Comments (3)
Changing Title from "Feature Request: Scan assemblies in VSIX/MSI packages" to "Feature Request: Scan assemblies in installers/packages".
This also should cover .zip flavor archives, like .nupkg and .cspkg
from binskim.
This is a reasonable request. We have avoided adding decompression to the tool so far in the spirit of ensuring that we remain focused on doing the best job possible with a narrow charter, inspecting portable executables.
If we add decompression, there is a large body of complexity that comes along with it. This includes figuring out how to decompress/stream binaries in order to analyze them. Naïve approaches like expanding to disk are slow, can fill the disk, create file paths that are too long, etc.
Obviously, there are many archive producers out there and they don't always emit various formats in a consistent way. Some producers emit nulls in the middle of streams which are handled in different ways by different decompression technologies. Generally, the .NET libraries do a decent job in this regard but I have seen failures.
I'm glad to keep discussing this topic. I can look around to see what the state of the world is as far as supporting libraries for the scenario. Maybe things have improved since my last look.
I was just about to ask where my auto-nupkg scanning is :)
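The maintainer's reply above sketches the design tension: .nupkg, .vsix and .cspkg are plain zip containers, but expanding them to disk is slow, can fill the disk and produces over-long paths. The block below is an added illustration in Python of the streaming alternative; it is not BinSkim code (BinSkim is written in C#) and the per-entry size cap, nesting limit and the "outer!inner" virtual-path labelling are assumptions made for this example. It classifies each zip member as a PE by reading only the DOS header and PE signature from the inflating stream, recurses into nested zips with a depth limit, refuses members whose declared size exceeds a cap while still bounding the actual bytes read, and never writes anything to disk. The sample package is constructed in memory. MSI (an OLE compound file, not a zip) is not handled here.

```python
"""Streaming, header-only scan of zip-style packages for PE binaries.
Added example in Python, not BinSkim code. .nupkg, .vsix and .cspkg are all zip
containers; MSI is an OLE compound file and is not handled. The size cap, nesting
limit and the "outer!inner" virtual-path convention are this example's assumptions."""
import io
import struct
import zipfile
from dataclasses import dataclass, field

ZIP_MAGIC = b"PK\x03\x04"
MAX_ENTRY_BYTES = 64 * 1024 * 1024  # assumed cap on bytes inflated per entry
MAX_DEPTH = 3                       # assumed limit on archive-in-archive nesting
HEADER_PROBE_LIMIT = 64 * 1024      # never chase an e_lfanew beyond this


@dataclass
class ScanResult:
    binaries: list = field(default_factory=list)  # virtual paths of PE entries
    skipped: list = field(default_factory=list)   # (virtual path, reason) pairs


def is_pe_stream(head: bytes, stream) -> bool:
    """Classify from the DOS header and PE signature only. `head` is the first
    0x40 bytes already pulled from `stream`; the rest is read on demand, so a
    huge entry costs at most HEADER_PROBE_LIMIT bytes and never touches disk."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    # Python ints do not wrap; a C port must check uint32 overflow before adding.
    if e_lfanew < 0x40 or e_lfanew + 4 > HEADER_PROBE_LIMIT:
        return False
    need = e_lfanew + 4 - len(head)
    rest = stream.read(need)
    return len(rest) == need and rest[-4:] == b"PE\0\0"


def scan_archive(data, virtual_path, max_entry_bytes=MAX_ENTRY_BYTES,
                 max_depth=MAX_DEPTH, depth=0, result=None):
    """Walk an in-memory zip, classify each entry, recurse into nested zips."""
    result = result if result is not None else ScanResult()
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result.skipped.append((virtual_path, "not a readable zip"))
        return result
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # A label only, never joined to a filesystem path: "../" or over-long
            # member names cannot cause the problems that expanding to disk would.
            entry = f"{virtual_path}!{info.filename}"
            # Declared size is attacker-controlled, so it is only a first filter;
            # the reads below are bounded whatever the header claims.
            if info.file_size > max_entry_bytes:
                result.skipped.append((entry, "exceeds entry size cap"))
                continue
            with zf.open(info) as stream:
                head = stream.read(0x40)
                if head[:4] == ZIP_MAGIC:
                    if depth >= max_depth:
                        result.skipped.append((entry, "nesting too deep"))
                        continue
                    nested = head + stream.read(max_entry_bytes - len(head))
                    scan_archive(nested, entry, max_entry_bytes, max_depth,
                                 depth + 1, result)
                elif is_pe_stream(head, stream):
                    result.binaries.append(entry)
    return result


def make_pe_stub(e_lfanew=0x80) -> bytes:
    """Constructed: DOS header plus PE signature, enough for the probe only."""
    stub = bytearray(e_lfanew + 4)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, e_lfanew)
    stub[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    return bytes(stub)


def make_sample_package() -> bytes:
    """Constructed .nupkg-style archive: a DLL, a nested zip and two decoys."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("tools/helper.exe", make_pe_stub())
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Example.nuspec", "<package />")
        z.writestr("lib/net6.0/Example.dll", make_pe_stub(0x100))
        z.writestr("lib/net6.0/notreally.dll", "text with a .dll name")
        z.writestr("content/bundle.zip", inner.getvalue())
        # "MZ" whose e_lfanew would wrap a 32-bit add: must not be chased
        z.writestr("bad.dll", b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0xFFFFFFFE))
    return outer.getvalue()


if __name__ == "__main__":
    res = scan_archive(make_sample_package(), "Example.nupkg")
    print("PE entries:", res.binaries, "skipped:", res.skipped)
```

Running the module reports `Example.nupkg!lib/net6.0/Example.dll` and `Example.nupkg!content/bundle.zip!tools/helper.exe` as PE entries and nothing skipped; lowering `max_entry_bytes` or `max_depth` moves members into the skipped list with a reason instead of silently dropping them, which is what a scanner needs in order to report coverage honestly. The decompressor-quirk problem the reply raises (producers emitting nulls mid-stream, inconsistent archive writers) is delegated here to Python's `zipfile`; a production implementation would have to pick and test its decompression library against real-world packages rather than rely on the stub above.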
Related Issues (20)
- Guardian: PostAnalysis error [ EnableCriticalCompilerWarning]
- Combability with .NET ReadyToRun and Self-Contained
- BA2026 is reported as NotApplicable for native PE binaries compiled with /sdl switch
- BA2025, /CETCOMPAT and .NET Framework
- Users not able to know which file causes issue when exception loading pdb
- BA2004 - Should exclude "AssemblyAttributes.obj"
- BinSkim download from symbol server not working
- Unclear Error message when the path of the file too long
- Enabling disabled rules
- BinSkim BA2014 compatibility with the new Arm64EC files
- BinSkim BA2021 compatibility with R2R Linux binaries
- Put evidence of MSVC ASAN utilization in telemetry stream
- [RULE REQUEST] Check for the import of outdated (end-of-life) Visual C++ redistributable DLLs
- Special-case compiler generated `dummy.obj` file that fires `BA2004`
- Whether to suppress ‘PDB not found’ errors for stub .exe that invokes the .net core entry point
- Introducing an alternative to Binskim: Binary Valentine (with GUI)
- --ignorePdbLoadError behavior changed
- Insecure (SHA-1) source code hashing algorithm (BA2004 error) on Visual Basic assembly targeting .NET FX
- Question about releases?
- Binskim reports Error:BA2004 with '/ZH:SHA_256' enabled for Unmanaged c++ dll