
Having folders in the binskim config causes it to fail. #8413

Merged (1 commit), Oct 3, 2024

Conversation

marcpopMSFT
Member

This was the only regex that worked so far. We'll fix again later if they give us something that works better. Right now 9.0.1xx CI builds are blocked so this at least unblocks that.

@marcpopMSFT marcpopMSFT requested a review from a team as a code owner October 1, 2024 23:27
@marcpopMSFT marcpopMSFT requested a review from MiYanni October 2, 2024 19:57
analyzeTargetGlob: $(Build.SourcesDirectory)/artifacts/bin/**.dll;$(Build.SourcesDirectory)/artifacts/bin/**.exe;
analyzeTargetGlob: +:f|**\*.dll;+:f|**\*.exe;
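Review bot: The replacement glob `+:f|**\*.dll;+:f|**\*.exe;` drops the `artifacts/bin` prefix of the old value, so every .dll and .exe anywhere under the sources directory (restored packages, test fixtures, tooling) becomes a BinSkim target rather than only build output; since the description presents this as a stopgap, a comment next to the line noting the intended narrowing back to `artifacts/bin` would help the follow-up. The value also begins with `+` and contains `|`, `*` and `;`; quoting it as a YAML string (`analyzeTargetGlob: '+:f|**\*.dll;+:f|**\*.exe;'`) removes any ambiguity about how the parser types it.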
Member

This isn't the easiest way to do this because the 1ES PT doesn't have a codepath for the easiest way. 😡 This code would need to be changed: https://dev.azure.com/dnceng/_git/1ESPipelineTemplates?path=/v1/Core/Steps/Windows.SDL.Binary.Analysis.yml&version=GBmain&line=610&lineEnd=652&lineStartColumn=1&lineEndColumn=1&lineStyle=plain&_a=contents

Anyway, it should be easier to use the regex to match this stuff. This one matches paths that have artifacts\bin in the path and end with either .dll or .exe. This is the suggested way to do this via the docs: https://dev.azure.com/securitytools/SecurityIntegration/_wiki/wikis/Guardian/1378/Glob-Format?anchor=optimization

I've also forced the value to be a string in YAML by wrapping it in single quotes. Just makes it easier for the YAML parser to know the data type because of the symbols and junk in there. It is just safer to do in this situation.

Suggested change
analyzeTargetGlob: $(Build.SourcesDirectory)/artifacts/bin/**.dll;$(Build.SourcesDirectory)/artifacts/bin/**.exe;
analyzeTargetGlob: +:f|**\*.dll;+:f|**\*.exe;
analyzeTargetGlob: 'f:regex|artifacts\\bin\\.+\.(dll|exe)$'
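Review bot: The suggested regex `artifacts\\bin\\.+\.(dll|exe)$` only matches backslash separators and lower-case extensions, so on a Linux or macOS agent that enumerates paths with `/` it would select nothing; if this job is not Windows-only, `artifacts[\\/]bin[\\/].+\.(dll|exe)$` with a case-insensitive match would be safer. Inside YAML single quotes backslashes are literal, so `\\bin\\` reaches the regex engine as the two-character escape for one backslash, which is what the pattern intends.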

Member Author

Per offline chat, the above suggestion doesn't work because of bugs in 1ES:
##[error]AnalyzeArgumentNoValuesException: Argument Target has no values. Check your configuration. -- Additional arguments:Microsoft.Guardian.InvalidResponseFileContentsException: InvalidResponseFileContentsException: Cannot create a response file with zero arguments. Ensure that your arguments are correctly set up.
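To make the scope question in the regex suggestion above concrete, here is an added example (not code from the PR or from 1ES/Guardian) that applies the suggested `artifacts\\bin\\.+\.(dll|exe)$` pattern, exactly as a YAML single-quoted value would hand it to the tool, to a constructed set of agent paths, and contrasts it with a hypothetical separator-agnostic, case-insensitive variant. The sample paths, the `PORTABLE_REGEX` variant and the `select_targets` helper are all assumptions made for the example; only the suggested regex comes from the review comment.

```python
import re

# Regex as the YAML single-quoted value above delivers it: single quotes keep
# backslashes literal, so '\\bin\\' reaches the regex engine as an escaped backslash.
SUGGESTED_REGEX = r"artifacts\\bin\\.+\.(dll|exe)$"

# Hypothetical variant (not from the PR): accepts '\' or '/' as separator and is
# meant to be compiled case-insensitively so '.DLL' / '.EXE' are not missed.
PORTABLE_REGEX = r"artifacts[\\/]bin[\\/].+\.(dll|exe)$"

# Constructed sample paths of the kind a CI agent enumerates; not real build output.
SAMPLE_PATHS = [
    r"D:\a\_work\1\s\artifacts\bin\dotnet\Debug\dotnet.dll",          # 0: build output, Windows
    r"D:\a\_work\1\s\artifacts\bin\dotnet\Debug\dotnet.exe",          # 1: build output, Windows
    r"D:\a\_work\1\s\artifacts\bin\dotnet\Debug\dotnet.pdb",          # 2: symbols, not a binary
    "/home/vsts/work/1/s/artifacts/bin/dotnet/Debug/dotnet.dll",      # 3: build output, Linux agent
    r"D:\a\_work\1\s\artifacts\packages\Debug\Shipping\tool.dll",     # 4: outside artifacts\bin
    r"D:\a\_work\1\s\.packages\some.package\lib\net9.0\vendor.DLL",  # 5: restored package, not ours
    r"D:\a\_work\1\s\artifacts\bin\redist\Setup.EXE",                 # 6: upper-case extension
]


def select_targets(paths, pattern, ignore_case=False):
    """Return the paths the analysis target pattern would hand to BinSkim.

    re.search is used (not fullmatch) because the pattern is anchored only at
    the end, matching the 'contains artifacts\\bin and ends with .dll/.exe'
    description in the review comment.
    """
    flags = re.IGNORECASE if ignore_case else 0
    rx = re.compile(pattern, flags)
    return [p for p in paths if rx.search(p)]


def missed_targets(paths, pattern, ignore_case=False):
    """Binaries (.dll/.exe, any case) that the pattern leaves unscanned."""
    selected = set(select_targets(paths, pattern, ignore_case))
    return [p for p in paths
            if p.lower().endswith((".dll", ".exe")) and p not in selected]


if __name__ == "__main__":
    for name, pattern, ic in (("suggested", SUGGESTED_REGEX, False),
                              ("portable", PORTABLE_REGEX, True)):
        print(f"{name}: scanned   {select_targets(SAMPLE_PATHS, pattern, ic)}")
        print(f"{name}: unscanned {missed_targets(SAMPLE_PATHS, pattern, ic)}")
```

Running it shows the suggested pattern scanning only the two lower-case Windows paths under `artifacts\bin`, while the Linux-style path and the `Setup.EXE` redist binary are silently left out of the BinSkim run; the portable variant picks those up without pulling in the restored package under `.packages` or the `artifacts\packages` tree.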

Member

@MiYanni MiYanni left a comment

This definitely isn't the right approach but to fix this properly requires testing different combinations of parameters and 1ES PT currently doesn't allow AnalyzeTargetBinskim, which is the easiest way to do this.

I just found out the right way. We would need to convert all the artifact publishing to use the output: syntax. That will automatically register those items we output in the build to be scanned by binskim. I verified this looking at the dotnet/project-system repo.

@marcpopMSFT marcpopMSFT merged commit f63a464 into release/9.0.1xx Oct 3, 2024
10 checks passed