Binskim fails on native dependencies
Describe the bug
BinSkim, Microsoft’s binary analysis security tool, encounters errors when run against a project that uses the Microsoft.Azure.Cosmos nuget package.
It appears to fail for two separate reasons.
- When running binskim with the defaults, which uses Microsoft’s public symbol server, there are no symbols found for either Cosmos.CRTCompat.dll or Microsoft.Azure.Documents.ServiceInterop.dll. The error from BinSkim is E_PDB_NOT_FOUND (repeated many times). It would appear that symbols aren’t being published publicly for these two files.
- When adding Microsoft’s internal symbol server to binskim’s options (I am a Microsoft employee), then it finds symbols for these. However, Microsoft.Azure.Documents.ServiceInterop.dll still fails BinSkim with error BA2008 and warning BA2024 as follows:
C:\dev\foo\bin\Debug\netcoreapp3.1\runtimes\win-x64\native\Microsoft.Azure.Cosmos.ServiceInterop.dll: error BA2008: 'Microsoft.Azure.Cosmos.ServiceInterop.dll' does not enable the control flow guard (CFG) mitigation. To resolve this issue, pass /guard:cf on both the compiler and linker command lines. Binaries also require the /DYNAMICBASE linker option in order to enable CFG.
C:\dev\foo\bin\Debug\netcoreapp3.1\runtimes\win-x64\native\Microsoft.Azure.Cosmos.ServiceInterop.dll: warning BA2024: 'Microsoft.Azure.Cosmos.ServiceInterop.dll' was compiled with one or more modules that do not enable code generation mitigations for speculative execution side-channel attack (Spectre) vulnerabilities. Spectre attacks can compromise hardware-based isolation, allowing non-privileged users to retrieve potentially sensitive data from the CPU cache. To resolve the issue, provide the /Qspectre switch on the compiler command-line (or /d2guardspecload in cases where your compiler supports this switch and it is not possible to update to a toolset that supports /Qspectre). This warning should be addressed for code that operates on data that crosses a trust boundary and that can affect execution, such as parsing untrusted file inputs or processing query strings of a web request. The following modules are out of policy:
The following modules were compiled with a toolset that supports /Qspectre but the switch was not enabled on the command-line:
libcpmt.lib,cxx,19.15.26706.0 : nothrow.obj
LIBCMT.lib,cxx,19.15.26706.0 : argv_mode.obj,default_local_stdio_options.obj,delete_scalar.obj,delete_scalar_nothrow.obj,delete_scalar_size.obj,dll_dllmain.obj,dll_dllmain_stub.obj,ehvecctr.obj,ehvecdtr.obj,fltused.obj,gshandler.obj,gshandlereh.obj,gshandlerseh.obj,initializers.obj,initsect.obj,new_scalar.obj,new_scalar_nothrow.obj,std_type_info_static.obj,thread_safe_statics.obj,throw_bad_alloc.obj,tlssup.obj,tncleanup.obj,utility.obj,utility_desktop.obj
LIBCMT.lib,c,19.15.26706.0 : cpu_disp.obj,dyn_tls_init.obj,gs_cookie.obj,gs_report.obj,gs_support.obj,guard_support.obj,loadcfg.obj,pesect.obj,ucrt_detection.obj
libvcruntime.lib,cxx,19.15.26706.0 : ehhelpers.obj,ehstate.obj,frame.obj,initialization.obj,locks.obj,per_thread_data.obj,purevirt.obj,purevirt_data.obj,riscchandler.obj,risctrnsctrl.obj,rtti.obj,std_exception.obj,std_type_info.obj,throw.obj,undname.obj,winapi_downlevel.obj
libvcruntime.lib,c,19.15.26706.0 : jbcxrval.obj,jmpuwind.obj,strchr.obj,strrchr.obj,strstr.obj,wcschr.obj,wcsstr.obj
To Reproduce
dotnet new console
dotnet add package Microsoft.Azure.Cosmos
dotnet build
path\to\BinSkim.exe analyze -r bin\*
Expected behavior
No failures reported by BinSkim.
Actual behavior
Failures reported by BinSkim, as described above.
Environment summary
SDK Version: 3.11.0
OS Version: Windows 10 (2004), 64-bit
Additional context
The same issue occurs with the v2 SDK. See Azure/azure-cosmos-dotnet-v2#801
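An added example, not part of the original issue or of BinSkim: a PDB-free first-pass check of the two PE header flags that the BA2008 message refers to (/DYNAMICBASE and /guard:cf), useful for re-checking the native DLL when a new package version ships. It reads only the DllCharacteristics field and does not reimplement BinSkim's rule; the function names and the header-only sample image are constructed for illustration.

```python
import struct

# Flag values from the PE/COFF specification (IMAGE_DLLCHARACTERISTICS_*).
DYNAMIC_BASE = 0x0040   # set by the /DYNAMICBASE linker option
GUARD_CF = 0x4000       # set when the image is linked with /guard:cf


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF file header
    if len(data) < opt + 72 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", data, opt + 70)
    return flags


def cfg_header_status(data: bytes) -> dict:
    """Report whether the ASLR and CFG header flags are set."""
    flags = dll_characteristics(data)
    return {
        "dynamic_base": bool(flags & DYNAMIC_BASE),
        "guard_cf": bool(flags & GUARD_CF),
    }


def make_sample(flags: int) -> bytes:
    """Constructed header-only PE32+ image for demonstration (not a real DLL)."""
    buf = bytearray(0x80 + 24 + 72)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)       # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 24, 0x20B)  # PE32+ magic
    struct.pack_into("<H", buf, 0x80 + 24 + 70, flags)
    return bytes(buf)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. the DLLs under runtimes\win-x64\native
        with open(path, "rb") as fh:
            print(path, cfg_header_status(fh.read()))
```

A DLL that reports guard_cf as False here will also fail BA2008; one that reports True still needs a full BinSkim run, since the header flag alone is not the whole rule.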
Issue Analytics
- State:
- Created 3 years ago
- Reactions:3
- Comments:7 (5 by maintainers)
Top GitHub Comments
The ServiceInterop.dll is included in the Microsoft.Azure.Cosmos.Direct package. This is included in the SDK. The fix was made in an internal repository where the Direct package is generated from.
Does anyone still see this issue with preview versions of Microsoft.Azure.Cosmos nugets? I’m still seeing it with version 3.35.2-preview. @j82w Is there anything special in preview versions that might be causing this?