44cb-a0ec-1852198bb752",
          "correlationGuid": "1561c971-d7a6-44cb-a0ec-1852198bb752",
          "baselineState": "unchanged",
          "provenance": {
            "firstDetectionTimeUtc": "2021-08-09T14:21:03.798Z"
          },
          "properties": {
            "ResultMatching": {}
          }
        },
        {
          "ruleId": "BA2008",
          "ruleIndex": 1,
          "level": "error",
          "message": {
            "id": "Error",
            "arguments": [
              "ConsoleApplication1.exe"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ],
          "guid": "99a0c33b-3fd5-4ce4-8eeb-f38a93b51858",
          "correlationGuid": "99a0c33b-3fd5-4ce4-8eeb-f38a93b51858",
          "baselineState": "unchanged",
          "provenance": {
            "firstDetectionTimeUtc": "2021-08-09T14:21:03.798Z"
          },
          "properties": {
            "ResultMatching": {}
          }
        },
        {
          "ruleId": "BA2018",
          "ruleIndex": 2,
          "level": "error",
          "message": {
            "id": "Error",
            "arguments": [
              "ConsoleApplication1.exe",
              "has an empty SE handler table in the load configuration table"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ],
          "guid": "428a4e0d-9fc2-4074-b647-f1d203ba3d91",
          "correlationGuid": "428a4e0d-9fc2-4074-b647-f1d203ba3d91",
          "baselineState": "unchanged",
          "provenance": {
            "firstDetectionTimeUtc": "2021-08-09T14:21:03.798Z"
          },
          "properties": {
            "ResultMatching": {}
          }
        },
        {
          "ruleId": "BA2021",
          "ruleIndex": 3,
          "level": "error",
          "message": {
            "id": "Error",
            "arguments": [
              "ConsoleApplication1.exe",
              ".textbss"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ],
          "guid": "1dc985e9-d691-4aef-8db8-905717804de8",
          "correlationGuid": "1dc985e9-d691-4aef-8db8-905717804de8",
          "baselineState": "unchanged",
          "provenance": {
            "firstDetectionTimeUtc": "2021-08-09T14:21:03.798Z"
          },
          "properties": {
            "ResultMatching": {}
          }
        },
        {
          "ruleId": "BA2024",
          "ruleIndex": 4,
          "message": {
            "id": "Warning",
            "arguments": [
              "ConsoleApplication1.exe",
              "The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:\r\nConsoleApplication1.obj,cxx,19.29.30038.1 (ConsoleApplication1.obj)\r\nMSVCRTD.lib,c,19.29.30034.2 (chandler4gs.obj,cpu_disp.obj,debugger_jmc.obj,dyn_tls_dtor.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,matherr_detection.obj,secchk.obj,ucrt_detection.obj)\r\nMSVCRTD.lib,cxx,19.29.30034.2 (argv_mode.obj,chandler4_noexcept.obj,commit_mode.obj,default_local_stdio_options.obj,default_precision.obj,denormal_control.obj,env_mode.obj,error.obj,exe_main.obj,file_mode.obj,init.obj,initializers.obj,initsect.obj,invalid_parameter_handler.obj,matherr.obj,new_mode.obj,pdblkup.obj,stack.obj,thread_locale.obj,tncleanup.obj,ucrt_stubs.obj,userapi.obj,utility.obj,utility_desktop.obj,x86_exception_filter.obj)\r\n\r\n"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ],
          "guid": "cc165f5a-5ea8-4596-8bba-0220aa3f1227",
          "correlationGuid": "cc165f5a-5ea8-4596-8bba-0220aa3f1227",
          "baselineState": "unchanged",
          "provenance": {
            "firstDetectionTimeUtc": "2021-08-09T14:21:03.798Z"
          },
          "properties": {
            "ResultMatching": {}
          }
        },
        {
          "ruleId": "BA2025",
          "ruleIndex": 5,
          "message": {
            "id": "Warning",
            "arguments": [
              "ConsoleApplication1.exe"
            ]
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe",
                  "index": 0
                }
              }
            }
          ],
          "guid": "0f2a6c8f-ea67-480a-baab-1177811cfe57",
          "correlationGuid": "0f2a6c8f-ea67-480a-baab-1177811cfe57",
          "baselineState": "unchanged",
          "provenance": {
            "firstDetectionTimeUtc": "2021-08-09T14:21:03.798Z"
          },
          "properties": {
            "ResultMatching": {}
          }
        }
      ]

ConsoleApplication1.cpp:

int main()
{
    int a;
    int b;
}

Is this a bug or am I using it wrong? Thanks!

eddynaka commented 3 years ago

Hi @t-lipingma, the idea of the baseline is to generate the difference between run1 vs run2. It's different from a suppression mechanism.

So, if you look at the SARIF that you generated, you will see one property called "baselineState". That's going to show results that are new, unchanged, updated, and absent.

With that, we can observe that the new run didn't generate any new result, so, all results will have baselineState = unchanged.

t-lipingma commented 3 years ago

OK, I see. So now, how can we consume suppressions from SARIF files? Or is it in progress?

eddynaka commented 3 years ago

Hi @t-lipingma, with the baseline, we have the same idea of the suppression. It will always generate the result, but instead of having the suppression properties, it will have the baselineState. With that, you will be able to filter out things that aren't new, for example, baselineState = unchanged => it was in the baseline and in your current run.
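
An added example, not part of the original thread and not BinSkim's own code: a post-processing script that copies hand-entered `suppressions` from a baseline log onto the matching results of a baselined run, then lists the unsuppressed results in a chosen `baselineState`. The matching key (rule id, message id, artifact URI) and the sample logs are assumptions constructed for illustration.

```python
import json

def all_results(log):
    """Yield every result object from every run of a SARIF log."""
    for run in log.get("runs", []):
        yield from run.get("results", [])

def result_key(result):
    # Assumed matching key (rule, message id, artifact URI); not BinSkim's matcher.
    loc = (result.get("locations") or [{}])[0]
    uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
    return (result.get("ruleId"), result.get("message", {}).get("id"), uri)

def carry_suppressions(baseline_log, current_log):
    """Copy hand-entered 'suppressions' from the baseline onto matching results."""
    justified = {result_key(r): r["suppressions"]
                 for r in all_results(baseline_log) if r.get("suppressions")}
    for r in all_results(current_log):
        if not r.get("suppressions") and result_key(r) in justified:
            r["suppressions"] = list(justified[result_key(r)])
    return current_log

def needs_review(log, states=("new", "updated")):
    """Unsuppressed results in the given baseline states.
    A result with no baselineState is treated as 'new' so it is never hidden."""
    return [r for r in all_results(log)
            if r.get("baselineState", "new") in states and not r.get("suppressions")]

def _res(rule, msg_id, **extra):
    # Builds a constructed sample result, trimmed to the fields used above.
    uri = "file:///C:/MLP/projects/ConsoleApplication1/Debug/ConsoleApplication1.exe"
    return {"ruleId": rule, "message": {"id": msg_id}, **extra,
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": uri}}}]}

# Constructed sample logs; the "new" BA2021 result is invented for illustration.
STATIC_LIB = "Warning_NativeWithInsecureStaticLibraryCompilands"
BASELINE = {"runs": [{"results": [
    _res("BA2004", STATIC_LIB,
         suppressions=[{"kind": "external", "justification": "just for test"}]),
    _res("BA2008", "Error")]}]}
CURRENT = {"runs": [{"results": [
    _res("BA2004", STATIC_LIB, baselineState="unchanged"),
    _res("BA2008", "Error", baselineState="unchanged"),
    _res("BA2021", "Error", baselineState="new")]}]}

if __name__ == "__main__":
    merged = carry_suppressions(BASELINE, CURRENT)
    print(json.dumps([r["ruleId"] for r in needs_review(merged)]))
    print(json.dumps([r["ruleId"] for r in needs_review(merged, ("unchanged",))]))
```

Calling `needs_review` with `("unchanged",)` surfaces findings that the baseline carries forward without any recorded justification, which a filter on new results alone would hide.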