Open AgilaNatarajan opened 4 months ago
Any updates on this issue?
Please advise how to proceed with this.
Hey Agila,
Can you please try to run it with the newest BinSkim version 4.3.1? It's not released to the feed, but you can build it and use it locally. If the error remains, let me know and we can investigate it further.
Marek
Hi Marek,
I have tried downloading BinSkim version 4.3.1. But unfortunately, while unzipping the source code, our domain security tool has identified some malicious file and it stops unzipping it. Hence I could not build the latest version and try it. Please suggest any other path forward.
Thanks in advance,
Agila.N
We have performed static code analysis for the unmanaged C++ DLL. It reported the error below:

Error BA2004 'ts2coreD.dll' is a native binary that directly compiles and links one or more object files which were hashed using an insecure checksum algorithm (MD5). MD5 is subject to collision attacks and its use can compromise supply chain integrity. Pass '/ZH:SHA_256' on the cl.exe command-line to enable secure source code hashing. The following modules are out of policy: Microsoft (R) Optimizing Compiler : cxx : 19.38.33136.0 : [directly linked] (TagTableVw.obj).

Hence we have added '/ZH:SHA_256' to Additional Options in the compiler settings for the source DLL and also for the libraries it refers to. But BinSkim still reports the same error. Could you please let me know what went wrong?

Version used - microsoft.codeanalysis.binskim.1.9.5
Visual Studio - 2022 Enterprise