[SARIF EXPORT]: Crash on export-collect: Unhandled exception. System.InvalidCastException: Unable to cast object of type 'System.Collections.Concurrent.ConcurrentBag`1[Microsoft.CST.AttackSurfaceAnalyzer.Objects.CompareResult]' to type 'System.Collections.Generic.List`1[Microsoft.CST.AttackSurfaceAnalyzer.Objects.CompareResult]'.
Describe the bug
I’m currently trying to automate our manual “Attack Surface Analyser” step into our CI. The scanning of both the baseline and the new system state seems to be fine. However, when running the “export-collect” step, I’m seeing this failure:
[2022-04-28T13:52:01.085Z] [06:52:00 INF] Completed Analysis in 00h:00m:02s:531ms.
[2022-04-28T13:52:01.085Z] Unhandled exception. System.InvalidCastException: Unable to cast object of type 'System.Collections.Concurrent.ConcurrentBag`1[Microsoft.CST.AttackSurfaceAnalyzer.Objects.CompareResult]' to type 'System.Collections.Generic.List`1[Microsoft.CST.AttackSurfaceAnalyzer.Objects.CompareResult]'.
[2022-04-28T13:52:01.085Z] at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.GenerateSarifLog(Dictionary`2 output, IEnumerable`1 rules) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 765
[2022-04-28T13:52:01.086Z] at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.WriteSarifLog(Dictionary`2 output, IEnumerable`1 rules, String outputFilePath) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 705
[2022-04-28T13:52:01.086Z] at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.ExportCompareResults(ConcurrentDictionary`2 resultsIn, ExportOptions opts, String baseFileName, String analysesHash, IEnumerable`1 rules) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 680
[2022-04-28T13:52:01.086Z] at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.RunExportCollectCommand(ExportCollectCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 627
[2022-04-28T13:52:01.086Z] at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.<>c.<Main>b__9_2(ExportCollectCommandOptions opts) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 90
[2022-04-28T13:52:01.086Z] at CommandLine.ParserResultExtensions.MapResult[T1,T2,T3,T4,T5,T6,T7,T8,T9,TResult](ParserResult`1 result, Func`2 parsedFunc1, Func`2 parsedFunc2, Func`2 parsedFunc3, Func`2 parsedFunc4, Func`2 parsedFunc5, Func`2 parsedFunc6, Func`2 parsedFunc7, Func`2 parsedFunc8, Func`2 parsedFunc9, Func`2 notParsedFunc)
[2022-04-28T13:52:01.086Z] at Microsoft.CST.AttackSurfaceAnalyzer.Cli.AttackSurfaceAnalyzerClient.Main(String[] args) in D:\a\1\s\Cli\AttackSurfaceAnalyzerClient.cs:line 72
script returned exit code -532462766
Might be related to #638 and #643.
Background: In the past, we manually scanned our software using the GUI of `Microsoft Attack Surface Analyzer v1.0.0`. Now we are trying to automate this and would also like to use the latest version of the software (v2.3.277 when I installed it).
To Reproduce
- Baseline scan:
    asa collect -a --overwrite --runid baseline
- Install and run software to be scanned
- New scan:
    asa collect -a --overwrite --runid installed
- Run comparison:
    mkdir asareport
    asa export-collect --firstrunid baseline --secondrunid installed --verbose --outputpath "ABSOLUTEPATHTO\asareport" --outputsarif
Expected behavior
Report files are written and software does not crash.
System Configuration (please complete the following information):
- OS: Windows
- OS Version: Windows 10 Pro, amd64, 21H1, 19043.165, en_US running on VirtualBox v6.1.34
- Application Version: AttackSurfaceAnalyzer v.2.3.277+40072595ef
- CLI or GUI: cli
Additional Context
I haven’t tried the version before #643 yet but will do so to see if downgrading fixes our problem.
Top GitHub Comments
Thanks for fixing it so fast! I can confirm that v2.3.282+7c5be27ab2 fixes the problem.
Thank you for the detailed report - and for nailing down the specific version. I suspect this is a regression caused by a concurrency fix (changing some lists that were being .added to in multiple threads to thread-safe structures.)
I’ll take a look this afternoon, it should be a quick fix.
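
The failure mode discussed in this thread, as an added example that is not part of the original issue and not the project's code: a value stored as a `ConcurrentBag<T>` cannot be cast to `List<T>`, while code that relies only on `IEnumerable<T>` works with either collection. The `CompareResult` record, the `Dictionary<string, object>` shape, the key name and the method names are assumed stand-ins.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

// Hypothetical stand-in for the project's CompareResult type.
public sealed record CompareResult(string Identity);

public static class CastRegressionDemo
{
    // Brittle: assumes every boxed value is exactly List<CompareResult>.
    // Throws InvalidCastException once the producer switches to ConcurrentBag.
    public static int CountWithHardCast(Dictionary<string, object> output) =>
        output.Values.Sum(v => ((List<CompareResult>)v).Count);

    // Robust: depends only on the interface that both List<T> and
    // ConcurrentBag<T> implement, and fails loudly on anything else.
    public static int CountViaInterface(Dictionary<string, object> output) =>
        output.Values.Sum(v => v is IEnumerable<CompareResult> items
            ? items.Count()
            : throw new ArgumentException($"Unexpected value type {v.GetType()}"));

    public static void Main()
    {
        // Constructed sample: results added from several threads, which is
        // why a thread-safe collection is used instead of List<T>.
        var bag = new ConcurrentBag<CompareResult>();
        Parallel.For(0, 100, i => bag.Add(new CompareResult($"file-{i}")));

        // Assumed shape: results keyed by a category name (constructed key).
        var output = new Dictionary<string, object> { ["FILE_CREATED"] = bag };

        try
        {
            CountWithHardCast(output);
        }
        catch (InvalidCastException ex)
        {
            Console.WriteLine($"Hard cast failed: {ex.Message}");
        }

        Console.WriteLine($"Interface-based count: {CountViaInterface(output)}");
    }
}
```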